Uncommon Destination Port Connection by Web Server on Linux
The rule identifies unusual outbound network connections on non-standard ports originating from web server processes on Linux systems, indicative of potential web shell activity or unauthorized communication.
This detection rule focuses on identifying potentially malicious activity stemming from Linux-based web servers. The rule is triggered when a web server process, such as Apache, Nginx, or others, initiates an outbound network connection to a destination port that is considered non-standard. This activity can signal the presence of a web shell, a malicious script uploaded to a web server to enable remote access and control. Attackers may exploit compromised web servers to establish covert communication channels, exfiltrate data, or launch further attacks on internal systems. The rule leverages data from Elastic Defend to monitor network connections and filter out legitimate traffic based on a predefined list of common ports and internal IP ranges.
Attack Chain
- Initial access is gained via exploitation of a vulnerability in a web application or web server component running on a Linux system (e.g., through SQL injection or remote code execution).
- A web shell is uploaded to the compromised web server, often disguised as a legitimate file or hidden within existing directories.
- The attacker interacts with the web shell through HTTP requests, using it as a command and control interface.
- The web shell executes commands on the server, initiating outbound network connections to non-standard ports.
- These connections may be used to communicate with external C2 servers, download additional payloads, or exfiltrate sensitive data.
- The attacker uses the web shell to move laterally within the network, targeting other systems and services.
- The attacker attempts to establish persistence on the compromised server, ensuring continued access even after system reboots.
- The final objective is data theft, system compromise, or disruption of services.
Impact
Compromised web servers can lead to significant data breaches, system downtime, and reputational damage. While this rule triggers on low-severity behavior, successful exploitation can lead to complete system compromise. The number of affected systems depends on the scope of the initial vulnerability and the attacker’s ability to move laterally. Organizations in all sectors that rely on web-based applications are potentially at risk.
Recommendation
- Deploy the provided Sigma rule to your SIEM to detect web server processes initiating connections to unusual destination ports and tune for your environment.
- Enable Elastic Defend integration to collect the necessary network event data from Linux endpoints to activate the rule.
- Review and customize the list of excluded destination ports and internal IP ranges in the Sigma rule to match your organization’s specific network configuration and legitimate traffic patterns.
- Investigate any alerts generated by the rule to determine if the activity is malicious or benign, focusing on the process name, user, destination IP, and destination port.
Detection coverage (2 rules)
Detect Outbound Connection to Non-Standard Port by Web Server Process
Severity: low. Detects when a web server process initiates an outbound connection to a port outside the standard web service ports.
Detect Outbound Connection to Non-Standard Port by Web Server User
Severity: low. Detects when a web server user initiates an outbound connection to a port outside the standard web service ports.
Detection queries are kept inside the platform.
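As an added illustration of the filtering logic described in the rule summary and in the two coverage entries above (example code written for this page, not the platform's Sigma rule or the Elastic Defend query, which are not published here), the following Python runs the same check over constructed connection events. It covers both variants: the process-name rule and the user-name rule. The standard-port list, the web server process and account names, the internal ranges, and the event field names are all assumptions that must be tuned per environment, as the recommendations above say.

```python
"""Added example: a minimal re-implementation of the "web server -> non-standard
port" detection over constructed events. Not the platform's own rule logic.
Port list, process/user names, ranges and field names are assumptions."""
import ipaddress
from typing import Dict, List, Tuple

# Assumed "standard" destination ports. The real rule carries a predefined
# list that is not published on the page; customize this for your traffic.
STANDARD_PORTS = {80, 443, 8080, 8443}

# Assumed web server binaries and service accounts on a Linux host.
WEB_SERVER_PROCESSES = {"apache2", "httpd", "nginx", "php-fpm"}
WEB_SERVER_USERS = {"www-data", "apache", "nginx"}

# Internal ranges excluded by the rule: RFC 1918 plus loopback and link-local.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_internal(ip: str) -> bool:
    """True when the destination address falls inside an excluded internal range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def matching_rules(event: Dict) -> List[str]:
    """Return the names of the coverage rules a single connection event triggers.

    Both rules share the same exclusions (outbound only, non-standard port,
    external destination); they differ only in what identifies the web server.
    """
    if event.get("direction") != "egress":
        return []
    if event["destination_port"] in STANDARD_PORTS or is_internal(event["destination_ip"]):
        return []
    hits = []
    if event["process_name"] in WEB_SERVER_PROCESSES:
        hits.append("web_server_process_non_standard_port")
    if event["user_name"] in WEB_SERVER_USERS:
        hits.append("web_server_user_non_standard_port")
    return hits


def find_alerts(events: List[Dict]) -> List[Tuple[str, str, str, int, List[str]]]:
    """Collect (process, user, dest_ip, dest_port, rules) for every event that alerts."""
    alerts = []
    for e in events:
        rules = matching_rules(e)
        if rules:
            alerts.append((e["process_name"], e["user_name"],
                           e["destination_ip"], e["destination_port"], rules))
    return alerts


# Constructed sample events; addresses are from documentation ranges (RFC 5737).
SAMPLE_EVENTS = [
    # Benign: nginx proxying to an internal upstream on a non-standard port.
    {"process_name": "nginx", "user_name": "www-data", "direction": "egress",
     "destination_ip": "10.0.5.12", "destination_port": 9000},
    # Benign: apache2 calling an external API over HTTPS.
    {"process_name": "apache2", "user_name": "www-data", "direction": "egress",
     "destination_ip": "203.0.113.10", "destination_port": 443},
    # Alerts on both rules: apache2 reaching an external host on port 4444.
    {"process_name": "apache2", "user_name": "www-data", "direction": "egress",
     "destination_ip": "198.51.100.7", "destination_port": 4444},
    # Alerts on the user rule only: a shell running as www-data, which the
    # process-name rule would miss.
    {"process_name": "bash", "user_name": "www-data", "direction": "egress",
     "destination_ip": "198.51.100.7", "destination_port": 1337},
    # Ignored: inbound client connection to the web server itself.
    {"process_name": "nginx", "user_name": "www-data", "direction": "ingress",
     "destination_ip": "10.0.5.3", "destination_port": 80},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

The fourth sample event is why the platform ships a user-based variant alongside the process-based one: commands spawned by a web shell typically run under the web server's service account but as a different binary, so matching on the account catches activity the process-name rule alone does not. When tuning, extend STANDARD_PORTS and INTERNAL_RANGES first; that is where most benign hits in a real deployment come from.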