2019-11-04 18:08:17 +03:00
|
|
|
title: Webshell Remote Command Execution
|
2019-11-12 23:12:27 +01:00
|
|
|
id: c0d3734d-330f-4a03-aae2-65dacc6a8222
|
2019-10-21 11:54:21 +02:00
|
|
|
status: experimental
|
2019-11-04 18:08:17 +03:00
|
|
|
description: Detects posible command execution by web application/web shell
|
2019-10-21 11:14:24 +02:00
|
|
|
tags:
|
2019-10-21 11:54:21 +02:00
|
|
|
- attack.persistence
|
2019-11-04 18:08:17 +03:00
|
|
|
- attack.t1100
|
2019-10-21 11:54:21 +02:00
|
|
|
references:
|
|
|
|
|
- personal experience
|
2019-11-04 18:08:17 +03:00
|
|
|
author: Ilyas Ochkov, Beyu Denis, oscd.community
|
2019-10-21 11:54:21 +02:00
|
|
|
date: 2019/10/12
|
2019-11-04 18:08:17 +03:00
|
|
|
modified: 2019/11/04
|
2019-10-21 11:54:21 +02:00
|
|
|
logsource:
|
2019-10-21 11:14:24 +02:00
|
|
|
product: linux
|
2019-10-21 11:54:21 +02:00
|
|
|
service: auditd
|
|
|
|
|
detection:
|
2019-10-21 11:14:24 +02:00
|
|
|
selection:
|
|
|
|
|
type: 'SYSCALL'
|
|
|
|
|
SYSCALL: 'execve'
|
|
|
|
|
key: 'detect_execve_www'
|
2019-10-21 11:54:21 +02:00
|
|
|
condition: selection
|
|
|
|
|
falsepositives:
|
2019-10-21 11:14:24 +02:00
|
|
|
- Admin activity
|
2019-10-21 11:54:21 +02:00
|
|
|
- Crazy web applications
|
2019-10-22 05:50:49 +02:00
|
|
|
level: critical
|
