Web application RCE compromise detected

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1059-command-and-scripting-interpreter

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect web application compromise and remote code execution (RCE) by correlating web shell execution, advanced shell techniques, network activity, and credential access within the same execution context.

Strategy

This correlation rule identifies web application RCE operations by detecting combinations of the following activity groups:

  • Web Shell Execution: Shells spawned from web-facing applications (for example, potential web shell parent, database shell, Java/Jupyter/PHP shell execution, webdriver/cups/systemd spawned shell)
  • Shell Techniques: Python/Perl CLI code execution, netcat/socat/openssl backdoor shells, or similar post-exploitation shell methods
  • Network Activity: Network utilities in container, file download tools, unusual requests, or shell-initiated network connections
  • Credential Access: Credential finders, cloud IMDS (AWS, Azure, GCP), AWS CLI usage, kubeconfig reads, or EKS service account token access

The rule triggers different severity levels based on the combination of detected activities:

CaseSeverityCondition
Full Web Application CompromiseCriticalWeb Shell Execution, (Shell Techniques or Network Activity), and Credential Access
Web Shell with Credential Theft (interactive)HighWeb Shell Execution and Credential Access (interactive session)
Web Shell with Network Activity (interactive)HighWeb Shell Execution and Network Activity (interactive session)
Web Shell with Credential TheftMediumWeb Shell Execution and Credential Access
Web Shell with Network ActivityMediumWeb Shell Execution and Network Activity
Shell Execution DetectedMediumWeb Shell Execution and Shell Techniques

Triage & Response

  1. Isolate the web application: Immediately disconnect the affected web application host from the network.

  2. Terminate shell sessions: Stop shell process(es) spawned by the web application process(es).

  3. Analyze web shell commands: Review executed commands from process arguments and TTY.

  4. Check credential access: Investigate any accessed credential files, cloud metadata services, or Kubernetes configurations.

  5. Review network communications: Analyze connections for command and control activity.

  6. Examine web application logs: Identify the exploitation vector (for example, SQL injection, file upload) used to gain initial access.

  7. Hunt for additional web shells: Search for other web shells, backdoors, or modified web application files.

  8. Reset compromised credentials: Reset any credentials that may have been accessed.

  9. Patch and harden: Fix the web application vulnerability and implement additional security controls.