Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Suspicious Process By Web Server Process

Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)Created Wed Jan 16Updated Tue Nov 268202070f-edeb-4d31-a010-a26c72ac5600windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic6 selectors
detection:
    selection_webserver_image:
        ParentImage|endswith:
            - '\caddy.exe'
            - '\httpd.exe'
            - '\nginx.exe'
            - '\php-cgi.exe'
            - '\php.exe'
            - '\tomcat.exe'
            - '\UMWorkerProcess.exe'  # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
            - '\w3wp.exe'
            - '\ws_TomcatService.exe'
    selection_webserver_characteristics_tomcat1:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentImage|contains:
            - '-tomcat-'
            - '\tomcat'
    selection_webserver_characteristics_tomcat2:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentCommandLine|contains:
            - 'CATALINA_HOME'
            - 'catalina.home'
            - 'catalina.jar'
    selection_anomaly_children:
        Image|endswith:
            - '\arp.exe'
            - '\at.exe'
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\certutil.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\dsget.exe'
            - '\hostname.exe'
            - '\nbtstat.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\netdom.exe'
            - '\netsh.exe'
            - '\nltest.exe'
            - '\ntdsutil.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\qprocess.exe'
            - '\query.exe'
            - '\qwinsta.exe'
            - '\reg.exe'
            - '\rundll32.exe'
            - '\sc.exe'
            - '\sh.exe'
            - '\wmic.exe'
            - '\wscript.exe'
            - '\wusa.exe'
    filter_main_fp_1:
        ParentImage|endswith: '\java.exe'
        CommandLine|endswith: 'Windows\system32\cmd.exe /c C:\ManageEngine\ADManager "Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt'
    filter_main_fp_2:
        ParentImage|endswith: '\java.exe'
        CommandLine|contains|all:
            - 'sc query'
            - 'ADManager Plus'
    condition: 1 of selection_webserver_* and selection_anomaly_children and not 1 of filter_main_*
False Positives

Particular web applications may spawn a shell process legitimately

References
1
Resolving title…
media.defense.gov
MITRE ATT&CK
Rule Metadata
Rule ID
8202070f-edeb-4d31-a010-a26c72ac5600
Status
test
Level
high
Type
Detection
Created
Wed Jan 16
Modified
Tue Nov 26
Author
Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml
Raw Tags
attack.persistenceattack.initial-accessattack.t1505.003attack.t1190
View on GitHub