Unusual Child Process Execution from Linux Web Servers

hello@craftedsignal.io — Mon, 01 Jun 2026 16:46:51 +0000

Attackers may exploit vulnerabilities in web servers to gain initial access and establish persistence on compromised Linux systems. This involves leveraging web server processes to execute commands or scripts, often resulting in unusual child process executions. These child processes can be used to download malicious tools, execute system commands, or install backdoors under the web service context. Detecting these deviations from normal web server behavior is critical for identifying compromised systems. This detection focuses on Linux systems and a wide array of web server software.

Attack Chain

The attacker exploits a vulnerability in a public-facing web application (e.g., command injection, remote file inclusion).
The web server (e.g., Apache, Nginx) executes a malicious command or script as a child process.
The child process spawns a shell (e.g., bash, sh) or interpreter (e.g., python, perl) such as /bin/bash.
The shell downloads additional malicious tools or payloads from a remote server using utilities like curl or wget.
The downloaded payload is executed, establishing persistence on the system, such as adding a cron job.
The attacker leverages the established persistence to maintain access and perform further malicious activities.
The attacker attempts privilege escalation to gain root access.
The attacker establishes command and control (C2) communication to remotely control the compromised server.

Impact

Successful exploitation and persistence can lead to a wide range of impacts, including data theft, system compromise, and further lateral movement within the network. A compromised web server can be used to host malicious content, launch attacks against other systems, or exfiltrate sensitive data. The targeted sectors are broad, encompassing any organization that relies on web-based applications and services.

Recommendation

Deploy the Sigma rule Detect Unusual Child Processes of Web Servers to your SIEM to identify anomalous process executions originating from web server processes.
Investigate any alerts generated by the Detect Web Shell Activity via Process Monitoring Sigma rule to identify potential web shell deployments.
Implement regular vulnerability scanning and patching procedures to address potential web application vulnerabilities.
Review and harden web server configurations to minimize the attack surface and prevent unauthorized command execution.
Monitor network connections from web servers for suspicious outbound traffic to identify potential C2 communications.
Enable process monitoring and audit logging to capture detailed information about process executions and network connections, enabling comprehensive analysis of suspicious activities.

Suspicious Command Execution via Web Server on Linux

hello@craftedsignal.io — Mon, 01 Jun 2026 16:46:26 +0000

This detection identifies suspicious command executions originating from web server processes on Linux systems. Attackers may exploit vulnerabilities in web applications to execute commands, potentially leading to the deployment of backdoors for persistent access. The rule focuses on detecting shell commands executed by web server processes (e.g., nginx, Apache) that exhibit characteristics commonly associated with exploitation attempts, such as discovery commands, credential access, payload decoding, or reverse shell setup. This activity is anomalous because web servers typically do not need to spawn shell commands, thus warranting further investigation.

Attack Chain

An attacker identifies a vulnerability in a web application running on a Linux server.
The attacker crafts a malicious HTTP request to exploit the vulnerability, injecting a command into a vulnerable parameter or input field.
The web server process (e.g., nginx, Apache) executes the injected command via a shell interpreter (e.g., bash, sh).
The executed command performs reconnaissance activities, such as reading system files (/etc/passwd, /etc/shadow) or enumerating network configurations (/etc/hosts, /etc/resolv.conf).
The attacker leverages encoding techniques (e.g., base64) to obfuscate malicious payloads or commands within the exploited application.
The attacker establishes a reverse shell connection to an external attacker-controlled server using tools like netcat or socat.
The attacker modifies system files, such as cron jobs or SSH authorized keys, to establish persistence on the compromised system.
The attacker deploys a web shell or backdoor file in the web server’s document root, enabling future code execution.

Impact

A successful attack could lead to unauthorized access to sensitive data, system compromise, and persistent control of the web server. This may result in data breaches, service disruption, and further lateral movement within the compromised network. The severity depends on the exploited vulnerability and the attacker’s objectives.

Recommendation

Deploy the Sigma rule “Detect Suspicious Command Execution via Web Server” to your SIEM and tune for your environment.
Enable Elastic Defend integration to monitor process executions.
Review and harden web application configurations to prevent command injection vulnerabilities.
Implement strong input validation and output encoding mechanisms in web applications.
Regularly scan web applications for vulnerabilities and apply necessary patches.

Quarkus — CraftedSignal Threat Feed

Unusual Child Process Execution from Linux Web Servers

Attack Chain

Impact

Recommendation

Suspicious Command Execution via Web Server on Linux

Attack Chain

Impact

Recommendation