Persistence (TA0003)(external, opens in a new tab or window)
Initial Access (TA0001)(external, opens in a new tab or window)
text code block:process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( process.parent.name in ( "nginx", "apache2", "httpd", "caddy", "mongrel_rails", "uwsgi", "daphne", "httpd.worker", "flask", "php-cgi", "php-fcgi", "php-cgi.cagefs", "lswsctrl", "varnishd", "uvicorn", "waitress-serve", "starman", "frankenphp", "zabbix_server", "asterisk", "sw-engine-fpm" ) or process.parent.name like ("php-fpm*", "gunicorn*", "*.cgi", "*.fcgi") or ( process.parent.name like "ruby*" and process.parent.command_line like~ ("*puma*", "*rails*", "*passenger*") ) or ( process.parent.name like "python*" and process.parent.command_line like~ ( "*hypercorn*", "*flask*", "*uvicorn*", "*django*", "*app.py*", "*server.py*", "*wsgi.py*", "*asgi.py*" ) ) or (process.parent.name like "perl*" and process.parent.command_line like~ "*plackup*") or ( process.parent.name == "java" and ( process.parent.args like~ ( /* Tomcat */ "org.apache.catalina.startup.Bootstrap", "-Dcatalina.base=*", /* Jetty */ "org.eclipse.jetty.start.Main", "-Djetty.home=*", /* WildFly / JBoss */ "org.jboss.modules.Main", "-Djboss.home.dir=*", /* WebLogic */ "weblogic.Server", "-Dweblogic.Name=*", "*weblogic-launcher.jar*", /* WebSphere traditional + Liberty */ "com.ibm.ws.runtime.WsServer", "com.ibm.ws.kernel.boot.cmdline.Bootstrap", /* GlassFish */ "com.sun.enterprise.glassfish.bootstrap.ASMain", /* Resin */ "com.caucho.server.resin.Resin", /* Spring Boot */ "org.springframework.boot.loader.*", /* Quarkus */ "*quarkus-run.jar*", "io.quarkus.runner.GeneratedMain", /* Micronaut */ "io.micronaut.runtime.Micronaut", /* Dropwizard */ "io.dropwizard.cli.ServerCommand", /* Play */ "play.core.server.ProdServerStart", /* Helidon */ "io.helidon.microprofile.server.Main", "io.helidon.webserver*", /* Vert.x */ "io.vertx.core.Launcher", /* Keycloak */ "org.keycloak*", /* Apereo CAS */ "org.apereo.cas*", /* Elasticsearch */ "org.elasticsearch.bootstrap.Elasticsearch", /* Atlassian / Gerrit */ "com.atlassian.jira.startup.Launcher", "*BitbucketServerLauncher*", "com.google.gerrit.pgm.Daemon", /* Solr */ "*-Dsolr.solr.home=*", /* Jenkins */ "*jenkins.war*" ) or ?process.working_directory like "/u0?/*" ) ) ) and ( process.executable like ( "/tmp/*", "/var/tmp/*", "/dev/shm/*", "./*", "/run/*", "/var/run/*", "/boot/*", "/sys/*", "/lost+found/*", "/proc/*", "/var/mail/*", "/var/www/*", "/home/*/*", "/root/*" ) or process.name like~ ( // Hidden processes ".*", // Suspicious file formats "*.elf", "*.sh", "*.py", "*.rb", "*.pl", "*.lua*", "*.php*", ".js", "*.bin", "*.jar", "*.mjs", // Network utilities often used for reverse shells "nc", "netcat", "ncat", "telnet", "socat", "openssl", "nc.openbsd", "ngrok", "nc.traditional", // Cloud CLI "az", "gcloud", "aws", "kubectl", "helm", "docker", "ctr", "crictl", // Misc. tools "whoami", "ifconfig", "ip", "ss", "top", "htop", "df", "du", "lsblk", "lsof", "tcpdump", "strace", "ltrace", "curl", "wget", "dig", "nslookup", "host", "nmap", "arp", "traceroute", "cat", "touch", "cp", "mv", "rm", "mkdir", "ln", "chmod", "sudo", "xxd", "base64", "basez", "base64plain", "base64url", "base64mime", "base64pem", "basenc", "base32", "base16", "chpasswd", "passwd" ) )
Install detection rules in Elastic Security
Detect Suspicious Child Execution via Web Server in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).