Possible webshell on the endpoint
Webshell Detection
Query
let webservers = dynamic(["beasvc.exe", "coldfusion.exe", "httpd.exe", "owstimer.exe", "visualsvnserver.exe", "w3wp.exe", "tomcat", "apache2", "nginx"]);
let linuxShells = dynamic(["/bin/bash", "/bin/sh", "python", "python3"]);
let windowsShells = dynamic(["powershell.exe", "powershell_ise.exe", "cmd.exe"]);
let exclusions = dynamic(["csc.exe", "php-cgi.exe", "vbc.exe", "conhost.exe"]);
DeviceProcessEvents
| where (InitiatingProcessParentFileName in~(webservers) or InitiatingProcessCommandLine in~(webservers))
| where (InitiatingProcessFileName in~(windowsShells) or InitiatingProcessCommandLine has_any(linuxShells))
| where FileName !in~ (exclusions)
| extend Reason = iff(InitiatingProcessParentFileName in~ (webservers), "Suspicious web shell execution", "Suspicious webserver process")
| summarize by FileName, DeviceName, Reason, InitiatingProcessParentFileName, InitiatingProcessCommandLineAbout this query
Explanation
This query is designed to detect potential web shell activity on servers, which is a common technique used by attackers to gain unauthorized access and control over a server. Here's a simple breakdown of what the query does:
-
Identify Web Server Processes: The query starts by defining a list of common web server processes, such as
w3wp.exe(IIS),httpd.exe(Apache), and others likenginxandtomcat. -
Identify Shell Processes: It also defines lists of shell processes for both Windows (e.g.,
powershell.exe,cmd.exe) and Linux (e.g.,/bin/bash,python). -
Exclude Certain Processes: Some processes are excluded from consideration, such as
csc.exeandphp-cgi.exe, which are not typically associated with malicious activity in this context. -
Filter Events: The query looks at device process events to find instances where a web server process initiates a shell process. This is unusual behavior because web servers typically do not start shell processes unless something suspicious is happening.
-
Exclude Non-Suspicious Activity: It ensures that the processes being flagged are not part of the excluded list, which helps reduce false positives.
-
Label Suspicious Activity: If such activity is detected, it labels it as either "Suspicious web shell execution" or "Suspicious webserver process" based on the initiating process.
-
Summarize Results: Finally, it summarizes the findings by listing the file name, device name, reason for suspicion, and details about the initiating process.
This query is useful for security analysts to identify and investigate potential web shell attacks, which can be a significant security risk if not addressed promptly.
