598d29f811
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
51 lines
1.5 KiB
YAML
```yaml
title: Linux Webshell Indicators
id: 818f7b24-0fba-4c49-a073-8b755573b9c7
status: test
description: Detects suspicious sub processes of web server processes
references:
    - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/
    - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-10-15
modified: 2022-12-28
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: linux
    category: process_creation
detection:
    selection_general:
        ParentImage|endswith:
            - '/httpd'
            - '/lighttpd'
            - '/nginx'
            - '/apache2'
            - '/node'
            - '/caddy'
    selection_tomcat:
        ParentCommandLine|contains|all:
            - '/bin/java'
            - 'tomcat'
    selection_websphere: # ? just guessing
        ParentCommandLine|contains|all:
            - '/bin/java'
            - 'websphere'
    sub_processes:
        Image|endswith:
            - '/whoami'
            - '/ifconfig'
            - '/ip'
            - '/bin/uname'
            - '/bin/cat'
            - '/bin/crontab'
            - '/hostname'
            - '/iptables'
            - '/netstat'
            - '/pwd'
            - '/route'
    condition: 1 of selection_* and sub_processes
falsepositives:
    - Web applications that invoke Linux command line tools
level: high
```
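To make the condition `1 of selection_* and sub_processes` concrete, the following added example (not part of the rule or the Sigma project) re-implements the rule's matching logic in plain Python and runs it over a few constructed `process_creation` events; the event field names follow the rule, the sample values are made up, and matching is done case-insensitively as Sigma does by default.

```python
# Values copied from the rule above. Sigma string matching is case-insensitive
# by default, so every comparison below is done on lower-cased strings.
WEB_SERVER_PARENTS = ("/httpd", "/lighttpd", "/nginx", "/apache2", "/node", "/caddy")
JAVA_APP_MARKERS = (("/bin/java", "tomcat"), ("/bin/java", "websphere"))  # contains|all
RECON_CHILDREN = ("/whoami", "/ifconfig", "/ip", "/bin/uname", "/bin/cat",
                  "/bin/crontab", "/hostname", "/iptables", "/netstat", "/pwd", "/route")


def matches_webshell_rule(event: dict) -> bool:
    """Evaluate `1 of selection_* and sub_processes` for a single event."""
    parent_image = event.get("ParentImage", "").lower()
    parent_cmd = event.get("ParentCommandLine", "").lower()
    image = event.get("Image", "").lower()
    # selection_general: ParentImage|endswith any of the web server binaries
    selection_general = parent_image.endswith(WEB_SERVER_PARENTS)
    # selection_tomcat / selection_websphere: ParentCommandLine|contains|all
    selection_java = any(all(m in parent_cmd for m in markers) for markers in JAVA_APP_MARKERS)
    # sub_processes: Image|endswith any of the enumeration tools
    sub_processes = image.endswith(RECON_CHILDREN)
    return (selection_general or selection_java) and sub_processes


def alerting_events(events: list) -> list:
    """Return the ids of the events that fire the rule."""
    return [e["id"] for e in events if matches_webshell_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "e1", "ParentImage": "/usr/sbin/nginx", "ParentCommandLine": "nginx: worker process",
     "Image": "/usr/bin/whoami"},                      # fires: web server spawning whoami
    {"id": "e2", "ParentImage": "/usr/lib/jvm/java-11/bin/java",
     "ParentCommandLine": "/usr/lib/jvm/java-11/bin/java -Dcatalina.base=/opt/tomcat Bootstrap",
     "Image": "/bin/cat"},                             # fires via selection_tomcat
    {"id": "e3", "ParentImage": "/usr/sbin/sshd", "ParentCommandLine": "sshd: admin [priv]",
     "Image": "/usr/bin/whoami"},                      # parent is not a web server
    {"id": "e4", "ParentImage": "/usr/sbin/apache2", "ParentCommandLine": "/usr/sbin/apache2 -k start",
     "Image": "/usr/bin/php"},                         # child is not in sub_processes
    {"id": "e5", "ParentImage": "/usr/bin/node", "ParentCommandLine": "node server.js",
     "Image": "/usr/bin/ipcalc"},                      # endswith '/ip' does not match ipcalc
]

if __name__ == "__main__":
    print(alerting_events(SAMPLE_EVENTS))  # ['e1', 'e2']
```

Events e4 and e5 illustrate why `endswith` is used rather than `contains`: a web server launching its own interpreter, or a binary whose name merely starts with `ip`, does not trigger the rule.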