detection.wiki

Server Software Component: Web Shell T1505.003

Tactic: Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.

Events covered

9 catalog events are tagged with this technique by at least one rule.

ProviderEventTitle
SysmonEvent ID 1Process creation
SysmonEvent ID 2A process changed a file creation time
SysmonEvent ID 11FileCreate
SysmonEvent ID 23FileDelete (File Delete archived)
Security-AuditingEvent ID 4688A new process has been created.
ESFcreateFile or Directory Create (NOTIFY)
ESFrenameFile Rename (NOTIFY)
Linux-AuditdEvent ID 1300SYSCALL
Sysmon-for-LinuxEvent ID 1Process Create

Authoring guide

Patterns shared across the 77 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (63 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
process_name20eq 8, in 8, starts_with 4, wildcard 3, match 2bash, cmd.exe, powershell.exe, busybox, csh
CommandLine19contains 13, is_not_null 2, wildcard 2, ends_with 1, regex_match 1, starts_with 1-classpath , .payload, msexchange, -af , -c
Image19ends_with 14, eq 2, contains 1, is_not_null 1, starts_with 1, wildcard 1\cmd.exe, \w3wp.exe, \bash.exe, ./, ./*
TargetFilename18contains 7, ends_with 6, in 3, regex_match 3, starts_with 3, wildcard 2.ashx, .asp, .aspx, *\\httpproxy\\oab\\*, *\\httpproxy\\owa\\auth\\*
event.type17eq 16, ne 1start, creation, deletion
EventType15eq 13, in 2exec, creation, IntrusionEvent, ProcessRollup2, connection_accepted
ParentImage14ends_with 9, contains 4, regex_match 2, wildcard 2, eq 1, starts_with 1-tomcat-, \caddy.exe, \httpd.exe, /u0*/*, \w3wp.exe
host.os.type13eq 11, in 2
parent_process_name13eq 11, in 7, starts_with 7, wildcard 3, ends_with 2apache2, *.cgi, *.fcgi, .cgi, .fcgi
cs-method11eq 10, in 1GET, POST, PUT
ParentCommandLine9contains 7, ne 1, wildcard 1app.py, asgi.py, django, */sap.com*/servlet_jsp/irj/*, *\sap.com*\servlet_jsp\irj\*
cs-uri-query8contains 7, starts_with 1, wildcard 1%2fdev%2ftcp, %2fetc%2fpasswd, %comspec%, &dwn=, &fn=
process.parent.args7wildcard 4, contains 3, eq 3, starts_with 2*-Dsolr.solr.home=*, *BitbucketServerLauncher*, *jenkins.war*, -Dcatalina.base=, -Djboss.home.dir=
OriginalFileName5eq 3, in 2cmd.exe, powershell.exe, powershell_ise.exe, appcmd.exe, csc.exe
c-uri5contains 2, in 2, eq 1*.jsp?cmd=*, *j&cmd=*, *logoimagehandler.ashx*args*, *logoimagehandler.ashx*clazz*, *logoimagehandler.ashx*method*

Top indicator values (1229 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
event.typeeq
start
15606
EventTypeeq
exec
7171
parent_process_nameeq
java
78
ParentImageends_with
\w3wp.exe
612
cs-methodeq
GET
649
Imageends_with
\cmd.exe
5130
Imageends_with
\w3wp.exe
56
parent_process_namein
apache2
56
parent_process_namein
caddy
56
parent_process_namein
daphne
55
parent_process_namein
flask
55
parent_process_namein
httpd
56
parent_process_namein
httpd.worker
55
parent_process_namein
lswsctrl
55
parent_process_namein
mongrel_rails
55
parent_process_namein
nginx
56
parent_process_namein
php-cgi
55
parent_process_namein
php-cgi.cagefs
55
parent_process_namein
php-fcgi
55
parent_process_namein
uwsgi
55
parent_process_namestarts_with
perl
55
parent_process_namestarts_with
python
512
parent_process_namestarts_with
ruby
55
process_namein
bash
588
process_namein
csh
571
process_namein
dash
578
process_namein
fish
572
process_namein
ksh
573
process_namein
sh
583
process_namein
tcsh
569

Exclusions (290 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
parent_process_nameeq
java
3
parent_process_nameeq
apache2
2
parent_process_nameeq
nginx
2
parent_process_nameeq
php-cgi
2
CommandLinecontains
/opt/sc/bin/showvulns
2
CurrentDirectoryeq
/
2
CurrentDirectorystarts_with
/home/
2
CurrentDirectorywildcard
/u0*/*/sysman/emd
2
CurrentDirectorywildcard
/u0*/app/oracle/product/*/db_*
2
CurrentDirectorywildcard
/u0*/app/oracle/product/*/dbhome_*
2
CurrentDirectorywildcard
/var/www/*edoc*
2
ParentImagestarts_with
/vscode/vscode-server/
2
parent_process_namestarts_with
php-fpm
2
process.argsstarts_with
/usr/bin/rsvg-convert
2
process.argsstarts_with
/usr/local/bin/wkhtmltopdf
2

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Platform (all)
Domain (all)

Sigma 31 rules

Elastic 22 rules

Splunk 20 rules

YARA-L 4 rules