Web Shell Detection: Script Process Child of Common Web Processes
Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.
Rule type: new_terms
Rule indices:
- endgame-*
- logs-crowdstrike.fdr*
- logs-endpoint.events.process-*
- logs-m365_defender.event-*
- logs-sentinel_one_cloud_funnel.*
- logs-system.security*
- logs-windows.sysmon_operational-*
- winlogbeat-*
Rule Severity: high
Risk Score: 73
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:
- https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/
- https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965
- https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Persistence
- Resources: Investigation Guide
- Data Source: Elastic Endgame
- Data Source: Elastic Defend
- Data Source: SentinelOne
- Data Source: Windows Security Event Logs
- Data Source: Microsoft Defender XDR
- Data Source: Sysmon
- Data Source: Crowdstrike
Version: 424
Rule authors:
- Elastic
Rule license: Elastic License v2
This rule is designed for data generated by Elastic Defend, which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.
Setup instructions: https://ela.st/install-elastic-defend
This rule also supports the following third-party data sources. For setup instructions, refer to the links below:
- CrowdStrike
- Microsoft Defender XDR
- SentinelOne Cloud Funnel
- Sysmon Event ID 1 - Process Creation
- Windows Process Creation Logs
- What execution path did the alert capture?
  - Focus: child `process.executable`/`process.command_line`; web-parent `process.parent.name`, `process.parent.executable`, and `process.parent.command_line` for IIS/Apache/nginx/PHP CGI/Tomcat/ArcGIS.
  - Implication: escalate when a web-facing parent launches a shell, script host, downloader, archive tool, or admin utility outside bounded tasks; lower only when parent context, child path, and command match one exact deployment, health-check, log rotation, or support task.
- Is the child command administration or post-exploitation?
  - Focus: `process.command_line`: WMIC, download cradles, archive creation, account/system discovery, service control, credential access, script-host flags, or web-root/temp/backup/app-content paths.
  - Hint: for PowerShell, reconstruct script blocks by `host.id` and `process.pid` via `powershell.file.script_block_text`, `powershell.sequence`, and `powershell.total`; missing PowerShell telemetry is unresolved, not benign.
  - Implication: escalate when the command stages payloads, runs discovery, creates accounts, changes services, or writes to web-accessible or temp paths; lower suspicion when bounded to one recognized deployment, health-check, log rotation, or support task.
- Is user context human admin or service identity?
  - Why: web-process children often inherit app-pool or service identity; `user.id`, `user.name`, and `user.domain` do not prove human initiation.
  - Focus: `@timestamp`, `user.id`, `user.name`, `process.Ext.session_info.logon_type`, and `process.parent.command_line`.
  - Implication: escalate when service or network logon context launches interactive troubleshooting, remote administration, or off-hours shell activity without a matching window; lower suspicion when identity, logon type, parent pool/service, and command scope fit one exact workflow.
- Does child binary identity fit its command?
  - Focus: `process.executable`, `process.pe.original_file_name`, `process.hash.sha256`, `process.code_signature.subject_name`, and `process.code_signature.trusted`.
  - Implication: escalate when the child is renamed, unsigned/untrusted, user-writable, or mismatched to original file name; lower suspicion when identity and path match stable tooling, but continue because trusted binaries can carry web-shell commands.
- Did file telemetry show web-shell placement, staging, or config changes?
  - Focus: if file telemetry exists, review `host.id` file events for child `process.entity_id` or `process.pid`, checking `file.path`, `file.Ext.original.path`, and `file.Ext.windows.zone_identifier`.
  - Hint: web-root script writes without later child starts are adjacent-variant evidence; if the child writes a script or executable, query starts where `process.executable` equals that path on the same `host.id`.
  - Implication: escalate when the child writes ASPX, ASP, PHP, JSP, JS, BAT, PS1, EXE, DLL, JAR, WAR, or archives to web-accessible/temp/user-writable paths, or a written artifact later executes; missing file telemetry is unresolved, not benign, and absence does not close.
- Did the child launch second-stage processes?
  - Focus: child starts on `host.id` where `process.parent.entity_id` equals child `process.entity_id`, checking `process.executable`, `process.command_line`, and `process.hash.sha256`.
  - Implication: escalate when descendants include shells, script hosts, downloaders, archive tools, credential utilities, service control, or persistence tooling; absence only narrows impact when command, file, network, and related alerts also fit a benign workflow.
- Did DNS/network telemetry show retrieval or control?
  - Focus: if DNS/network telemetry exists, review child `process.entity_id` events on `host.id`, separating `dns.question.name`/`dns.resolved_ip` from `destination.ip`/`destination.port`; compare role with command intent.
  - Hint: map DNS results to later connection IPs before linking query and connection; if a third-party alert lacks `process.entity_id`, recover the child by `host.id`, `process.pid`, and `@timestamp`. Missing network/DNS telemetry is unresolved, not benign.
  - Implication: escalate when the child retrieves tools from public infrastructure, reaches rare/misaligned destinations, or connects outside web-server administration; decide from alert-local process evidence and corroboration when DNS/network telemetry is unavailable.
- Do related alerts show broader compromise?
  - Focus: same-web-parent starts and 48h `host.id` alerts for web-shell, credential-access, discovery, archive, lateral-movement, persistence, or anti-forensics.
  - Implication: escalate scope when alerts cluster around the same server role, child command family, or staged artifacts; absence only narrows response scope when local parent-child, command, identity, file, and network evidence are explained.
- What disposition fits?
  - Implication: escalate on unexplained server-side execution, exploit-like command intent, suspicious child identity, payload staging, rare destinations, or broader compromise; do not wait for optional pivots when alert-local process evidence is unsafe. Close only when same-host alert-window telemetry proves one exact benign web-server workflow; use outside confirmation for legitimacy gaps. If evidence is mixed or visibility incomplete, preserve artifacts and escalate.
- Web deployment, post-install validation, health checks, vendor extension install, ArcGIS publishing, or maintenance can spawn "cmd.exe", PowerShell, or "wscript.exe" from web components. Confirm only when parent, child, command, service identity, and artifact/destination evidence describe the same alert-window workflow with no unexpected web-content writes, rare callbacks, or contradictions.
- If telemetry proves shape but not legitimacy, require matching change, deployment, runbook, vendor, or owner confirmation; use prior occurrences post-closure to test exception stability.
- Build exceptions from the minimum confirmed pattern: web parent command, child executable/hash/signature, command line, `user.id`, `host.id`, and bounded content path or destination when decisive. Avoid parent name, `process.name`, or `host.id` alone.
- If confirmed benign, reverse temporary containment, document exact parent, child, command, service identity, artifact/destination evidence, and confirmation, and create exceptions only from that pattern.
- If suspicious but unconfirmed, preserve the alert/export, process tree, child/parent entity IDs, command lines, hash, staged-file copies, destinations, related alerts, and web/app logs around `@timestamp` before containment or cleanup.
- Apply reversible containment tied to evidence: block confirmed malicious destinations, restrict affected site/app access, disable the exposed extension or virtual directory, or increase `host.id` monitoring. Isolate only when evidence and server criticality permit.
- If confirmed malicious, contain the host or terminate the child only after preservation; if direct response is unavailable, escalate with process/artifact/destination/server-log evidence to the team that can contain the server, disable the exposed path, or stop the service.
- Before deletion/restoration, hunt for the same hash, child command, staged path, domain, IP, and port across hosts/accounts. Then remove web shells, scripts, archives, scheduled tasks, dropped utilities, and persistence; restore known-good content/config; rotate exposed service, app, or admin credentials if secrets may be exposed.
- After containment, patch the implicated app, extension, framework, or server component; review the internet-exposed site/service that launched the child; retain endpoint, network, and web logs; document script-only variants or logging gaps.
host.os.type:windows and event.category:process and event.type:start and process.args : * and
process.parent.name:("w3wp.exe" or "httpd.exe" or "nginx.exe" or "php.exe" or "php-cgi.exe" or "tomcat.exe" or "ArcSOC.exe") and
(
process.name : ("cmd.exe" or "cscript.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "wmic.exe" or "wscript.exe") or
process.name.caseless : ("cmd.exe" or "cscript.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "wmic.exe" or "wscript.exe")
) and
not
(
process.command_line : (
"cmd.exe /c mode CON" or
"cmd.exe /s /c \"mode CON\"" or
"cmd.exe /c \"mode\"" or
"cmd.exe /s /c \"tput colors 2>&1\"" or
"cmd.exe /s /c \"stty 2> NUL\"" or
"cmd.exe /s /c \"stty 2>&1\"" or
"cmd.exe /c \"stty 2>&1\"" or
"cmd.exe /s /c \"ipconfig /all 2>&1\"" or
"cmd.exe /s /c \"echo '%os%'\"" or
*.\\install\\awk.exe*
) or
process.args : (\(git or (*artisan* and *queue\:work*) or *rmdir* or "mode CON" or ver or ls or mode or dir) or
(process.name:cmd.exe and process.parent.args : "c:\\\\xampp\\\\htdocs\\\\open-audit\\\\index.php") or
(process.name:cmd.exe and process.args:("/V:ON" and "--header-html")) or
(process.parent.args:"WebCession" and process.args:E\:\\Data\\CLM\\cession\\*.bat) or
(process.parent.executable :"D:\\AiDKlinik\\php\\php-cgi.exe" and process.args:D\:\\AiDKlinik\\web*) or
(process.parent.args :"E:/wamp64/bin/apache/apache2.4.62.1" and process.args:node*) or
(process.parent.name:"php.exe" and process.name:"cmd.exe" and process.args:("/V:ON" and "/E:ON"))
)
Framework: MITRE ATT&CK
Tactic:
- Name: Persistence
- Id: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Server Software Component
- Id: T1505
- Reference URL: https://attack.mitre.org/techniques/T1505/
Sub Technique:
- Name: Web Shell
- Id: T1505.003
- Reference URL: https://attack.mitre.org/techniques/T1505/003/
Framework: MITRE ATT&CK
Tactic:
- Name: Initial Access
- Id: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
Technique:
- Name: Exploit Public-Facing Application
- Id: T1190
- Reference URL: https://attack.mitre.org/techniques/T1190/
Framework: MITRE ATT&CK
Tactic:
- Name: Execution
- Id: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: Windows Management Instrumentation
- Id: T1047
- Reference URL: https://attack.mitre.org/techniques/T1047/
Technique:
- Name: Command and Scripting Interpreter
- Id: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/
Sub Technique:
- Name: PowerShell
- Id: T1059.001
- Reference URL: https://attack.mitre.org/techniques/T1059/001/
Sub Technique:
- Name: Windows Command Shell
- Id: T1059.003
- Reference URL: https://attack.mitre.org/techniques/T1059/003/
Sub Technique:
- Name: Visual Basic
- Id: T1059.005
- Reference URL: https://attack.mitre.org/techniques/T1059/005/
Sub Technique:
- Name: JavaScript
- Id: T1059.007
- Reference URL: https://attack.mitre.org/techniques/T1059/007/