Web Shell Activity Detection via Process Monitoring
This brief focuses on detecting malicious activity related to web shells on Windows systems by identifying the execution of command interpreters and scripting engines as child processes of common web server processes, potentially indicating unauthorized command execution and persistent access.
Web shells are malicious scripts placed on web servers to provide attackers with remote access and control. This threat brief addresses the detection of web shell activity on Windows servers, focusing on the execution of command interpreters and scripting engines (e.g., cmd.exe, powershell.exe, cscript.exe) as child processes of web server processes (e.g., w3wp.exe, httpd.exe, nginx.exe). The initial access vector is typically exploitation of a public-facing application. This activity allows threat actors to execute commands, upload/download files, and potentially pivot deeper into the network. The timeframe of interest is ongoing, as web shells remain a popular method for maintaining persistence in compromised environments. The scope of targeting is broad, as any vulnerable web server is susceptible to web shell placement and subsequent exploitation.
Attack Chain
- Initial Compromise: A web server is compromised through the exploitation of a vulnerability in a public-facing web application (e.g., unpatched software, SQL injection).
- Web Shell Upload: The attacker uploads a malicious script (e.g., PHP, ASPX) to a publicly accessible directory on the web server.
- Web Shell Execution: The attacker accesses the web shell through a web browser, triggering its execution on the server.
- Command Execution: The web shell executes commands by spawning a command interpreter such as
cmd.exeorpowershell.exe. - Privilege Escalation: The attacker attempts to elevate privileges using exploits or by leveraging misconfigurations.
- Lateral Movement: The attacker uses the compromised web server as a pivot point to access other systems on the network.
- Data Exfiltration: The attacker exfiltrates sensitive data from the compromised network.
- Persistence: The attacker establishes persistence by creating new user accounts or modifying existing ones, or by planting additional web shells.
Impact
A successful web shell attack can result in complete compromise of the web server and potentially the entire network. This can lead to data breaches, financial losses, reputational damage, and disruption of services. The number of potential victims is large, as web servers are ubiquitous and often targeted by attackers. Specific sectors at risk include e-commerce, finance, healthcare, and government.
Recommendation
- Deploy the "Web Shell Detection: Script Process Child of Common Web Processes" Sigma rule to your SIEM and tune it for your environment to detect command execution via web shells.
- Enable Sysmon process creation logging to capture process start events and command-line arguments, as required by the provided Sigma rules.
- Implement a web application firewall (WAF) to prevent the initial exploitation of web application vulnerabilities.
- Regularly scan web applications for vulnerabilities and apply patches promptly to prevent initial access.
- Monitor network connections originating from web servers for suspicious outbound traffic, which may indicate command and control activity.
Detection coverage 2
Web Shell Detection: Script Process Child of Common Web Processes
highDetects command interpreters (cmd.exe, powershell.exe) spawned by common web server processes (w3wp.exe, httpd.exe, nginx.exe), indicating potential web shell activity.
Web Shell Detection: PowerShell Execution from Web Server
mediumDetects PowerShell execution as a child process of a web server, which is often indicative of web shell activity.
Detection queries are available on the platform. Get full rules →