<  Back to rules search

Webapp process spawned unusual shell/utility


Detect common shell utilities, HTTP utilities, or shells spawned by a language engine (like python or php) or web servers (like nginx).


Web shell attacks often involve attackers loading and running malicious files onto a victim machine, creating a backdoor on the compromised system. Attackers use web shells for a variety of purposes, and they can signal the beginning of an intrusion or wider attack. This detection triggers when common shell utilities, HTTP utilities, or shells are spawned by one of a set of common web servers or language engines (for example, as a part of your web application) in a manner that has not be recently observed in the environment previously. The detection has a learning period where it will identify any common child processes of a web server or languange engine, and then identify when an unusual child process is observed. If this is unexpected behavior, it could indicate an attacker attempting to use an existing web shell or install one.

Triage and response

  1. Determine whether or not there is an approved purpose for your web application to execute shells and utilities.
  2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization’s internal processes for investigating and remediating compromised systems.
  3. Find and repair the root cause of the exploit.

Requires Agent version 7.27 or greater