SigmaHQ/rules/windows/sysmon/sysmon_webshell_spawn.yml

title: Shells spawned by Web Servers
status: experimental
description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack
author: Thomas Patzke
logsource:
    product: sysmon
detection:
    selection:
        EventLog: Microsoft-Windows-Sysmon/Operational
        EventID: 1
        ParentImage:
            - '*\w3wp.exe'
            - '*\httpd.exe'
            - '*\nginx.exe'
        Image:
            - '*\cmd.exe'
            - '*\sh.exe'
            - '*\bash.exe'
    condition: selection
falsepositives:
    - Particular web applications may spawn a shell process legitimately
level: high
Added experimental web 'shell_spawn' rule 2017-01-10 23:07:49 +00:00			`title: Shells spawned by Web Servers`
			`status: experimental`
			`description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack`
Added "logsource" sections and new rule 2017-02-18 23:31:59 +00:00			`author: Thomas Patzke`
			`logsource:`
Removed lists from log source section 2017-02-19 10:08:23 +00:00			`product: sysmon`
Added experimental web 'shell_spawn' rule 2017-01-10 23:07:49 +00:00			`detection:`
			`selection:`
Rule review and cleanup * removed unnecessary one element lists from definitions * converted some lists of one element maps to maps because the resulting OR linkage would cause wrong result. 2017-02-15 22:53:08 +00:00			`EventLog: Microsoft-Windows-Sysmon/Operational`
			`EventID: 1`
			`ParentImage:`
			`- '*\w3wp.exe'`
			`- '*\httpd.exe'`
			`- '*\nginx.exe'`
			`Image:`
			`- '*\cmd.exe'`
			`- '*\sh.exe'`
			`- '*\bash.exe'`
Added experimental web 'shell_spawn' rule 2017-01-10 23:07:49 +00:00			`condition: selection`
			`falsepositives:`
			`- Particular web applications may spawn a shell process legitimately`
Levels to low, medium, high, critical 2017-02-16 17:02:26 +00:00			`level: high`