title: Webshell Remote Command Execution
id: c0d3734d-330f-4a03-aae2-65dacc6a8222
status: experimental
description: Detects posible command execution by web application/web shell
tags:
    - attack.persistence
    - attack.t1100
references:
    - personal experience
author: Ilyas Ochkov, Beyu Denis, oscd.community
date: 2019/10/12
modified: 2019/11/04
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'SYSCALL'
        SYSCALL: 'execve'
        key: 'detect_execve_www'
    condition: selection
falsepositives:
    - Admin activity
    - Crazy web applications
level: critical