Unfamiliar process created by web application

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1190-exploit-public-facing-application

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect shell utilities, HTTP utilities, or shells spawned by a web server.

Strategy

Web shell attacks often involve attackers loading and running malicious files onto a victim machine, creating a backdoor on the compromised system. Attackers use web shells for a variety of purposes, and they can signal the beginning of an intrusion or wider attack. This detection triggers when shell utilities, HTTP utilities, or shells are spawned by a common web server process.

This rule uses the New Value detection method. Datadog learns the historical behavior of a specified field in Agent logs and then creates a signal when unfamiliar values appear.

Requires Agent version 7.27 or later

PREVIEWING: rtrieu/product-analytics-ui-changes