Unfamiliar process created by web application

Goal

Detect shell utilities, HTTP utilities, or shells spawned by a web server.

Strategy

Web shell attacks often involve an attacker loading malicious files onto a victim machine and running them, which creates a backdoor on the compromised system. Attackers use web shells for a variety of purposes, and a web shell can signal the beginning of an intrusion or a wider attack. This detection triggers when a common web server process spawns a shell, a shell utility, or an HTTP utility.

This rule uses the New Value detection method. Datadog learns the historical behavior of a specified field in Agent logs and then creates a signal when unfamiliar values appear.
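The new-value idea described above can be sketched as follows. This is an added example, not Datadog's rule or implementation; the event fields, the two binary lists, the 24-hour learning window and the sample events are all assumptions made for illustration.

```python
from collections import defaultdict

# Assumed watch lists: the rule names these categories, not specific binaries.
WEB_SERVERS = {"nginx", "apache2", "httpd", "php-fpm", "tomcat"}
WATCHED = {"sh", "bash", "dash", "curl", "wget", "nc", "id", "whoami"}

def detect_new_children(events, learning_seconds=86400):
    """Return events where a web server spawns a watched child that is new
    for that (host, parent) pair. Events must be sorted by 'ts' (epoch s).
    Children seen during the learning window are baselined silently."""
    first_seen = {}               # (host, parent) -> ts of first event
    baseline = defaultdict(set)   # (host, parent) -> children already seen
    signals = []
    for ev in events:
        if ev["parent"] not in WEB_SERVERS:
            continue
        key = (ev["host"], ev["parent"])
        start = first_seen.setdefault(key, ev["ts"])
        child = ev["child"]
        if child not in WATCHED or child in baseline[key]:
            continue
        baseline[key].add(child)  # a value is only unfamiliar once
        if ev["ts"] - start >= learning_seconds:
            signals.append(ev)
    return signals

def _ev(ts, parent, child, host="web-01"):
    return {"ts": ts, "host": host, "parent": parent, "child": child}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    _ev(0, "nginx", "nginx"),        # worker fork, not a watched child
    _ev(100, "php-fpm", "sh"),       # app shells out during learning
    _ev(90000, "php-fpm", "sh"),     # familiar value, no signal
    _ev(90100, "php-fpm", "curl"),   # unfamiliar HTTP utility -> signal
    _ev(90200, "php-fpm", "curl"),   # now known, no second signal
    _ev(90300, "nginx", "bash"),     # unfamiliar shell -> signal
    _ev(90400, "sshd", "bash"),      # parent is not a web server
]

if __name__ == "__main__":
    for s in detect_new_children(SAMPLE_EVENTS):
        print(f"signal: {s['host']} {s['parent']} -> {s['child']} at t={s['ts']}")
```

In this sketch, anything a web server spawns during the learning window becomes part of the baseline, so a host that is already compromised when learning starts will not produce a signal for those values.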

Requires Agent version 7.27 or later