Web Server Exploitation Detected via Defend for Containers

Last updated 21 days ago on 2026-03-05

Created 2 months ago on 2026-02-06

About

This rule detects the exploitation of a web server through the execution of a suspicious process by common web server user accounts. Attackers may upload a web shell to a web server to maintain access to the system.

Tags

Data Source: Elastic Defend for ContainersDomain: ContainerOS: LinuxUse Case: Threat DetectionTactic: PersistenceTactic: ExecutionTactic: Command and ControlLanguage: eql

Severity

high

Risk Score

MITRE ATT&CK™

Persistence (TA0003)(external, opens in a new tab or window)

↳ Server Software Component (T1505)(external, opens in a new tab or window)

Execution (TA0002)(external, opens in a new tab or window)

↳ Command and Scripting Interpreter (T1059)(external, opens in a new tab or window)

Command and Control (TA0011)(external, opens in a new tab or window)

↳ Application Layer Protocol (T1071)(external, opens in a new tab or window)

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type: Event Correlation Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-cloud_defend.process*
Related Integrations: cloud_defend(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗process where event.type == "start" and event.action == "exec" and process.parent.interactive == false and
container.id like "?*" and (
  process.parent.name in (
    "nginx", "apache2", "httpd", "caddy", "mongrel_rails", "uwsgi", "daphne", "httpd.worker", "flask",
    "php-cgi", "php-fcgi", "php-cgi.cagefs", "lswsctrl", "varnishd", "uvicorn", "waitress-serve", "starman"
  ) or
  process.parent.name like ("php-fpm*", "gunicorn*", "*.cgi", "*.fcgi") or
  (process.parent.name like "ruby*" and process.parent.args like~ ("*puma*", "*rails*", "*passenger*")) or
  (process.parent.name like "python*" and process.parent.args like~ (
    "*hypercorn*", "*flask*", "*uvicorn*", "*django*", "*app.py*", "*server.py*", "*wsgi.py*", "*asgi.py*"
  )) or
  (process.parent.name like "perl*" and process.parent.args like~ "*plackup*") or
  (process.parent.name == "node" and process.parent.args like~ (
    "*next start*", "*--port*", "*PORT=*", "*HOST=*", "*0.0.0.0*", "*/dist/*.js*", "*/build/*.js*", "*/server/*.js*",
    "*/app/*.js*","*/apps/*/*.js*", "*/index.js*", "*/main.js*", "*/srv/*", "*/opt/*", "*/var/www/*"
    ) and
    not process.parent.args like ("/opt/cursor-agent/*", "/home/*/*", "/root/*", "/opt/vscode-server/*", "/usr/lib/node_modules/openclaw/dist/index.js") 
  ) or
  (process.parent.name == "java" and process.parent.args like~ (
    /* Tomcat */
    "org.apache.catalina.startup.Bootstrap", "-Dcatalina.base=*",

    /* Jetty */
    "org.eclipse.jetty.start.Main", "-Djetty.home=*",

    /* WildFly / JBoss */
    "org.jboss.modules.Main", "-Djboss.home.dir=*",

    /* WebLogic */
    "weblogic.Server", "-Dweblogic.Name=*", "*weblogic-launcher.jar*",

    /* WebSphere traditional + Liberty */
    "com.ibm.ws.runtime.WsServer", "com.ibm.ws.kernel.boot.cmdline.Bootstrap",

    /* GlassFish */
    "com.sun.enterprise.glassfish.bootstrap.ASMain",

    /* Resin */
    "com.caucho.server.resin.Resin",

    /* Spring Boot */
    "org.springframework.boot.loader.*",

    /* Quarkus */
    "*quarkus-run.jar*", "io.quarkus.runner.GeneratedMain",

    /* Micronaut */
    "io.micronaut.runtime.Micronaut",

    /* Dropwizard */
    "io.dropwizard.cli.ServerCommand",

    /* Play */
    "play.core.server.ProdServerStart",

    /* Helidon */
    "io.helidon.microprofile.server.Main", "io.helidon.webserver*",

    /* Vert.x */
    "io.vertx.core.Launcher",

    /* Keycloak */
    "org.keycloak*",

    /* Apereo CAS */
    "org.apereo.cas*",

    /* Elasticsearch */
    "org.elasticsearch.bootstrap.Elasticsearch",

    /* Atlassian / Gerrit */
    "com.atlassian.jira.startup.Launcher", "*BitbucketServerLauncher*", "com.google.gerrit.pgm.Daemon",

    /* Solr */
    "*-Dsolr.solr.home=*"
    )
  )
) and
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "busybox") and
process.args in ("-c", "-cl", "-lc") and (
  process.args like (
    /* Suspicious Paths */
    "* /tmp/* ", "* /var/tmp/* ", "* /dev/shm/*", "* /var/www/*", "* /run/*", "* /var/run/*",

    /* Interpreter Execution */
    "*python* -c*", "*php* -r*", "*perl* -e*", "*ruby* -e*", "*lua* -e*", "*node * -e *",

    /* Encoding / Decoding */
    "*base64 -*d*", "*|*base64 *", "*xxd *", "*openssl*enc * -d *",

    /* Reverse Shells */
    "*netcat *", "* nc *", "*ncat *", "*/dev/tcp*", "*/dev/udp/*", " *socat *", "*openssl*s_client *", "*stty*raw*-echo*",

    /* File Access */
    "*>*/etc/cron*", "*/etc/ssh*", "*/home/*/.ssh/*", "*/root/.ssh*", "*~/.ssh/*", "*/etc/shadow*", "*/etc/passwd*", "*chpasswd*",
      
    /* AWS Credentials */
    "*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_token*", "*accesskeyid*", "*secretaccesskey*",
    "*access_key*", "*.aws/credentials*", "*/.aws/config*",
    
    /* Azure Credentials */
    "*AZURE_CLIENT_ID*", "*AZURE_TENANT_ID*", "*AZURE_CLIENT_SECRET*", "*AZURE_FEDERATED_TOKEN_FILE*",
    "*IDENTITY_ENDPOINT*", "*IDENTITY_HEADER*", "*MSI_ENDPOINT*", "*MSI_SECRET*", "*/.azure/*",
    "*/run/secrets/azure/*",
    
    /* GCP Credentials */
    "*/.config/gcloud/*", "*application_default_credentials.json*", "*type: service_account*",
    "*client_email*", "*private_key_id*", "*private_key*", "*/run/secrets/google/*", "*GOOGLE_APPLICATION_CREDENTIALS*",
    
    /* Misc. Cloud */
    "*/.docker/config.json*", "*/.npmrc*", "*/secrets/kubernetes.io/serviceaccount/*",

    /* Helpers */
    "*nohup*", "*setsid *", "*timeout *sh -c *", "*disown*", "*env *sh *-c*",

    /* Miscellaneous */
    "*echo *", "*chattr *", "*busybox *",  "*#!*", "*chmod +x *", "*chmod 777*", 
    
    /* Decompression */
    "*gzip -*d *", "*bzip2 -*d *", "*xz -*d *", "*tar -*x*",
     
     /* Path Traversal */
     "*../../../*etc/*", "*/.../*", "*../../../*home/*/*", "*../../../*root/*",

     "*|*sh", "*|*python*", "*|*php*", "*|*perl*", "*|*ruby*", "*|*node*", "*|*lua*", "*|*busybox*"
  ) or
  (
    process.args like ("*wget *", "*curl *") and (
      (
        process.args like~ ("* -o *", "* --output*", "* -o- *") and
        process.args regex ".*[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}.*"
      ) or
      (
        process.args like ("*http://*", "*https://*") and
        process.args like (
          "* /tmp/*", "* /var/tmp/*", "* /dev/shm/* ", "* /var/www/*", "* ~/*",
          "* /home/*", "* /run/*", "* /var/run/*"
        )
      )
    )
  )
) and
not (
  (process.parent.name == "nginx" and process.args like ("chmod 777 /etc/resty-*", "resty*")) or
  (process.parent.name == "apache2" and (
    process.args in (
      "/usr/local/bin/php -r 'echo phpversion();'",
      "/usr/local/bin/php -r 'echo phpversion();'",
      "/usr/bin/php -r 'echo phpversion();'"
    ) or
    process.args like """bash -c "( /home/*/apps/richdocumentscode/collabora/Collabora_Online.AppImage*"""
    )
  ) or
  (process.parent.name like "php-fpm*" and process.args in (
    "/usr/bin/php -r 'echo phpversion();'",
    "/usr/bin/php -r 'echo phpversion();'",
    "php -r 'print_r(phpversion());'",
    "chattr -i -a /usr/local/virtualizor/license2.php"
    )
  ) or
  (process.parent.name == "php-cgi" and process.args like (
    "nohup php /home/*/public_html/lockindex.php index.php >/dev/null 2>&1 &",
    "nohup php /home/*/public_html/wp-content/* >> /dev/null 2>&1 &",
    "nohup php /home/*/public_html/wp-includes/* >> /dev/null 2>&1 &",
    "nohup php /home/*/public_html/*/wp-content/* >> /dev/null 2>&1 &"
    )
  )
)

Install detection rules in Elastic Security

Detect Web Server Exploitation Detected via Defend for Containers in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).