Unusual Child Execution via Web Server
This rule detects unusual child process executions originating from web server processes on Linux systems, potentially indicating attackers exploiting web servers for persistence.
This detection rule identifies unusual child processes spawned from web server processes on Linux systems. Attackers frequently target web servers to establish persistence within a compromised environment. Because web servers legitimately spawn many child processes, this rule uses a “new_terms” approach to highlight deviations from typical behavior: process execution events are compared against a baseline of known-good parent/child combinations, and only combinations not seen during the baseline period are surfaced. This approach helps defenders identify potentially malicious activity that would be missed by traditional signature-based detection, since the rule focuses on processes that are not normally associated with legitimate web server operations rather than on a fixed list of bad process names.
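To make the “new_terms” idea concrete, here is an added example (not the platform's own rule logic) of the baseline-and-compare step run over a handful of constructed process events. Field names follow the ECS convention used by Linux endpoint data (`process.parent.name`, `process.name`, `process.args`, `host.name`); the list of web server parent names, the sample events, and the function names are assumptions made for this example. The rule first learns every (web server parent, child process) pair seen during a known-good window, then flags any pair in the detection window that was never seen before, grouping the hosts and command lines that produced it so an analyst has context for triage.

```python
# Added example: a minimal "new terms" detector for child processes of Linux
# web servers. Not the detection platform's own code; names below are assumed.

# Web server parent process names this example considers (assumption).
WEB_SERVER_PARENTS = {
    "apache2", "httpd", "nginx", "lighttpd", "caddy",
    "php-fpm", "node", "gunicorn", "uwsgi",
}

# Constructed known-good events (flattened ECS-style field names, made-up values).
BASELINE_EVENTS = [
    {"host.name": "web01", "process.parent.name": "nginx",   "process.name": "php-fpm", "process.args": ["php-fpm"]},
    {"host.name": "web01", "process.parent.name": "php-fpm", "process.name": "convert", "process.args": ["convert", "in.png", "out.jpg"]},
    {"host.name": "web01", "process.parent.name": "apache2", "process.name": "sh",      "process.args": ["sh", "-c", "/usr/bin/sendmail -t"]},
    {"host.name": "web02", "process.parent.name": "nginx",   "process.name": "php-fpm", "process.args": ["php-fpm"]},
    {"host.name": "web02", "process.parent.name": "cron",    "process.name": "bash",    "process.args": ["bash", "/opt/backup.sh"]},
]

# Constructed events from the detection window.
NEW_EVENTS = [
    {"host.name": "web01", "process.parent.name": "nginx",   "process.name": "php-fpm", "process.args": ["php-fpm"]},
    {"host.name": "web01", "process.parent.name": "php-fpm", "process.name": "bash",    "process.args": ["bash", "-c", "id"]},
    {"host.name": "web02", "process.parent.name": "apache2", "process.name": "python3", "process.args": ["python3", "/tmp/update.py"]},
    {"host.name": "web02", "process.parent.name": "cron",    "process.name": "bash",    "process.args": ["bash", "/opt/backup.sh"]},
    {"host.name": "web02", "process.parent.name": "apache2", "process.name": "python3", "process.args": ["python3", "/tmp/update.py"]},
]


def term_key(event):
    """The 'term' the rule tracks: (web server parent name, child process name)."""
    return (event["process.parent.name"], event["process.name"])


def is_web_server_child(event):
    """Only events whose parent is a web server process are in scope."""
    return event.get("process.parent.name") in WEB_SERVER_PARENTS


def build_baseline(events):
    """Learn the set of (parent, child) terms observed during a known-good window."""
    return {term_key(e) for e in events if is_web_server_child(e)}


def find_new_terms(events, baseline):
    """Return one alert per previously unseen (parent, child) term.

    Repeated executions of the same new term collapse into a single alert that
    lists the hosts involved and every command line seen, which is the context
    an analyst needs to decide whether the child process is legitimate.
    """
    alerts = {}
    for e in events:
        if not is_web_server_child(e):
            continue
        key = term_key(e)
        if key in baseline:
            continue  # seen before: not a new term
        alert = alerts.setdefault(
            key, {"parent": key[0], "child": key[1], "hosts": set(), "command_lines": []}
        )
        alert["hosts"].add(e["host.name"])
        alert["command_lines"].append(" ".join(e["process.args"]))
    return [alerts[k] for k in sorted(alerts)]


def promote_to_baseline(baseline, alert):
    """After triage confirms a new term is benign, fold it into the baseline so
    it stops alerting; the rule's baseline window does this implicitly over time."""
    baseline.add((alert["parent"], alert["child"]))
    return baseline


def run_example():
    """Run the constructed events through the detector and return the alerts."""
    baseline = build_baseline(BASELINE_EVENTS)
    return find_new_terms(NEW_EVENTS, baseline)


if __name__ == "__main__":
    for a in run_example():
        print(f"NEW TERM {a['parent']} -> {a['child']} on {sorted(a['hosts'])}: {a['command_lines']}")
```

Two things the example makes visible that the description alone does not: `cron -> bash` never alerts because the parent is out of scope, and `nginx -> php-fpm` never alerts because it was learned during the baseline window, so the only alerts are the two pairs the web server had never spawned before. In a real deployment the baseline window must be long enough to cover periodic legitimate children (log rotation, mail handoff, image conversion), or the rule will page on them at the start of every window.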
Attack Chain
- An attacker gains initial access to a Linux system via a vulnerability (e.g., CVE-XXXX) in a public-facing web application.
- The attacker leverages the exploited web application to execute commands on the underlying server.
- The attacker establishes persistence by creating a web shell or modifying existing web server configuration files.
- The attacker uses the web shell to execute arbitrary commands, such as downloading malicious tools or creating new user accounts.
- The web server process spawns an unusual child process, such as a reverse shell or a script interpreter (e.g., bash, python).
- The child process establishes a connection to an external command and control (C2) server.
- The attacker uses the C2 channel to further compromise the system, potentially escalating privileges and moving laterally within the network.
- The attacker achieves their objective, such as data exfiltration or deploying ransomware.
Impact
Successful exploitation can lead to persistent access within the targeted environment, allowing attackers to maintain control over compromised systems. This can result in data breaches, system downtime, and further propagation of malicious activity within the network. The impact is amplified by the widespread use of Linux-based web servers across various industries, making this a relevant threat for a broad range of organizations.
Recommendation
- Deploy the provided Sigma rule to your SIEM to detect unusual child process executions originating from web servers.
- Investigate any alerts generated by the Sigma rule to determine if they are indicative of malicious activity.
- Review web server configurations for unauthorized modifications or the presence of web shells.
- Monitor network connections originating from web server processes for suspicious outbound traffic.
- Ensure that all web server software is up-to-date with the latest security patches to mitigate known vulnerabilities.
- Implement strong access controls and monitoring to prevent unauthorized access to web server configuration files.
Detection coverage (2 rules)
Detect Unusual Child Processes of Web Servers
Severity: medium. Detects unusual child processes spawned by common web server processes on Linux systems, indicating potential web shell activity or other malicious behavior.
Web Server Process Command Line Contains Suspicious Strings
Severity: low. Detects potentially malicious command line arguments used by web server processes that may indicate command injection or web shell activity.