Webshell Detection Suspicious Children

Rule Info

Name
Webshell Detection Suspicious Children
Author
Florian Roth, Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects suspicious child processes spawned by web server processes based on image names and command line contents. Typically, webshells do not generate unusual Windows processes. If such processes are detected, it may indicate that a vulnerability in the software hosted on the web server has been exploited for remote code execution (RCE).
Reference
https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
Date
2022-03-22 00:00:00
Modified
2025-02-24 00:00:00
Id
9a8e8057-32a7-432d-bf80-197dacf1a77f
Tags
attack.persistence attack.t1505.003 attack.t1018 attack.t1033 attack.t1087
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022