[metadata] creation_date = "2023/03/04" integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" updated_date = "2023/04/03" [rule] author = ["Elastic"] description = "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access." false_positives = [ """ Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior. """, ] from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential Remote Code Execution via Web Server" references = [ "https://pentestlab.blog/tag/web-shell/", "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", ] risk_score = 73 rule_id = "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb" severity = "high" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability"] timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.parent.executable : ( "/usr/sbin/nginx", "/usr/local/sbin/nginx", "/usr/sbin/apache", "/usr/local/sbin/apache", "/usr/sbin/apache2", "/usr/local/sbin/apache2", "/usr/sbin/php*", "/usr/local/sbin/php*", "/usr/sbin/lighttpd", "/usr/local/sbin/lighttpd", "/usr/sbin/hiawatha", "/usr/local/sbin/hiawatha", "/usr/local/bin/caddy", "/usr/local/lsws/bin/lswsctrl", "*/bin/catalina.sh" ) and process.name : ("*sh", "python*", "perl", "php*", "tmux") and process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd") ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" [[rule.threat.technique.subtechnique]] id = "T1505.003" name = "Web Shell" reference = "https://attack.mitre.org/techniques/T1505/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/"