Persistence (TA0003)(external, opens in a new tab or window)
Execution (TA0002)(external, opens in a new tab or window)
Command and Control (TA0011)(external, opens in a new tab or window)
Initial Access (TA0001)(external, opens in a new tab or window)
text code block:event.category:process and host.os.type:linux and event.type:start and event.action:exec and ( process.parent.name:( apache2 or asterisk or caddy or daphne or flask or frankenphp or httpd or httpd.worker or lswsctrl or mongrel_rails or nginx or php-cgi or php-cgi.cagefs or php-fcgi or starman or sw-engine-fpm or uvicorn or uwsgi or varnishd or waitress-serve or zabbix_server or *.cgi or *.fcgi or gunicorn* or php-fpm* ) or process.parent.name:ruby* and process.parent.command_line:(*passenger* or *puma* or *rails*) or process.parent.name:python* and process.parent.command_line:( *app.py* or *asgi.py* or *django* or *flask* or *hypercorn* or *server.py* or *uvicorn* or *wsgi.py* ) or process.parent.name:perl* and process.parent.command_line:*plackup* or process.parent.name:java and process.parent.args:( com.atlassian.jira.startup.Launcher or com.caucho.server.resin.Resin or com.google.gerrit.pgm.Daemon or com.ibm.ws.kernel.boot.cmdline.Bootstrap or com.ibm.ws.runtime.WsServer or com.sun.enterprise.glassfish.bootstrap.ASMain or io.dropwizard.cli.ServerCommand or io.helidon.microprofile.server.Main or io.micronaut.runtime.Micronaut or io.quarkus.runner.GeneratedMain or io.vertx.core.Launcher or org.apache.catalina.startup.Bootstrap or org.eclipse.jetty.start.Main or org.elasticsearch.bootstrap.Elasticsearch or org.jboss.modules.Main or play.core.server.ProdServerStart or weblogic.Server or *-Dsolr.solr.home=* or *BitbucketServerLauncher* or *jenkins.war* or *quarkus-run.jar* or *weblogic-launcher.jar* or -Dcatalina.base=* or -Djboss.home.dir=* or -Djetty.home=* or -Dweblogic.Name=* or io.helidon.webserver* or org.apereo.cas* or org.keycloak* or org.springframework.boot.loader.* ) ) and process.command_line:* and process.name:(bash or busybox or csh or dash or fish or ksh or mksh or sh or tcsh or zsh) and process.args:(-c or -cl or -lc) and not ( process.parent.name:java and not process.parent.executable:/u0*/* or process.working_directory:(/u0*/*/sysman/emd or /u0*/app/oracle/product/*/db_* or /u0*/app/oracle/product/*/dbhome_* or /var/www/*edoc*) or process.args:(/usr/bin/rsvg-convert* or /usr/local/bin/wkhtmltopdf*) or process.command_line:*/opt/sc/bin/showvulns* )
Install detection rules in Elastic Security
Detect Unusual Command Execution via Web Server in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).