Detection rules › Kusto Query Language

Detect Suspicious Commands Initiated by Webserver Processes

Source: upstream

This query was originally published in the threat analytics report, Operation Soft Cell. Operation Soft Cell is a series of campaigns targeting users' call logs at telecommunications providers throughout the world. These attacks date from as early as 2012. Operation Soft Cell operators sometimes use legitimate web server processes to launch commands, especially for network discovery and user/owner discovery. The following query detects activity of this kind. Reference - https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1059` Command and Scripting Interpreter
Persistence	`T1574` Hijack Execution Flow
Privilege Escalation	`T1574` Hijack Execution Flow
Defense Evasion	`T1574` Hijack Execution Flow
Discovery	`T1082` System Information Discovery, `T1087` Account Discovery

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation
Security-Auditing	4688	A new process has been created.
Defender-DeviceProcessEvents	9001000	Process activity (any)

Stages and Predicates

Stage 1: `source`

DeviceProcessEvents

Stage 2: `where`

and
  or
    InitiatingProcessFileName in ["beasvc.exe", "httpd.exe", "w3wp.exe"]
    InitiatingProcessFileName starts_with "tomcat"
    InitiatingProcessParentFileName in ["beasvc.exe", "httpd.exe", "w3wp.exe"]
    InitiatingProcessParentFileName starts_with "tomcat"
  FileName in ["cmd.exe", "powershell.exe"]

Stage 3: `where`

or
  ProcessCommandLine contains "%temp%"
  ProcessCommandLine match "certutil"
  ProcessCommandLine match "ipconfig"
  ProcessCommandLine match "ping"
  ProcessCommandLine match "systeminfo"
  ProcessCommandLine match "timeout"
  ProcessCommandLine match "wget"
  ProcessCommandLine match "whoami"

Stage 4: `summarize`

Stage 5: `extend`

Stage 6: `extend`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`FileName`	in	`cmd.exe` `powershell.exe`
`InitiatingProcessFileName`	in	`beasvc.exe` `httpd.exe` `w3wp.exe`
`InitiatingProcessFileName`	starts_with	`tomcat`
`InitiatingProcessParentFileName`	in	`beasvc.exe` `httpd.exe` `w3wp.exe`
`InitiatingProcessParentFileName`	starts_with	`tomcat`
`ProcessCommandLine`	contains	`%temp%`
`ProcessCommandLine`	match	`certutil` corpus 5 (sigma 5) `ipconfig` `ping` corpus 4 (sigma 4) `systeminfo` `timeout` `wget` corpus 2 (sigma 2) `whoami`

Detect Suspicious Commands Initiated by Webserver Processes

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: source

Stage 2: where

Stage 3: where

Stage 4: summarize

Stage 5: extend