Query Details

Linuxwebshell

Query

# Rule: Linux Webshell Indicators

## Description
Detects potential webshell activity by monitoring process events where suspicious processes associated with web servers and common system administration tools are executed.

- Source: [Sigma rule for Linux webshell detection](https://github.com/SigmaHQ/sigma/blob/0bb6f0c0d75ae3e1c37f9ab77d68f20cdb32ecd3/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml)

## Detection Logic
- Filters events to include process executions where:
  - Initiating process filenames include common web server executables (`httpd`, `lighttpd`, `nginx`, `apache2`, `node`, `caddy`).
  - Executed file names include common system administration tools (`whoami`, `ifconfig`, `ip`, `uname`, `cat`, `crontab`, `hostname`, `iptables`, `netstat`, `pwd`, `route`).
- Excludes events where:
  - The initiating process filename is `calico-node`.
  - The process command line includes `cat /proc/cpuinfo`.

## Tags
- Webshell Detection
- Process Events
- Linux

## Search Query
```kql
DeviceProcessEvents
| where InitiatingProcessFileName has_any ("httpd", "lighttpd", "nginx", "apache2", "node", "caddy")
| where FileName has_any ("whoami", "ifconfig", "ip", "uname", "cat", "crontab", "hostname", "iptables", "netstat", "pwd", "route")
| where InitiatingProcessFileName !contains "calico-node"
| where ProcessCommandLine !contains "cat /proc/cpuinfo"
```

Explanation

This query is designed to detect potential webshell activity on Linux systems by monitoring specific process events. Here's a simplified summary:

1. Purpose: The query aims to identify suspicious activities that might indicate the presence of a webshell, a malicious script used to control a web server.
2. How It Works:
   - Monitors Process Events: It looks at events where processes are executed.
   - Filters for Web Server Processes: It focuses on processes initiated by common web server software like httpd, nginx, apache2, etc.
   - Checks for System Administration Tools: It then checks whether those web server processes execute common system administration commands like whoami, ifconfig, uname, etc.
3. Exclusions:
   - Specific Process Exclusion: It excludes events where the initiating process is calico-node.
   - Command Line Exclusion: It also excludes events where the command line includes cat /proc/cpuinfo.
4. Tags: The query is tagged for webshell detection, process events, and Linux, indicating its focus areas.

Search Query Breakdown:

```kql
DeviceProcessEvents
| where InitiatingProcessFileName has_any ("httpd", "lighttpd", "nginx", "apache2", "node", "caddy")
| where FileName has_any ("whoami", "ifconfig", "ip", "uname", "cat", "crontab", "hostname", "iptables", "netstat", "pwd", "route")
| where InitiatingProcessFileName !contains "calico-node"
| where ProcessCommandLine !contains "cat /proc/cpuinfo"
```

- First Line: Filters events to include only those initiated by common web server processes.
- Second Line: Further filters to include only those events where the executed file is a common system administration tool.
- Third Line: Excludes events where the initiating process is calico-node.
- Fourth Line: Excludes events where the command line includes cat /proc/cpuinfo.

In essence, this query helps in identifying unusual activities that could suggest a webshell is being used to control the web server by executing system commands.
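To show how the four `where` clauses combine, here is an added Python re-implementation of the rule run over constructed sample rows; it is not part of the original query page. `has_any` is approximated as a case-insensitive whole-term match and `contains` as a case-insensitive substring match, which is why `calico-node` first matches the web-server filter (its `node` term) and then needs the explicit exclusion.

```python
import re
from typing import Iterable

WEB_SERVERS = ("httpd", "lighttpd", "nginx", "apache2", "node", "caddy")
ADMIN_TOOLS = ("whoami", "ifconfig", "ip", "uname", "cat", "crontab",
               "hostname", "iptables", "netstat", "pwd", "route")


def has_any(value: str, terms: Iterable[str]) -> bool:
    """Approximation of KQL `has_any`: case-insensitive whole-term match.
    Terms are alphanumeric runs, so "calico-node" yields {"calico", "node"}."""
    tokens = {t.lower() for t in re.findall(r"[A-Za-z0-9]+", value)}
    return any(term.lower() in tokens for term in terms)


def contains(value: str, needle: str) -> bool:
    """Approximation of KQL `contains`: case-insensitive substring match."""
    return needle.lower() in value.lower()


def is_webshell_indicator(event: dict) -> bool:
    """Apply the rule's four `where` clauses to one DeviceProcessEvents row."""
    return (has_any(event["InitiatingProcessFileName"], WEB_SERVERS)
            and has_any(event["FileName"], ADMIN_TOOLS)
            and not contains(event["InitiatingProcessFileName"], "calico-node")
            and not contains(event["ProcessCommandLine"], "cat /proc/cpuinfo"))


def run_rule(events: Iterable[dict]) -> list:
    """Return the rows the rule would surface as alerts."""
    return [e for e in events if is_webshell_indicator(e)]


# Constructed sample rows (not real telemetry), one per branch of the rule.
SAMPLE_EVENTS = [
    {"InitiatingProcessFileName": "nginx", "FileName": "whoami", "ProcessCommandLine": "whoami"},
    {"InitiatingProcessFileName": "apache2", "FileName": "cat", "ProcessCommandLine": "cat /etc/passwd"},
    # Hits both positive filters but is dropped by the cpuinfo exclusion.
    {"InitiatingProcessFileName": "node", "FileName": "cat", "ProcessCommandLine": "cat /proc/cpuinfo"},
    # "calico-node" matches the "node" term; the !contains clause removes it.
    {"InitiatingProcessFileName": "calico-node", "FileName": "ip", "ProcessCommandLine": "ip route show"},
    # Not a web server parent, so never considered.
    {"InitiatingProcessFileName": "bash", "FileName": "uname", "ProcessCommandLine": "uname -a"},
    # Web server parent, but the child is not an enumeration tool.
    {"InitiatingProcessFileName": "httpd", "FileName": "php", "ProcessCommandLine": "php index.php"},
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit["InitiatingProcessFileName"], "->", hit["ProcessCommandLine"])
```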

Details

Ali Hussein

Released: July 8, 2024

Tables

DeviceProcessEvents

Keywords

Devices, Linux, Process Events

Operators

has_any, contains, !contains