Unfamiliar process created by web application

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1190-exploit-public-facing-application

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect shell utilities, HTTP utilities, or shells spawned by a web server.

Strategy

Web shell attacks often involve attackers loading and running malicious files onto a victim machine, creating a backdoor on the compromised system. Attackers use web shells for a variety of purposes, and they can signal the beginning of an intrusion or wider attack. This detection triggers when shell utilities, HTTP utilities, or shells are spawned by a common web server process.

This rule uses the New Value detection method. Datadog learns the historical behavior of a specified field in Agent logs and then creates a signal when unfamiliar values appear.

Requires Agent version 7.27 or later

PREVIEWING: Cyril-Bouchiat/add-vm-package-explorer-doc