Type: Detection | Level: critical | Status: test

Webshell Remote Command Execution

Detects possible command execution by web application/web shell

Authors: Ilyas Ochkov, Beyu Denis, oscd.community
Created: Sat Oct 12
Updated: Fri Dec 05
Rule ID: c0d3734d-330f-4a03-aae2-65dacc6a8222

Log Source
Product: linux
Service: auditd

Definition

Required auditd configuration:
    -a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www
    -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www
    -a always,exit -F arch=b32 -S execveat -F euid=33 -k detect_execve_www
    -a always,exit -F arch=b64 -S execveat -F euid=33 -k detect_execve_www
Change the number "33" to the UID of your web server user. Default: www-data:x:33:33

Detection Logic (1 selector)
detection:
    selection:
        type: 'SYSCALL'
        SYSCALL:
            - 'execve'
            - 'execveat'
        euid: 33
    condition: selection
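As an added example that is not part of the rule or this page, the selection above applied in Python to constructed auditd SYSCALL records. Raw records carry the syscall number rather than the name, so the example maps the x86_64 and i386 numbers for execve and execveat to their names itself (an assumption about how the SYSCALL field gets populated; in a real pipeline the log collector or `ausearch -i` does this), and the web server UID of 33 is a parameter exactly as the definition says.

```python
import re

# Constructed sample records (not from the page). Raw auditd records carry the
# syscall number; `ausearch -i` style output carries the interpreted name.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=1201 pid=1345 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/dash" key="detect_execve_www"
type=PROCTITLE msg=audit(1700000000.101:501): proctitle=7368002D6300696400
type=SYSCALL msg=audit(1700000000.102:502): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=1400 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key=(null)
type=SYSCALL msg=audit(1700000000.103:503): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=1201 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)
type=SYSCALL msg=audit(1700000000.104:504): arch=c000003e SYSCALL=execveat success=yes exit=0 ppid=1201 pid=1350 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="python3" exe="/usr/bin/python3" key="detect_execve_www"
"""

# One key=value token: a quoted string, (null), or a bare run of non-space chars.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\(null\)|\S+)')

# Syscall numbers for the two syscalls the rule names, on x86_64 (arch=c000003e)
# and i386 (arch=40000003). Interpreted records already carry the name.
SYSCALL_NAMES = {
    ("c000003e", "59"): "execve", ("c000003e", "322"): "execveat",
    ("40000003", "11"): "execve", ("40000003", "358"): "execveat",
}

WEB_EUID = 33  # www-data on Debian/Ubuntu; raw records carry the numeric euid

def parse_record(line):
    """Split one auditd record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def matches_rule(rec, web_euid=WEB_EUID):
    """The Sigma selection: type SYSCALL, syscall execve/execveat, euid == web_euid."""
    if rec.get("type") != "SYSCALL":
        return False
    name = rec.get("SYSCALL") or SYSCALL_NAMES.get((rec.get("arch"), rec.get("syscall")))
    return name in ("execve", "execveat") and rec.get("euid") == str(web_euid)

def scan(log_text, web_euid=WEB_EUID):
    """Return (event id, comm, exe) for every record the rule would alert on."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if matches_rule(rec, web_euid):
            hits.append((rec["msg"].rstrip(":"), rec.get("comm"), rec.get("exe")))
    return hits

if __name__ == "__main__":
    for event, comm, exe in scan(SAMPLE_LOG):
        print(f"{event}: {comm} ({exe}) executed as euid {WEB_EUID}")
```

Only the shell spawned by the web server (event 501) and the execveat record (504) match; the root `ls` and the web server's own openat are ignored, which is also why the listed false positive "Admin activity" only applies to commands run as the web user.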
False Positives

Admin activity

Crazy web applications

References
1. Personal Experience of the Author
2. vaadata.com
MITRE ATT&CK
Persistence: T1505.003 (Server Software Component: Web Shell)
Rule Metadata
Rule ID
c0d3734d-330f-4a03-aae2-65dacc6a8222
Status
test
Level
critical
Type
Detection
Created
Sat Oct 12
Modified
Fri Dec 05
Path
rules/linux/auditd/syscall/lnx_auditd_web_rce.yml
Raw Tags
attack.persistence, attack.t1505.003