lnx_auditd_susp_exe_webserver.yml

title: Detects Executions on Behalf of Web Server
status: experimental
description: Purpose of this rule is to detect post exploitation techniques by monitoring of shell commands on behalf of Web Server like Apache and Nginx. Web Server is usually running as user UID=33 without assigned tty.
references:
    - 'Internal Research - mostly derived from observing web shell artefacts. https://github.com/petermat/sigma-rules-contribution/blob/master/lnx_auditd_susp_exe_webserver.md'
tags:
    - attack.s0003
    - attack.t1100
    - attack.persistence
    - attack.privilege_escalation
date: 2019/05/02
author: Peter Matkovski
logsource:
    product: linux
    service: auditd
detection:
    cmd:
        - type: 'SYSCALL'
          success: 'yes'
          uid: '33'
          tty: '(none)'
          comm: 'sh'
          exe: '/bin/dash'
    condition: cmd
falsepositives:
    - Crazy Web Applications 
level: medium