Gerrit — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/vendors/gerrit/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 01 Jun 2026 16:46:26 +0000Suspicious Command Execution via Web Server on Linuxhttps://feed.craftedsignal.io/briefs/2026-06-persistence-webserver-command-execution/Mon, 01 Jun 2026 16:46:26 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-06-persistence-webserver-command-execution/Identifies suspicious command executions via a web server on Linux systems, which may suggest a vulnerability and remote shell access.This detection identifies suspicious command executions originating from web server processes on Linux systems. Attackers may exploit vulnerabilities in web applications to execute commands, potentially leading to the deployment of backdoors for persistent access. The rule focuses on detecting shell commands executed by web server processes (e.g., nginx, Apache) that exhibit characteristics commonly associated with exploitation attempts, such as discovery commands, credential access, payload decoding, or reverse shell setup. This activity is anomalous because web servers typically do not need to spawn shell commands, thus warranting further investigation.

Attack Chain

  1. An attacker identifies a vulnerability in a web application running on a Linux server.
  2. The attacker crafts a malicious HTTP request to exploit the vulnerability, injecting a command into a vulnerable parameter or input field.
  3. The web server process (e.g., nginx, Apache) executes the injected command via a shell interpreter (e.g., bash, sh).
  4. The executed command performs reconnaissance activities, such as reading system files (/etc/passwd, /etc/shadow) or enumerating network configurations (/etc/hosts, /etc/resolv.conf).
  5. The attacker leverages encoding techniques (e.g., base64) to obfuscate malicious payloads or commands within the exploited application.
  6. The attacker establishes a reverse shell connection to an external attacker-controlled server using tools like netcat or socat.
  7. The attacker modifies system files, such as cron jobs or SSH authorized keys, to establish persistence on the compromised system.
  8. The attacker deploys a web shell or backdoor file in the web server’s document root, enabling future code execution.

Impact

A successful attack could lead to unauthorized access to sensitive data, system compromise, and persistent control of the web server. This may result in data breaches, service disruption, and further lateral movement within the compromised network. The severity depends on the exploited vulnerability and the attacker’s objectives.

Recommendation

  • Deploy the Sigma rule “Detect Suspicious Command Execution via Web Server” to your SIEM and tune for your environment.
  • Enable Elastic Defend integration to monitor process executions.
  • Review and harden web application configurations to prevent command injection vulnerabilities.
  • Implement strong input validation and output encoding mechanisms in web applications.
  • Regularly scan web applications for vulnerabilities and apply necessary patches.
]]>mediumthreatpersistenceinitial-accessvulnerabilitylinux