Detection rules › Splunk
Shell Spawned by Web Server - Windows (Windows Event Log)
This use case detects web server processes with child processes which can be an indication of a web shell attack
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1505.003 Server Software Component: Web Shell, T1505.004 Server Software Component: IIS Components |
| Stealth | T1218 System Binary Proxy Execution |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| Security-Auditing | Event ID 4688 | A new process has been created. |
Rule body yaml
id: '18748.32126'
title: Shell Spawned by Web Server - Windows
description: 'This use case detects web server processes with child processes which
can be an indication of a web shell attack. - Threat Actor Association: Alloy Taurus/Gallium,
OilRig, Volt Typhoon (Bronze Silhouette, Vanguard Panda) -- Software Association:
ALPHV/BlackCat, Clop'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4688) OR
"<EventID>4688<" OR Type=Process) (TERM(w3wp) OR TERM(httpd) OR TERM(nginx) OR TERM(php-cgi)
OR TERM(tomcat) OR TERM(UMWorkerProcess)) (TERM(cmd) OR TERM(powershell) OR TERM(pwsh)
OR TERM(csc) OR TERM(sh) OR TERM(bash) OR TERM(bitsadmin))| regex Creator_Process_Name="(?i)(w3wp|httpd|nginx|php-cgi|tomcat|UMWorkerProcess)\.exe"|
regex New_Process_Name="(?i)(cmd|powershell|pwsh|csc|sh|bash|bitsadmin)\.exe" |
table _time, host, user, signature_id, process, process_*, parent_process_* | bin
span=1s | stats values(*) as * by _time, host, process_name | eventstats c(process_name)
as c_process_name by process_name| where c_process_name < 25 '
techniques:
- persistence:server software component:iis components
- persistence:server software component:web shell
- defense-evasion:system binary proxy execution
technique_id:
- T1505.004
- T1505.003
- T1218
data_category:
- Windows event logs
references:
- https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/
- https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4688) OR "<EventID>4688<" OR Type=Process) (TERM(w3wp) OR TERM(httpd) OR TERM(nginx) OR TERM(php-cgi) OR TERM(tomcat) OR TERM(UMWorkerProcess)) (TERM(cmd) OR TERM(powershell) OR TERM(pwsh) OR TERM(csc) OR TERM(sh) OR TERM(bash) OR TERM(bitsadmin))
Stage 2: regex
| regex Creator_Process_Name="(?i)(w3wp|httpd|nginx|php-cgi|tomcat|UMWorkerProcess)\.exe"
Stage 3: regex
| regex New_Process_Name="(?i)(cmd|powershell|pwsh|csc|sh|bash|bitsadmin)\.exe"
Stage 4: table
| table _time, host, user, signature_id, process, process_*, parent_process_*
Stage 5: bucket
| bin span=1s
Stage 6: stats
| stats values(*) as * by _time, host, process_name
Stage 7: eventstats
| eventstats c(process_name) as c_process_name by process_name
Stage 8: where
| where c_process_name < 25
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Creator_Process_Name | regex_match |
|
EventCode | eq |
|
New_Process_Name | regex_match |
|
c_process_name | lt |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>4688<" |
| 1 | TERM |
| 1 | w3wp |
| 1 | TERM |
| 1 | httpd |
| 1 | TERM |
| 1 | nginx |
| 1 | "php-cgi" |
| 1 | TERM |
| 1 | tomcat |
| 1 | TERM |
| 1 | UMWorkerProcess |
| 1 | TERM |
| 1 | cmd |
| 1 | TERM |
| 1 | powershell |
| 1 | TERM |
| 1 | pwsh |
| 1 | TERM |
| 1 | csc |
| 1 | TERM |
| 1 | sh |
| 1 | TERM |
| 1 | bash |
| 1 | TERM |
| 1 | bitsadmin |