Suspicious Process By Web Server Process

Severity: high
Author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1190` Exploit Public-Facing Application
Persistence	`T1505.003` Server Software Component: Web Shell

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `1 of selection_webserver_image`

or:
ParentImage|endswith: '\UMWorkerProcess.exe'
ParentImage|endswith: '\caddy.exe'
ParentImage|endswith: '\httpd.exe'
ParentImage|endswith: '\nginx.exe'
ParentImage|endswith: '\php-cgi.exe'
ParentImage|endswith: '\php.exe'
ParentImage|endswith: '\tomcat.exe'
ParentImage|endswith: '\w3wp.exe'
ParentImage|endswith: '\ws_TomcatService.exe'

Stage 2: `1 of selection_webserver_characteristics_tomcat1`

or:
ParentImage|endswith: '\java.exe'
ParentImage|endswith: '\javaw.exe'
or:
ParentImage|contains: -tomcat-
ParentImage|contains: '\tomcat'

Stage 3: `1 of selection_webserver_characteristics_tomcat2`

or:
ParentCommandLine|contains: CATALINA_HOME
ParentCommandLine|contains: catalina.home
ParentCommandLine|contains: catalina.jar
or:
ParentImage|endswith: '\java.exe'
ParentImage|endswith: '\javaw.exe'

Stage 4: `selection_anomaly_children`

or:
Image|endswith: '\arp.exe'
Image|endswith: '\at.exe'
Image|endswith: '\bash.exe'
Image|endswith: '\bitsadmin.exe'
Image|endswith: '\certutil.exe'
Image|endswith: '\cmd.exe'
Image|endswith: '\cscript.exe'
Image|endswith: '\dsget.exe'
Image|endswith: '\hostname.exe'
Image|endswith: '\nbtstat.exe'
Image|endswith: '\net.exe'
Image|endswith: '\net1.exe'
Image|endswith: '\netdom.exe'
Image|endswith: '\netsh.exe'
Image|endswith: '\nltest.exe'
Image|endswith: '\ntdsutil.exe'
Image|endswith: '\powershell.exe'
Image|endswith: '\powershell_ise.exe'
Image|endswith: '\pwsh.exe'
Image|endswith: '\qprocess.exe'
Image|endswith: '\query.exe'
Image|endswith: '\qwinsta.exe'
Image|endswith: '\reg.exe'
Image|endswith: '\rundll32.exe'
Image|endswith: '\sc.exe'
Image|endswith: '\sh.exe'
Image|endswith: '\wmic.exe'
Image|endswith: '\wscript.exe'
Image|endswith: '\wusa.exe'

Stage 5: `not 1 of filter_main_*`

or:
CommandLine|endswith: 'Windows\system32\cmd.exe /c C:\ManageEngine\ADManager "Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt'
ParentImage|endswith: '\java.exe'
CommandLine|contains: 'ADManager Plus'
CommandLine|contains: 'sc query'
ParentImage|endswith: '\java.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	ends_with	`Windows\system32\cmd.exe /c C:\ManageEngine\ADManager "Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt`
`CommandLine`	match	`ADManager Plus` `sc query`
`Image`	ends_with	`\arp.exe` corpus 3 (sigma 3) `\at.exe` corpus 2 (sigma 2) `\bash.exe` corpus 17 (sigma 17) `\bitsadmin.exe` corpus 23 (sigma 23) `\certutil.exe` corpus 34 (sigma 34) `\cmd.exe` corpus 92 (sigma 92) `\cscript.exe` corpus 64 (sigma 64) `\dsget.exe` `\hostname.exe` `\nbtstat.exe` `\net.exe` corpus 27 (sigma 27) `\net1.exe` corpus 25 (sigma 25) `\netdom.exe` `\netsh.exe` corpus 16 (sigma 16) `\nltest.exe` corpus 9 (sigma 9) `\ntdsutil.exe` corpus 4 (sigma 4) `\powershell.exe` corpus 143 (sigma 143) `\powershell_ise.exe` corpus 27 (sigma 27) `\pwsh.exe` corpus 140 (sigma 140) `\qprocess.exe` `\query.exe` corpus 5 (sigma 5) `\qwinsta.exe` corpus 2 (sigma 2) `\reg.exe` corpus 46 (sigma 46) `\rundll32.exe` corpus 76 (sigma 76) `\sc.exe` corpus 17 (sigma 17) `\sh.exe` corpus 13 (sigma 13) `\wmic.exe` corpus 37 (sigma 37) `\wscript.exe` corpus 64 (sigma 64) `\wusa.exe` corpus 3 (sigma 3)
`ParentCommandLine`	match	`CATALINA_HOME` `catalina.home` `catalina.jar`
`ParentImage`	ends_with	`\UMWorkerProcess.exe` `\caddy.exe` corpus 4 (sigma 4) `\httpd.exe` corpus 6 (sigma 6) `\java.exe` corpus 7 (sigma 7) `\javaw.exe` corpus 5 (sigma 5) `\nginx.exe` corpus 6 (sigma 6) `\php-cgi.exe` corpus 6 (sigma 6) `\php.exe` `\tomcat.exe` `\w3wp.exe` corpus 8 (sigma 8) `\ws_TomcatService.exe`
`ParentImage`	match	`-tomcat-` corpus 4 (sigma 4) `\tomcat` corpus 6 (sigma 6)

Suspicious Process By Web Server Process

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: 1 of selection_webserver_image

Stage 2: 1 of selection_webserver_characteristics_tomcat1

Stage 3: 1 of selection_webserver_characteristics_tomcat2