Detection rules › Splunk

Web or Application Server Spawning a Shell

Author: Michael Haag, Nasreddine Bencherchali, Splunk
Source: upstream

The following analytic detects instances where a Java or Tomcat process spawns a Linux shell, which may indicate exploitation attempts such as those related to CVE-2021-44228 (Log4Shell). The query also covers the Windows equivalents (for example java.exe or w3wp.exe spawning cmd.exe or powershell.exe). This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and parent-child process relationships. This activity is significant because it can signify a compromised Java application, potentially leading to unauthorized shell access. If confirmed malicious, attackers could execute arbitrary commands, escalate privileges, or maintain persistent access, posing a severe threat to the environment.

MITRE ATT&CK coverage

Tactic          Techniques
Initial Access  T1133 External Remote Services, T1190 Exploit Public-Facing Application
Persistence     T1133 External Remote Services

Event coverage

Provider  Event ID  Title
Sysmon    1         Process creation

Stages and Predicates

Stage 1: tstats

tstats WHERE
  (
    (Processes.parent_process_name IN ("UMWorkerProcess.exe", "caddy.exe", "httpd.exe", "java.exe", "nginx.exe", "node.exe", "php*.exe", "php-cgi.exe", "tomcat*.exe", "w3wp.exe", "ws_TomcatService.exe")
     Processes.process_name IN ("WindowsTerminal.exe", "bash.exe", "cmd.exe", "cscript.exe", "mshta.exe", "powershell.exe", "powershell_ise.exe", "pwsh.exe", "sh.exe", "wscript.exe", "wt.exe"))
    OR
    (Processes.parent_process_name IN ("apache2", "caddy", "httpd", "java", "lighttpd", "nginx", "node", "tomcat*")
     Processes.process_name IN ("bash", "csh", "dash", "eshell", "fish", "ion", "ksh", "rbash", "sh", "tcsh", "zsh"))
  )
  BY Processes.action, Processes.dest, Processes.original_file_name, Processes.parent_process, Processes.parent_process_exec, Processes.parent_process_guid, Processes.parent_process_id, Processes.parent_process_name, Processes.parent_process_path, Processes.process, Processes.process_exec, Processes.process_guid, Processes.process_hash, Processes.process_id, Processes.process_integrity_level, Processes.process_name, Processes.process_path, Processes.user, Processes.user_id, Processes.vendor_product
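The Stage 1 predicate, re-implemented outside Splunk so it can be run against exported process-creation events, as an added example (not Splunk's code). Splunk's IN() accepts wildcards, which fnmatch models here; case-insensitive matching and the sample events are assumptions made for the example.

```python
import fnmatch

# Parent/child name sets transcribed from Stage 1, split by platform as the query is.
WINDOWS_PARENTS = ("UMWorkerProcess.exe", "caddy.exe", "httpd.exe", "java.exe", "nginx.exe",
                   "node.exe", "php*.exe", "php-cgi.exe", "tomcat*.exe", "w3wp.exe",
                   "ws_TomcatService.exe")
WINDOWS_SHELLS = ("WindowsTerminal.exe", "bash.exe", "cmd.exe", "cscript.exe", "mshta.exe",
                  "powershell.exe", "powershell_ise.exe", "pwsh.exe", "sh.exe", "wscript.exe",
                  "wt.exe")
LINUX_PARENTS = ("apache2", "caddy", "httpd", "java", "lighttpd", "nginx", "node", "tomcat*")
LINUX_SHELLS = ("bash", "csh", "dash", "eshell", "fish", "ion", "ksh", "rbash", "sh", "tcsh", "zsh")


def _in(value, patterns):
    """Approximate Splunk's IN(...) with wildcards: glob match, case-insensitive (assumption)."""
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def matches_rule(event):
    """True when the event satisfies the Stage 1 WHERE clause (either platform branch)."""
    parent, child = event["parent_process_name"], event["process_name"]
    return (_in(parent, WINDOWS_PARENTS) and _in(child, WINDOWS_SHELLS)) or \
           (_in(parent, LINUX_PARENTS) and _in(child, LINUX_SHELLS))


def triage(events):
    """Return (dest, parent, child, command line) for every matching event, for analyst review."""
    return [(e["dest"], e["parent_process_name"], e["process_name"], e["process"])
            for e in events if matches_rule(e)]


# Constructed sample telemetry in Sysmon EID 1 style; not real data.
SAMPLE_EVENTS = [
    {"dest": "web01", "parent_process_name": "java.exe", "process_name": "cmd.exe",
     "process": "cmd.exe /c whoami"},
    {"dest": "web02", "parent_process_name": "tomcat9", "process_name": "bash",
     "process": "bash -c id"},
    {"dest": "web03", "parent_process_name": "php-cgi.exe", "process_name": "powershell.exe",
     "process": "powershell.exe -nop -c hostname"},
    # Linux shell name under a Windows parent: neither platform branch matches.
    {"dest": "web04", "parent_process_name": "java.exe", "process_name": "bash", "process": "bash"},
    # Ordinary Java behaviour, no shell spawned.
    {"dest": "web05", "parent_process_name": "java", "process_name": "java",
     "process": "java -jar app.jar"},
    # Interactive user shell; the parent is not a web or application server.
    {"dest": "ws01", "parent_process_name": "explorer.exe", "process_name": "cmd.exe",
     "process": "cmd.exe"},
]
```

Expect web01, web02 and web03 to be returned by triage(SAMPLE_EVENTS); the remaining three events show the cross-platform and benign-parent cases the rule deliberately does not fire on.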

Stage 2: search

search

Stage 3: search

search

Stage 4: search

search

Stage 5: search

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank value or 1 means the indicator is specific to this rule.

Field                          Kind  Values
Processes.parent_process_name  in
  • "UMWorkerProcess.exe"
  • "apache2"
  • "caddy"
  • "caddy.exe"
  • "httpd"
  • "httpd.exe"
  • "java"
  • "java.exe"
  • "lighttpd"
  • "nginx"
  • "nginx.exe"
  • "node"
  • "node.exe"
  • "php*.exe"
  • "php-cgi.exe"
  • "tomcat*"
  • "tomcat*.exe"
  • "w3wp.exe"
  • "ws_TomcatService.exe"
Processes.process_name         in
  • "WindowsTerminal.exe"
  • "bash"
  • "bash.exe"
  • "cmd.exe" corpus 3 (splunk 3)
  • "cscript.exe" corpus 3 (splunk 3)
  • "csh"
  • "dash"
  • "eshell"
  • "fish"
  • "ion"
  • "ksh"
  • "mshta.exe" corpus 2 (splunk 2)
  • "powershell.exe" corpus 2 (splunk 2)
  • "powershell_ise.exe" corpus 2 (splunk 2)
  • "pwsh.exe" corpus 4 (splunk 4)
  • "rbash"
  • "sh"
  • "sh.exe"
  • "tcsh"
  • "wscript.exe" corpus 3 (splunk 3)
  • "wt.exe"
  • "zsh"