Ivan Kirillov
27 lines
643 B
YAML
27 lines
643 B
YAML
title: Webshell Remote Command Execution
|
|
id: c0d3734d-330f-4a03-aae2-65dacc6a8222
|
|
status: experimental
|
|
description: Detects posible command execution by web application/web shell
|
|
tags:
|
|
- attack.persistence
|
|
- attack.t1100
|
|
- attack.t1505.003
|
|
references:
|
|
- personal experience
|
|
author: Ilyas Ochkov, Beyu Denis, oscd.community
|
|
date: 2019/10/12
|
|
modified: 2019/11/04
|
|
logsource:
|
|
product: linux
|
|
service: auditd
|
|
detection:
|
|
selection:
|
|
type: 'SYSCALL'
|
|
SYSCALL: 'execve'
|
|
key: 'detect_execve_www'
|
|
condition: selection
|
|
falsepositives:
|
|
- Admin activity
|
|
- Crazy web applications
|
|
level: critical
|