Suspicious Process By Web Server Process

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects potentially suspicious processes spawned by a web server process, which could be the result of a successfully placed web shell or other exploitation of the web application.

Severity

Trouble

Rule Requirement

Criteria

Action1: actionname = "Process started" AND (PARENTPROCESSNAME endswith "\caddy.exe,\httpd.exe,\nginx.exe,\php-cgi.exe,\php.exe,\tomcat.exe,\UMWorkerProcess.exe,\w3wp.exe,\ws_TomcatService.exe" OR (PARENTPROCESSNAME endswith "\java.exe,\javaw.exe" AND PARENTPROCESSNAME contains "-tomcat-,\tomcat") OR (PARENTPROCESSNAME endswith "\java.exe,\javaw.exe" AND PARENTPROCESSCOMMANDLINE contains "CATALINA_HOME,catalina.home,catalina.jar")) AND (PROCESSNAME endswith "\arp.exe,\at.exe,\bash.exe,\bitsadmin.exe,\certutil.exe,\cmd.exe,\cscript.exe,\dsget.exe,\hostname.exe,\nbtstat.exe,\net.exe,\net1.exe,\netdom.exe,\netsh.exe,\nltest.exe" OR PROCESSNAME endswith "\ntdsutil.exe,\powershell_ise.exe,\powershell.exe,\pwsh.exe,\qprocess.exe,\query.exe,\qwinsta.exe,\reg.exe,\rundll32.exe,\sc.exe,\sh.exe,\wmic.exe,\wscript.exe,\wusa.exe") AND ((PARENTPROCESSNAME notendswith "\java.exe" OR COMMANDLINE notendswith "Windows\system32\cmd.exe /c C:\ManageEngine\ADManager "Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt") AND (PARENTPROCESSNAME notendswith "\java.exe" OR (COMMANDLINE notcontains "sc query" OR COMMANDLINE notcontains "ADManager Plus"))) select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
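
The criteria above, re-implemented as an added Python example (not the page's or the rule authors' code) and run over constructed process-creation events, one of which exercises the ADManager Plus exclusion. Field names are the rule's own; case-insensitive matching is an assumption carried over from the Sigma rule this was converted from.

```python
# Added example (not the rule page's own code): the criteria above in Python, evaluated
# over constructed events; matching is assumed case-insensitive as in the Sigma original.
WEB_PARENTS = ("\\caddy.exe", "\\httpd.exe", "\\nginx.exe", "\\php-cgi.exe", "\\php.exe",
               "\\tomcat.exe", "\\UMWorkerProcess.exe", "\\w3wp.exe", "\\ws_TomcatService.exe")
SUSPICIOUS_CHILDREN = (
    "\\arp.exe", "\\at.exe", "\\bash.exe", "\\bitsadmin.exe", "\\certutil.exe", "\\cmd.exe",
    "\\cscript.exe", "\\dsget.exe", "\\hostname.exe", "\\nbtstat.exe", "\\net.exe", "\\net1.exe",
    "\\netdom.exe", "\\netsh.exe", "\\nltest.exe", "\\ntdsutil.exe", "\\powershell_ise.exe",
    "\\powershell.exe", "\\pwsh.exe", "\\qprocess.exe", "\\query.exe", "\\qwinsta.exe", "\\reg.exe",
    "\\rundll32.exe", "\\sc.exe", "\\sh.exe", "\\wmic.exe", "\\wscript.exe", "\\wusa.exe")
# Benign ManageEngine ADManager Plus command line carved out by the rule's first exclusion
ADMANAGER_ES_CMD = ('Windows\\system32\\cmd.exe /c C:\\ManageEngine\\ADManager '
                    '"Plus\\ES\\bin\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt')
def ends_with_any(value, suffixes):
    return any(value.lower().endswith(s.lower()) for s in suffixes)
def contains_any(value, needles):
    return any(n.lower() in value.lower() for n in needles)
def is_web_server_parent(ev):
    parent = ev.get("PARENTPROCESSNAME", "")
    if ends_with_any(parent, WEB_PARENTS):
        return True
    # java/javaw counts only when its path or command line points at Tomcat
    return ends_with_any(parent, ("\\java.exe", "\\javaw.exe")) and (
        contains_any(parent, ("-tomcat-", "\\tomcat")) or contains_any(
            ev.get("PARENTPROCESSCOMMANDLINE", ""), ("CATALINA_HOME", "catalina.home", "catalina.jar")))
def is_admanager_exclusion(ev):
    # Both exclusions apply only when the parent is java.exe (ADManager Plus runs on Java)
    cmd = ev.get("COMMANDLINE", "")
    return ends_with_any(ev.get("PARENTPROCESSNAME", ""), ("\\java.exe",)) and (
        cmd.lower().endswith(ADMANAGER_ES_CMD.lower())
        or (contains_any(cmd, ("sc query",)) and contains_any(cmd, ("ADManager Plus",))))
def rule_matches(ev):
    return (ev.get("actionname") == "Process started" and is_web_server_parent(ev)
            and ends_with_any(ev.get("PROCESSNAME", ""), SUSPICIOUS_CHILDREN)
            and not is_admanager_exclusion(ev))
def event(parent, child, cmd, parent_cmd=""):  # builder for constructed sample events
    return {"actionname": "Process started", "PARENTPROCESSNAME": parent,
            "PARENTPROCESSCOMMANDLINE": parent_cmd, "PROCESSNAME": child, "COMMANDLINE": cmd}

SAMPLE_EVENTS = [  # constructed, not real telemetry
    event("C:\\Windows\\System32\\inetsrv\\w3wp.exe", "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c hostname"),
    event("C:\\Java\\bin\\java.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
          "powershell -c hostname", "java -Dcatalina.home=C:\\tomcat Bootstrap"),
    event("C:\\ManageEngine\\ADManager Plus\\jre\\bin\\java.exe", "C:\\Windows\\System32\\cmd.exe",
          "C:\\" + ADMANAGER_ES_CMD, "java -Dcatalina.home=C:\\ManageEngine Bootstrap"),
    event("C:\\nginx\\nginx.exe", "C:\\Windows\\System32\\notepad.exe", "notepad.exe"),
]
def evaluate(events=SAMPLE_EVENTS):
    return [rule_matches(ev) for ev in events]  # → [True, True, False, False]
```

The third event would otherwise be a hit (Java parent with a Tomcat command line spawning cmd.exe) but is suppressed by the rule's ADManager Plus exclusion; a plain java.exe parent with no Tomcat markers never qualifies at all.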

Detection

Execution Mode

realtime

Log Sources

Windows

Author

Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)