Persistence (TA0003)(external, opens in a new tab or window)
Execution (TA0002)(external, opens in a new tab or window)
Command and Control (TA0011)(external, opens in a new tab or window)
Initial Access (TA0001)(external, opens in a new tab or window)
text code block:event.category:process and host.os.type:linux and event.type:start and event.action:exec and ( process.parent.name:( apache2 or asterisk or caddy or daphne or flask or frankenphp or httpd or httpd.worker or lswsctrl or mongrel_rails or nginx or php-cgi or php-cgi.cagefs or php-fcgi or starman or sw-engine-fpm or uvicorn or uwsgi or varnishd or waitress-serve or zabbix_server or *.cgi or *.fcgi or gunicorn* or php-fpm* ) or process.parent.name:ruby* and process.parent.command_line:(*passenger* or *puma* or *rails*) or process.parent.name:python* and process.parent.command_line:( *app.py* or *asgi.py* or *django* or *flask* or *hypercorn* or *server.py* or *uvicorn* or *wsgi.py* ) or process.parent.name:perl* and process.parent.command_line:*plackup* or process.parent.name:java and process.parent.args:( com.atlassian.jira.startup.Launcher or com.caucho.server.resin.Resin or com.google.gerrit.pgm.Daemon or com.ibm.ws.kernel.boot.cmdline.Bootstrap or com.ibm.ws.runtime.WsServer or com.sun.enterprise.glassfish.bootstrap.ASMain or io.dropwizard.cli.ServerCommand or io.helidon.microprofile.server.Main or io.micronaut.runtime.Micronaut or io.quarkus.runner.GeneratedMain or io.vertx.core.Launcher or org.apache.catalina.startup.Bootstrap or org.eclipse.jetty.start.Main or org.elasticsearch.bootstrap.Elasticsearch or org.jboss.modules.Main or play.core.server.ProdServerStart or weblogic.Server or *-Dsolr.solr.home=* or *BitbucketServerLauncher* or *jenkins.war* or *quarkus-run.jar* or *weblogic-launcher.jar* or -Dcatalina.base=* or -Djboss.home.dir=* or -Djetty.home=* or -Dweblogic.Name=* or io.helidon.webserver* or org.apereo.cas* or org.keycloak* or org.springframework.boot.loader.* ) ) and process.executable:* and process.command_line:* and not ( process.name:( arp or aws or az or base16 or base32 or base64 or base64mime or base64pem or base64plain or base64url or basenc or basez or bash or busybox or cat or chmod or chpasswd or cp or crictl or csh or ctr or curl or dash or df or dig or docker or du or fish or gcloud or helm or host or htop or ifconfig or ip or ksh or kubectl or ln or lsblk or lsof or ltrace or mkdir or mksh or mv or nc or nc.openbsd or nc.traditional or ncat or netcat or ngrok or nmap or nslookup or openssl or passwd or rm or sh or socat or ss or strace or sudo or tcpdump or tcsh or telnet or top or touch or traceroute or wget or whoami or xxd or zsh or *.bin or *.elf or *.jar or *.lua* or *.mjs or *.js or *.php* or *.pl or *.py or *.rb or *.sh or .* ) or process.executable:( ./* or /boot/* or /dev/shm/* or /home/*/* or /lost+found/* or /proc/* or /root/* or /run/* or /sys/* or /tmp/* or /var/mail/* or /var/run/* or /var/tmp/* or /var/www/* ) or process.parent.name:java and not process.parent.executable:/u0*/* or process.working_directory:(/u0*/*/sysman/emd or /u0*/app/oracle/product/*/db_* or /u0*/app/oracle/product/*/dbhome_* or /var/www/*edoc*) or process.args:(/usr/bin/rsvg-convert* or /usr/local/bin/wkhtmltopdf*) or process.command_line:*/opt/sc/bin/showvulns* )
Install detection rules in Elastic Security
Detect Unusual Child Execution via Web Server in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).