Detection of PHP Web Shells with SIGMA

Peter Matkovski
May 2, 2019


We will alert on shell commands executed on behalf of the web server by monitoring Audit Daemon (auditd) logs. In the prequel article, we followed multiple log sources with the goal of detecting web shell actions on the server. See the article below:

There we found that the Audit Daemon log is the most reliable source for detecting web shell activity. Now we will proceed to the creation of a SIGMA rule. The SIGMA rule repository already contains a similar auditd rule called “lnx_auditd_susp_exe_folders”, which triggers on SYSCALL events whose EXE path points into a non-standard folder. That rule does not match web shell activity, because here the EXE path is exe="/bin/dash", which cannot be considered non-standard.

Audit log related to WebShell activity:

type=SYSCALL msg=audit(1556784901.674:142): arch=c000003e syscall=59 success=yes exit=0 a0=7f70bd6b3e9a a1=7ffeecd0c550 a2=7ffeecd0f348 a3=1 items=2 ppid=1225 pid=1930 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="sh" exe="/bin/dash" key="auditcmd"

The parameters of interest, which we include in the rule, are type, success, uid, tty, comm and exe. SIGMA rule:

title: Detects Executions on Behalf of Web Server
status: experimental
description: Detects shell commands execution by Web Server
references:
    - 'Internal Research - mostly derived from observing web shell artefacts'
date: 2019/05/02
author: Peter Matkovski
logsource:
    product: linux
    service: auditd
detection:
    cmd:
        - type: 'SYSCALL'
          success: 'yes'
          uid: '33'
          tty: '(none)'
          comm: 'sh'
          exe: '/bin/dash'
    condition: cmd
falsepositives:
    - Crazy Web Applications
level: medium
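As an added example that is not part of the original post, the following Python applies the field conditions of the rule above to raw auditd SYSCALL lines. The first sample line is the event from the post; the two others are constructed look-alikes that must not fire.

```python
import re

# Field conditions copied from the 'cmd' selection of the SIGMA rule.
# uid 33 is www-data on Debian/Ubuntu; adjust to your web server's uid.
CMD_SELECTION = {
    "type": "SYSCALL",
    "success": "yes",
    "uid": "33",
    "tty": "(none)",
    "comm": "sh",
    "exe": "/bin/dash",
}

# auditd writes space-separated key=value pairs; values may be quoted.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_line(line: str) -> dict:
    """Split one auditd line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def matches_cmd(fields: dict, selection: dict = CMD_SELECTION) -> bool:
    """SIGMA map semantics: every key in the selection must match (AND)."""
    return all(fields.get(k) == v for k, v in selection.items())

def find_webshell_execs(lines) -> list:
    """Return (pid, ppid) for every event that satisfies the rule."""
    hits = []
    for line in lines:
        f = parse_audit_line(line)
        if matches_cmd(f):
            hits.append((f["pid"], f["ppid"]))
    return hits

# Constructed sample log: line 1 is the event from the post; line 2 is an
# interactive root shell (has a tty); line 3 is a cron-spawned shell as uid 0.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1556784901.674:142): arch=c000003e syscall=59 success=yes exit=0 a0=7f70bd6b3e9a a1=7ffeecd0c550 a2=7ffeecd0f348 a3=1 items=2 ppid=1225 pid=1930 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="sh" exe="/bin/dash" key="auditcmd"',
    'type=SYSCALL msg=audit(1556784950.101:143): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1100 pid=1940 auid=1000 uid=0 gid=0 tty=pts0 ses=3 comm="sh" exe="/bin/dash" key="auditcmd"',
    'type=SYSCALL msg=audit(1556784960.555:144): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=900 pid=1951 auid=4294967295 uid=0 gid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/dash" key="auditcmd"',
]

if __name__ == "__main__":
    print(find_webshell_execs(SAMPLE_LOG))  # [('1930', '1225')]
```

The pid/ppid pair of a hit is what you pivot on next: ppid identifies the web server worker that spawned the shell, and the matching EXECVE record for the same audit event id carries the actual command line.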

Testing the rule after conversion to a Splunk search by https://uncoder.io:

The events successfully captured by the rule

The rule code and description were uploaded to a public GitHub repo.

END
