Webshell Detection Suspicious Children

Rule Info

Name: Webshell Detection Suspicious Children
Author: Florian Roth, Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects suspicious child processes spawned by web server processes based on image names and command line contents. Typically, webshells do not generate unusual Windows processes. If such processes are detected, it may indicate that a vulnerability in the software hosted on the web server has been exploited for remote code execution (RCE).
Date: 2022-03-22 00:00:00
Modified: 2025-02-24 00:00:00
Id: 9a8e8057-32a7-432d-bf80-197dacf1a77f
Tags: attack.persistence, attack.t1505.003, attack.t1018, attack.t1033, attack.t1087
Type: Nextron Sigma feed only (private)

Rule History