T1505.003 Linux Webshell Indicators
T1505.003 - Linux Webshell Indicators¶
DESCRIPTION¶
Detects suspicious linux sub processes of web server processes.
Reference:
https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/
https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
https://github.com/SigmaHQ/sigma/blob/bd4542448564d8c9bbdac8a6b32b3975af153772/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml
Related
common persistence - Linux
ATT&CK TACTICS¶
An error occurred while fetching content from {{ T1505 }}: 'T1505' is undefined
Data Source(s): Process
SENTINEL RULE QUERY¶
let selection_general = @".*(/httpd|/lighttpd|/nginx|/apache2|/node|/caddy)$";
let selection_websphere = dynamic(['/bin/java','websphere']);
let sub_processes= @"/(whoami|ifconfig|ip|bin/uname|bin/cat|bin/crontab|hostname|iptables|netstat|pwd|route)$";
let filter_command = dynamic(['httpd -D FOREGROUND','apache2 -D FOREGROUND']);
DeviceProcessEvents
| where InitiatingProcessFolderPath matches regex selection_general or InitiatingProcessCommandLine has_all (selection_websphere)
| where FolderPath matches regex sub_processes
| where InitiatingProcessCommandLine !in (filter_command)
//| summarize count(), earliest_time=min(TimeGenerated), set_DeviceName=make_set(DeviceName), set_AccountName=make_set(AccountName) by TenantId, InitiatingProcessFolderPath,InitiatingProcessCommandLine, FolderPath, ProcessCommandLine, SHA256
Triage¶
- Remove the comment "//" in 'summarize' statement in above KQL to assist in analysis and removing data duplicates.
- Examine the sub processes (under FolderPath) and the command-line whether the activity is suspicious
- Check for additional suspicious sub processes detected from the same hosts
- Verify if the location of the parent process and the process is expected
FalsePositive¶
Web applications that invoke Linux command line tools
VERSION¶
Version 2.0 (date: 09/02/2024)