Unusual Child Process Execution from Linux Web Servers

Attackers may exploit vulnerabilities in web servers to gain initial access and establish persistence on compromised Linux systems. This involves leveraging web server processes to execute commands or scripts, often resulting in unusual child process executions. These child processes can be used to download malicious tools, execute system commands, or install backdoors under the web service context. Detecting these deviations from normal web server behavior is critical for identifying compromised systems. This detection focuses on Linux systems and a wide array of web server software.

Attack Chain

1. The attacker exploits a vulnerability in a public-facing web application (e.g., command injection, remote file inclusion).
2. The web server (e.g., Apache, Nginx) executes a malicious command or script as a child process.
3. The child process spawns a shell (e.g., bash, sh) or interpreter (e.g., python, perl) such as /bin/bash.
4. The shell downloads additional malicious tools or payloads from a remote server using utilities like curl or wget.
5. The downloaded payload is executed, establishing persistence on the system, such as adding a cron job.
6. The attacker leverages the established persistence to maintain access and perform further malicious activities.
7. The attacker attempts privilege escalation to gain root access.
8. The attacker establishes command and control (C2) communication to remotely control the compromised server.

Impact

Successful exploitation and persistence can lead to a wide range of impacts, including data theft, system compromise, and further lateral movement within the network. A compromised web server can be used to host malicious content, launch attacks against other systems, or exfiltrate sensitive data. The targeted sectors are broad, encompassing any organization that relies on web-based applications and services.

Recommendation

• Deploy the Sigma rule Detect Unusual Child Processes of Web Servers to your SIEM to identify anomalous process executions originating from web server processes.
• Investigate any alerts generated by the Detect Web Shell Activity via Process Monitoring Sigma rule to identify potential web shell deployments.
• Implement regular vulnerability scanning and patching procedures to address potential web application vulnerabilities.
• Review and harden web server configurations to minimize the attack surface and prevent unauthorized command execution.
• Monitor network connections from web servers for suspicious outbound traffic to identify potential C2 communications.
• Enable process monitoring and audit logging to capture detailed information about process executions and network connections, enabling comprehensive analysis of suspicious activities.