{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/os-linux/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Elastic Defend for Containers"],"_cs_severities":["high"],"_cs_tags":["Data Source: Elastic Defend for Containers","Domain: Container","OS: Linux","Use Case: Threat Detection","Tactic: Persistence","Tactic: Execution","Tactic: Command and Control","Resources: Investigation Guide"],"_cs_type":"threat","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule, sourced from Elastic\u0026rsquo;s detection rules repository and designed for use with Elastic Defend for Containers, identifies potential web server exploitation attempts. The rule focuses on detecting suspicious processes spawned by web server user accounts within containers. This can be indicative of attackers uploading web shells or exploiting remote command execution vulnerabilities to maintain access. The rule specifically looks for parent processes like nginx, apache2, or php-fpm executing shell commands with suspicious arguments. The rule was initially created on 2026/02/06 and updated on 2026/06/01, when the Defend for Containers integration was reintroduced; it requires a minimum stack version of 9.3.0. It is important for defenders to monitor such activity as it can lead to persistence, lateral movement, and further compromise within the containerized environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: Attacker gains initial access to the web server, potentially through a vulnerability such as remote code execution (RCE) or by exploiting weak credentials.\u003c/li\u003e\n\u003cli\u003eWeb Shell Upload: The attacker uploads a web shell (e.g., PHP shell) to a publicly accessible directory on the web server.\u003c/li\u003e\n\u003cli\u003eCommand Execution: The attacker uses the web shell to execute commands on the server, often using a web-service account.\u003c/li\u003e\n\u003cli\u003eSuspicious Process Spawn: The web server process spawns a shell process (e.g., bash, sh) with suspicious arguments, such as those used for reverse shells, file manipulation, or credential access.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistence by creating cron jobs or modifying system files.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the compromised server as a pivot point to move laterally within the network, potentially targeting other containers or hosts.\u003c/li\u003e\n\u003cli\u003eCommand and Control: The attacker establishes a command and control (C2) channel with an external server to remotely control the compromised system.\u003c/li\u003e\n\u003cli\u003eData Exfiltration/System Damage: The attacker exfiltrates sensitive data or causes damage to the system, depending on their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of web servers can lead to a range of negative consequences, including data breaches, system compromise, and financial losses. Attackers can use compromised web servers to steal sensitive data, launch attacks on other systems, or disrupt business operations. The potential impact is significant, particularly for organizations that rely on web applications to conduct business. The severity is rated high due to the potential for significant damage and the relative ease with which such attacks can be carried out.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Web Server Exploitation Detected via Defend for Containers\u0026rdquo; EQL rule to your Elastic Stack instance to detect suspicious process execution by web servers.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend for Containers with a minimum stack version of 9.3.0 to collect the necessary data for the rule to function.\u003c/li\u003e\n\u003cli\u003ePrioritize investigation of alerts generated by the rule with a risk score of 73, particularly those involving reverse shells, file access, or credential access, as indicated in the rule\u0026rsquo;s \u003ccode\u003equery\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview and tune the rule\u0026rsquo;s \u003ccode\u003equery\u003c/code\u003e to reduce false positives based on your specific environment and application configurations, as described in the \u0026ldquo;False positive analysis\u0026rdquo; section of the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and egress filtering to limit the potential impact of compromised containers, as suggested in the \u0026ldquo;Response and remediation\u0026rdquo; section of the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-01T15:48:08Z","date_published":"2026-06-01T15:48:08Z","id":"https://feed.craftedsignal.io/briefs/2026-06-suspicious-webserver-child-process/","summary":"This rule detects the exploitation of a web server through the execution of a suspicious process by common web server user accounts within a containerized environment, potentially indicating the uploading of a web shell to maintain system access, and covers persistence, execution, and command and control tactics.","title":"Suspicious Web Server Child Process Execution via Elastic Defend for Containers","url":"https://feed.craftedsignal.io/briefs/2026-06-suspicious-webserver-child-process/"}],"language":"en","title":"CraftedSignal Threat Feed — OS: Linux","version":"https://jsonfeed.org/version/1.1"}