SigmaHQ/rules/windows/process_creation/win_webshell_spawn.yml
2020-01-30 16:07:37 +01:00

33 lines
873 B
YAML

title: Shells Spawned by Web Servers
id: 8202070f-edeb-4d31-a010-a26c72ac5600
status: experimental
description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack
author: Thomas Patzke
date: 2019/01/16
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage:
- '*\w3wp.exe'
- '*\httpd.exe'
- '*\nginx.exe'
- '*\php-cgi.exe'
Image:
- '*\cmd.exe'
- '*\sh.exe'
- '*\bash.exe'
- '*\powershell.exe'
condition: selection
fields:
- CommandLine
- ParentCommandLine
tags:
- attack.privilege_escalation
- attack.persistence
- attack.t1100
falsepositives:
- Particular web applications may spawn a shell process legitimately
level: high