{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/web_shell/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Elastic Defend"],"_cs_severities":["low"],"_cs_tags":["persistence","execution","command_and_control","web_shell","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies unusual outbound network connections initiated by web server processes on Linux systems. The rule is designed to detect potential web shell activity or unauthorized communication from a web server process to external systems. It works by monitoring egress connections from web server processes to non-standard ports, excluding common local IP ranges. This aims to highlight potential threats such as web shells or data exfiltration attempts originating from compromised web servers. The processes monitored include common web server applications like Apache, Nginx, and associated scripting environments. 
The rule focuses on identifying deviations from typical web server behavior so that defenders can quickly spot potentially malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Linux web server, typically by exploiting a vulnerability in a web application (for example, an unrestricted file upload or a command injection flaw).\u003c/li\u003e\n\u003cli\u003eThe attacker deploys a web shell (e.g., written in PHP, Python, or Perl) to a publicly accessible directory on the web server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the web shell to execute commands on the server, usually by having the web server or interpreter process spawn a shell such as bash or sh.\u003c/li\u003e\n\u003cli\u003eA command run through the web shell initiates a network connection to an external IP address on an uncommon destination port (i.e., not 80, 443, etc.).\u003c/li\u003e\n\u003cli\u003eThis outbound connection falls outside the server\u0026rsquo;s normal traffic profile, which is dominated by inbound HTTP/HTTPS, and may be used for command and control or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker may use this connection to download additional tools or to exfiltrate sensitive data from the compromised server.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to establish persistence by modifying web server configuration files or creating cron jobs.\u003c/li\u003e\n\u003cli\u003eThe ultimate objective is to maintain unauthorized access to the server and, from there, pivot to other systems on the network or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised web servers can lead to significant data breaches, service disruptions, and reputational damage. If an attacker successfully deploys a web shell and initiates unauthorized outbound connections, they can exfiltrate sensitive data, install malware, or use the compromised server as a staging point for further attacks. 
The impact can range from a minor inconvenience to a major security incident, depending on the sensitivity of the data stored on the server and the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Uncommon Destination Port Connection by Linux Web Server\u0026rdquo; to your SIEM and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eEnable the Elastic Defend integration to collect the necessary network event data.\u003c/li\u003e\n\u003cli\u003eReview and allowlist legitimate administrative tasks or maintenance scripts that connect to non-standard ports; these are the expected sources of false positives. Allowlist by process and destination rather than by port alone, so the exception does not also cover attacker traffic.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by this rule promptly by reviewing the process name, parent process, user, destination IP address, and destination port.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and egress filtering to limit the web server\u0026rsquo;s access to critical systems, data, and the Internet.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-01T15:44:41Z","date_published":"2026-06-01T15:44:41Z","id":"https://feed.craftedsignal.io/briefs/2026-06-uncommon-web-server-port/","summary":"This rule identifies unusual destination port network activity originating from a web server process on Linux systems, which may indicate web shell activity or unauthorized communication from a web server process to external systems. It detects egress connections from web server processes to non-standard ports while excluding common local IP ranges.","title":"Uncommon Destination Port Connection by Linux Web Server","url":"https://feed.craftedsignal.io/briefs/2026-06-uncommon-web-server-port/"}],"language":"en","title":"CraftedSignal Threat Feed — Web_shell","version":"https://jsonfeed.org/version/1.1"}
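The detection logic this brief describes, as an added Python example that is not CraftedSignal's, Elastic's, or the shipped rule's code: it applies the three conditions (a web server process, a destination port outside an expected set, and a destination outside common local ranges) to constructed ECS-style network events and returns the triage fields the recommendation lists. The process list, the port set, the parent-process match, and the sample events are assumptions made here, not the rule's own definitions.

```python
"""Toy evaluator for 'uncommon destination port from a Linux web server process'."""
import ipaddress
import json

# Assumed process names; the shipped rule's list may differ. Tune to your web tier.
WEB_SERVER_PROCESSES = frozenset({
    "apache2", "httpd", "nginx", "lighttpd", "caddy",
    "php-fpm", "php", "perl", "python3", "ruby", "node",
})

# Assumed set of expected egress ports for a web tier (an assumption, not the rule's list).
COMMON_PORTS = frozenset({80, 443, 8080, 8443, 53, 25, 587, 3306, 5432, 6379, 11211})

# Common local / non-routable ranges excluded from alerting.
LOCAL_RANGES = tuple(ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
))


def is_local(ip_text):
    """True when the destination falls in a loopback, private, or link-local range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable destination: do not suppress the alert
    return any(ip in net for net in LOCAL_RANGES)


def matches_rule(event):
    """Apply the rule's conditions to one flattened ECS-style event dict."""
    if event.get("event.category") != "network" or event.get("network.direction") != "egress":
        return False
    proc = event.get("process.name", "")
    parent = event.get("process.parent.name", "")
    # Assumption: also match a shell or interpreter spawned by a web server process,
    # so a `sh` launched through a PHP web shell is attributed to the web tier.
    if proc not in WEB_SERVER_PROCESSES and parent not in WEB_SERVER_PROCESSES:
        return False
    port = event.get("destination.port")
    if not isinstance(port, int) or port in COMMON_PORTS:
        return False
    return not is_local(event.get("destination.ip", ""))


def evaluate(lines):
    """Run the rule over newline-delimited JSON events; return triage fields for each hit."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if matches_rule(event):
            alerts.append({
                "process": event.get("process.name"),
                "parent": event.get("process.parent.name"),
                "user": event.get("user.name"),
                "dst": f'{event.get("destination.ip")}:{event.get("destination.port")}',
            })
    return alerts


# Constructed sample events (not real telemetry), using flattened ECS field names.
SAMPLE_EVENTS = [
    '{"event.category":"network","network.direction":"egress","process.name":"nginx","user.name":"www-data","destination.ip":"203.0.113.10","destination.port":443}',
    '{"event.category":"network","network.direction":"egress","process.name":"php-fpm","user.name":"www-data","destination.ip":"198.51.100.7","destination.port":4444}',
    '{"event.category":"network","network.direction":"egress","process.name":"php-fpm","user.name":"www-data","destination.ip":"10.0.0.5","destination.port":9000}',
    '{"event.category":"network","network.direction":"egress","process.name":"sh","process.parent.name":"apache2","user.name":"www-data","destination.ip":"198.51.100.7","destination.port":1337}',
    '{"event.category":"network","network.direction":"egress","process.name":"sshd","user.name":"root","destination.ip":"203.0.113.20","destination.port":2222}',
    '{"event.category":"network","network.direction":"egress","process.name":"nginx","user.name":"www-data","destination.ip":"2001:db8::1","destination.port":9999}',
    '{"event.category":"network","network.direction":"ingress","process.name":"nginx","user.name":"www-data","destination.ip":"10.0.0.1","destination.port":80}',
    '{"event.category":"file","process.name":"apache2","user.name":"www-data","file.path":"/var/www/html/x.php"}',
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Of the eight constructed events, only three fire: the php-fpm connection to port 4444, the shell spawned under apache2 connecting to port 1337, and the nginx connection to a global IPv6 address on port 9999. The HTTPS connection is on an expected port, the port 9000 connection stays inside a private range, the sshd event comes from a process outside the web tier, and the ingress and file events are not egress network activity. When tuning, note that the port set is a blind spot by design: a web shell that calls home on 443 is invisible to this rule and needs a different signal, such as the parent-process relationship the example also checks.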