T1505.003 Linux Webshell Indicators

T1505.003 - Linux Webshell Indicators

DESCRIPTION

Detects suspicious linux sub processes of web server processes.

Reference:

https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/
https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
https://github.com/SigmaHQ/sigma/blob/bd4542448564d8c9bbdac8a6b32b3975af153772/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml

Related

common persistence - Linux

ATT&CK TACTICS

An error occurred while fetching content from {{ T1505 }}: 'T1505' is undefined

Data Source(s): Process

SENTINEL RULE QUERY

let selection_general = @".*(/httpd|/lighttpd|/nginx|/apache2|/node|/caddy)$";
let selection_websphere = dynamic(['/bin/java','websphere']);
let sub_processes= @"/(whoami|ifconfig|ip|bin/uname|bin/cat|bin/crontab|hostname|iptables|netstat|pwd|route)$";
let filter_command = dynamic(['httpd -D FOREGROUND','apache2 -D FOREGROUND']);
DeviceProcessEvents
| where InitiatingProcessFolderPath matches regex selection_general or  InitiatingProcessCommandLine has_all (selection_websphere)
| where FolderPath matches regex sub_processes
| where InitiatingProcessCommandLine !in (filter_command)
//| summarize count(), earliest_time=min(TimeGenerated), set_DeviceName=make_set(DeviceName), set_AccountName=make_set(AccountName) by TenantId, InitiatingProcessFolderPath,InitiatingProcessCommandLine, FolderPath, ProcessCommandLine, SHA256

Triage

1. Remove the comment "//" in 'summarize' statement in above KQL to assist in analysis and removing data duplicates.
2. Examine the sub processes (under FolderPath) and the command-line whether the activity is suspicious
3. Check for additional suspicious sub processes detected from the same hosts
4. Verify if the location of the parent process and the process is expected

FalsePositive

Web applications that invoke Linux command line tools

VERSION

Version 2.0 (date: 09/02/2024)