Detectionhightest
Webshell Tool Reconnaissance Activity
Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Cian Heasley, Florian Roth (Nextron Systems)Created Wed Jul 22Updated Thu Nov 09f64e5c19-879c-4bae-b471-6d84c8339677windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic4 selectors
detection:
selection_webserver_image:
ParentImage|endswith:
- '\caddy.exe'
- '\httpd.exe'
- '\nginx.exe'
- '\php-cgi.exe'
- '\w3wp.exe'
- '\ws_tomcatservice.exe'
selection_webserver_characteristics_tomcat1:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
ParentImage|contains:
- '-tomcat-'
- '\tomcat'
selection_webserver_characteristics_tomcat2:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
CommandLine|contains:
- 'CATALINA_HOME'
- 'catalina.jar'
selection_recon:
CommandLine|contains:
- 'perl --help'
- 'perl -h'
- 'python --help'
- 'python -h'
- 'python3 --help'
- 'python3 -h'
- 'wget --help'
condition: 1 of selection_webserver_* and selection_reconFalse Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
References
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
f64e5c19-879c-4bae-b471-6d84c8339677
Status
test
Level
high
Type
Detection
Created
Wed Jul 22
Modified
Thu Nov 09
Path
rules/windows/process_creation/proc_creation_win_webshell_tool_recon.yml
Raw Tags
attack.persistenceattack.t1505.003