T1051

Shared Webroot

Adversaries may add malicious content to an internally accessible website through an open network file share that contains the website's webroot or web content directory. By writing a malicious script (PHP, ASPX, JSP, etc.) to the shared webroot and then browsing to it, the adversary causes the web server process to execute the content — typically resulting in a webshell. This technique enables lateral movement to the system running the web server, as the code runs under the web server process context (IIS, Apache, nginx) which may have local system or administrative privileges. The attack chain: (1) discover open share pointing to webroot, (2) write malicious web script via SMB, (3) trigger execution via HTTP request. This technique has been deprecated by MITRE but the underlying behavior remains operationally relevant as a webshell deployment vector.

Microsoft Sentinel / Defender

kusto

let WebRootPaths = dynamic([
  "\\inetpub\\wwwroot\\",
  "\\inetpub\\wwwroot",
  "\\xampp\\htdocs\\",
  "\\wamp\\www\\",
  "\\wamp64\\www\\",
  "\\Apache24\\htdocs\\",
  "\\nginx\\html\\",
  "\\tomcat\\webapps\\",
  "\\jetty\\webapps\\",
  "\\www\\html\\",
  "\\web\\wwwroot\\"
]);
let WebScriptExtensions = dynamic([
  ".php", ".php5", ".php7", ".phtml",
  ".asp", ".aspx", ".ashx", ".asmx",
  ".jsp", ".jspx",
  ".cfm", ".cfml",
  ".pl", ".cgi",
  ".shtml"
]);
let WebServerProcesses = dynamic([
  "w3wp.exe", "httpd.exe", "nginx.exe",
  "php.exe", "php-cgi.exe", "php-win.exe",
  "tomcat.exe", "tomcat9.exe", "java.exe",
  "iisexpress.exe", "UMWorkerProcess.exe"
]);
// Branch 1: Script files written to known web root directories
let WebRootFileDrops = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FolderPath has_any (WebRootPaths)
| where FileName has_any (WebScriptExtensions)
| where not (InitiatingProcessFileName in~ ("w3wp.exe", "httpd.exe", "nginx.exe",
              "MicrosoftEdgeUpdate.exe", "msiexec.exe", "TrustedInstaller.exe"))
| extend DetectionBranch = "WebRootFileDrop"
| project Timestamp, DeviceName, AccountName, ActionType,
          FolderPath, FileName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, InitiatingProcessAccountName,
          DetectionBranch;
// Branch 2: Web server process spawning suspicious child processes (webshell execution)
let WebShellExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (WebServerProcesses)
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "net.exe", "net1.exe",
                       "whoami.exe", "ipconfig.exe", "systeminfo.exe",
                       "nltest.exe", "certutil.exe", "bitsadmin.exe",
                       "rundll32.exe", "regsvr32.exe", "msiexec.exe")
| extend DetectionBranch = "WebShellChildProcess"
| project Timestamp, DeviceName, AccountName, FileName,
          ProcessCommandLine, InitiatingProcessFileName,
          InitiatingProcessCommandLine, InitiatingProcessAccountName,
          DetectionBranch;
// Union both branches
WebRootFileDrops
| union WebShellExecution
| sort by Timestamp desc

high severity medium confidence

Data Sources

File: File Creation Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

Web developers deploying code directly to a local development server's webroot via IDE or build tool processes
Deployment pipelines (Jenkins, Octopus Deploy, Azure DevOps agents) writing application files to IIS or Apache webroots
CMS platforms (WordPress, Drupal, Joomla) that write PHP files as part of plugin installation — w3wp.exe or php.exe creating child PHP files is expected
Web application frameworks that compile views or generate dynamic ASPX handlers at runtime
IIS application pool worker processes launching legitimate monitoring scripts (health check endpoints that exec system commands)
Apache/nginx spawning CGI scripts as part of expected application behavior (e.g., Nagios NRPE, Cacti)

Splunk

spl

index=wineventlog (
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11)
  OR
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  OR
  (sourcetype="WinEventLog:Security" EventCode=5140)
)
| eval DetectionBranch=case(
    EventCode=11 AND match(TargetFilename, "(?i)(inetpub.wwwroot|xampp.htdocs|wamp.www|Apache24.htdocs|nginx.html|tomcat.webapps|web.wwwroot)") AND match(TargetFilename, "(?i)\.(php5?|phtml|aspx?|ashx|asmx|jspx?|cfml?|pl|cgi|shtml)$"),
    "WebRootFileDrop",
    EventCode=1 AND match(ParentImage, "(?i)(w3wp|httpd|nginx|php(-cgi|-win)?|tomcat[0-9]?|java|iisexpress)\.exe$") AND match(Image, "(?i)(cmd|powershell|pwsh|wscript|cscript|mshta|net1?|whoami|ipconfig|systeminfo|nltest|certutil|bitsadmin|rundll32|regsvr32)(\.exe)?$"),
    "WebShellChildProcess",
    EventCode=5140 AND match(ShareName, "(?i)(wwwroot|htdocs|webroot|www)$"),
    "WebRootShareAccess",
    true(), null()
  )
| where isnotnull(DetectionBranch)
| eval FileDropped=if(DetectionBranch="WebRootFileDrop", TargetFilename, null())
| eval ChildProcess=if(DetectionBranch="WebShellChildProcess", Image, null())
| eval ShareAccessed=if(DetectionBranch="WebRootShareAccess", ShareName, null())
| eval Actor=coalesce(User, SubjectUserName)
| table _time, host, Actor, DetectionBranch, FileDropped, ChildProcess, ShareAccessed,
        Image, CommandLine, ParentImage, ParentCommandLine, TargetFilename
| sort - _time

high severity medium confidence

Data Sources

File: File Creation Process: Process Creation Network Share: Network Share Access Sysmon Event ID 1 Sysmon Event ID 11 Windows Security Event ID 5140

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Web developers pushing code via mapped network drive directly to development webroot directories
CI/CD deployment agents writing application files to IIS webroots — common with TeamCity, Jenkins, GitHub Actions self-hosted runners
CMS plugin installers: WordPress, Drupal, Joomla write PHP files to webroot as part of normal install/update flows
Legitimate administrative scripts that query system info via web server context (e.g., monitoring endpoints that call ipconfig or systeminfo)
Penetration testing or red team exercises targeting the web server in authorized engagements
IIS Web Deploy (MSDeploy) writing files to wwwroot as part of standard deployment packages

Elastic Security (EQL)

eql

any where
  (
    event.category == "file" and
    event.type in ("creation", "change") and
    file.path : (
      "*\\inetpub\\wwwroot\\*", "*\\xampp\\htdocs\\*", "*\\wamp\\www\\*",
      "*\\wamp64\\www\\*", "*\\Apache24\\htdocs\\*", "*\\nginx\\html\\*",
      "*\\tomcat\\webapps\\*", "*\\jetty\\webapps\\*", "*\\www\\html\\*",
      "*\\web\\wwwroot\\*", "*/var/www/html/*", "*/srv/www/*",
      "*/usr/share/nginx/html/*", "*/opt/tomcat/webapps/*"
    ) and
    file.name : (
      "*.php", "*.php5", "*.php7", "*.phtml", "*.asp", "*.aspx",
      "*.ashx", "*.asmx", "*.jsp", "*.jspx", "*.cfm", "*.cfml",
      "*.pl", "*.cgi", "*.shtml"
    ) and
    not process.name : (
      "w3wp.exe", "httpd.exe", "httpd2.exe", "nginx.exe", "msiexec.exe",
      "TrustedInstaller.exe", "MicrosoftEdgeUpdate.exe"
    )
  )
  or
  (
    event.category == "process" and
    event.type == "start" and
    process.parent.name : (
      "w3wp.exe", "httpd.exe", "httpd2.exe", "nginx.exe", "php.exe",
      "php-cgi.exe", "php-win.exe", "tomcat.exe", "tomcat9.exe",
      "java.exe", "iisexpress.exe", "UMWorkerProcess.exe"
    ) and
    process.name : (
      "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
      "mshta.exe", "net.exe", "net1.exe", "whoami.exe", "ipconfig.exe",
      "systeminfo.exe", "nltest.exe", "certutil.exe", "bitsadmin.exe",
      "rundll32.exe", "regsvr32.exe", "msiexec.exe"
    )
  )

high severity medium confidence

Data Sources

Elastic Endpoint Security Winlogbeat + Sysmon Filebeat Auditd Module (Linux)

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.process-* winlogbeat-*

False Positives

CI/CD deployment pipelines (Jenkins, GitHub Actions self-hosted runners) pushing PHP or ASPX application code to a shared webroot via service account — high volume, predictable paths and naming conventions; baseline deployer process names and account SIDs
WordPress, Drupal, or Joomla auto-update and plugin-install routines: the PHP interpreter or web server process writes updated .php files directly to the webroot as part of CMS self-update workflows
IIS Web Deploy (MSDeploy) and Azure DevOps release pipelines that use msdeploy.exe or Web Management Service (wmsvc.exe) to publish ASPX applications, causing file creation events in wwwroot that appear unsigned or from unexpected parent processes
Tomcat hot-deploy dropping new WAR-extracted JSP files into webapps/ directories as part of scheduled application refreshes, with java.exe as the initiating process
Legitimate developers with mapped SMB drives to dev/staging webroot shares editing PHP files directly in their IDE — the editor process writes the file from a non-web-server context

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  CATEGORYNAME(category) AS Category,
  username AS Actor,
  eventid,
  "TargetFilename" AS TargetFile,
  "Image" AS ChildProcess,
  "ParentImage" AS ParentProcess,
  "CommandLine" AS CommandLine,
  "ShareName" AS ShareName,
  CASE
    WHEN eventid = 11 THEN 'WebRootFileDrop'
    WHEN eventid = 1  THEN 'WebShellChildProcess'
    WHEN eventid = 5140 THEN 'WebRootShareAccess'
    ELSE 'Unknown'
  END AS DetectionBranch
FROM events
WHERE
  devicetime > NOW() - 86400000
  AND (
    logsourcename(logsourceid) ILIKE '%sysmon%'
    OR logsourcename(logsourceid) ILIKE '%windows security%'
    OR LOGSOURCETYPEID(logsourceid) IN (73, 260)
  )
  AND (
    -- Branch 1: Sysmon EID 11 - File creation in webroot with script extension
    (
      eventid = 11
      AND (
        "TargetFilename" ILIKE '%\\inetpub\\wwwroot\\%'
        OR "TargetFilename" ILIKE '%\\xampp\\htdocs\\%'
        OR "TargetFilename" ILIKE '%\\wamp\\www\\%'
        OR "TargetFilename" ILIKE '%\\wamp64\\www\\%'
        OR "TargetFilename" ILIKE '%\\Apache24\\htdocs\\%'
        OR "TargetFilename" ILIKE '%\\nginx\\html\\%'
        OR "TargetFilename" ILIKE '%\\tomcat\\webapps\\%'
        OR "TargetFilename" ILIKE '%\\www\\html\\%'
      )
      AND (
        "TargetFilename" ILIKE '%.php'
        OR "TargetFilename" ILIKE '%.php5'
        OR "TargetFilename" ILIKE '%.phtml'
        OR "TargetFilename" ILIKE '%.asp'
        OR "TargetFilename" ILIKE '%.aspx'
        OR "TargetFilename" ILIKE '%.ashx'
        OR "TargetFilename" ILIKE '%.jsp'
        OR "TargetFilename" ILIKE '%.jspx'
        OR "TargetFilename" ILIKE '%.cfm'
        OR "TargetFilename" ILIKE '%.cgi'
        OR "TargetFilename" ILIKE '%.shtml'
      )
    )
    OR
    -- Branch 2: Sysmon EID 1 - Web server spawning suspicious child process
    (
      eventid = 1
      AND (
        "ParentImage" ILIKE '%\\w3wp.exe'
        OR "ParentImage" ILIKE '%\\httpd.exe'
        OR "ParentImage" ILIKE '%\\nginx.exe'
        OR "ParentImage" ILIKE '%\\php-cgi.exe'
        OR "ParentImage" ILIKE '%\\php-win.exe'
        OR "ParentImage" ILIKE '%\\java.exe'
        OR "ParentImage" ILIKE '%\\iisexpress.exe'
        OR "ParentImage" ILIKE '%tomcat%.exe'
      )
      AND (
        "Image" ILIKE '%\\cmd.exe'
        OR "Image" ILIKE '%\\powershell.exe'
        OR "Image" ILIKE '%\\pwsh.exe'
        OR "Image" ILIKE '%\\wscript.exe'
        OR "Image" ILIKE '%\\cscript.exe'
        OR "Image" ILIKE '%\\mshta.exe'
        OR "Image" ILIKE '%\\net.exe'
        OR "Image" ILIKE '%\\net1.exe'
        OR "Image" ILIKE '%\\whoami.exe'
        OR "Image" ILIKE '%\\ipconfig.exe'
        OR "Image" ILIKE '%\\systeminfo.exe'
        OR "Image" ILIKE '%\\nltest.exe'
        OR "Image" ILIKE '%\\certutil.exe'
        OR "Image" ILIKE '%\\bitsadmin.exe'
        OR "Image" ILIKE '%\\rundll32.exe'
        OR "Image" ILIKE '%\\regsvr32.exe'
      )
    )
    OR
    -- Branch 3: Security EID 5140 - SMB share access to webroot share
    (
      eventid = 5140
      AND (
        "ShareName" ILIKE '%wwwroot%'
        OR "ShareName" ILIKE '%htdocs%'
        OR "ShareName" ILIKE '%webroot%'
        OR "ShareName" ILIKE '%webapps%'
      )
    )
  )
ORDER BY devicetime DESC

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log (QRadar LOGSOURCETYPEID 73) Sysmon via Windows Event Log (QRadar LOGSOURCETYPEID 260)

Required Tables

events

False Positives

Legitimate SMB-based deployment tools writing application files to webroot shares — EventID 5140 will fire on any authenticated access to a share whose name contains 'wwwroot' regardless of write intent; correlate with a subsequent EventID 4663 (file write) to reduce noise
Scheduled maintenance scripts running under service accounts that periodically update CMS plugin files in the webroot — tune by whitelisting known deployer account SIDs and scheduled maintenance windows
Java application servers (Tomcat, JBoss) legitimately spawning child java.exe processes for JSP compilation or scheduled tasks — the Parent/Child java→java pattern is benign; focus detection on java.exe spawning cmd.exe or PowerShell specifically

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*wineventlog*)
| parse regex "(?:EventCode|EventID)\s*=\s*(?P<EventCode>\d+)" nodrop
| parse regex "TargetFilename\s*=\s*(?P<TargetFilename>[^\n\r]+)" nodrop
| parse regex "Image\s*=\s*(?P<Image>[^\n\r]+)" nodrop
| parse regex "ParentImage\s*=\s*(?P<ParentImage>[^\n\r]+)" nodrop
| parse regex "CommandLine\s*=\s*(?P<CommandLine>[^\n\r]+)" nodrop
| parse regex "ShareName\s*=\s*(?P<ShareName>[^\n\r]+)" nodrop
| parse regex "(?:User|SubjectUserName)\s*=\s*(?P<Actor>[^\n\r]+)" nodrop
| where
  (
    EventCode = "11"
    AND (
      TargetFilename matches "*\\inetpub\\wwwroot\\*"
      OR TargetFilename matches "*\\xampp\\htdocs\\*"
      OR TargetFilename matches "*\\wamp\\www\\*"
      OR TargetFilename matches "*\\Apache24\\htdocs\\*"
      OR TargetFilename matches "*\\nginx\\html\\*"
      OR TargetFilename matches "*\\tomcat\\webapps\\*"
      OR TargetFilename matches "*\\www\\html\\*"
    )
    AND (
      TargetFilename matches "*.php"
      OR TargetFilename matches "*.php5"
      OR TargetFilename matches "*.phtml"
      OR TargetFilename matches "*.asp"
      OR TargetFilename matches "*.aspx"
      OR TargetFilename matches "*.ashx"
      OR TargetFilename matches "*.jsp"
      OR TargetFilename matches "*.jspx"
      OR TargetFilename matches "*.cfm"
      OR TargetFilename matches "*.cgi"
      OR TargetFilename matches "*.shtml"
    )
  )
  OR
  (
    EventCode = "1"
    AND (
      ParentImage matches "*w3wp.exe*"
      OR ParentImage matches "*httpd.exe*"
      OR ParentImage matches "*nginx.exe*"
      OR ParentImage matches "*php-cgi.exe*"
      OR ParentImage matches "*java.exe*"
      OR ParentImage matches "*iisexpress.exe*"
      OR ParentImage matches "*tomcat*.exe*"
    )
    AND (
      Image matches "*\\cmd.exe*"
      OR Image matches "*\\powershell.exe*"
      OR Image matches "*\\pwsh.exe*"
      OR Image matches "*\\wscript.exe*"
      OR Image matches "*\\cscript.exe*"
      OR Image matches "*\\mshta.exe*"
      OR Image matches "*\\whoami.exe*"
      OR Image matches "*\\ipconfig.exe*"
      OR Image matches "*\\systeminfo.exe*"
      OR Image matches "*\\nltest.exe*"
      OR Image matches "*\\certutil.exe*"
      OR Image matches "*\\bitsadmin.exe*"
      OR Image matches "*\\net.exe*"
      OR Image matches "*\\net1.exe*"
    )
  )
  OR
  (
    EventCode = "5140"
    AND (
      ShareName matches "*wwwroot*"
      OR ShareName matches "*htdocs*"
      OR ShareName matches "*webroot*"
      OR ShareName matches "*webapps*"
    )
  )
| eval DetectionBranch = if(EventCode = "11", "WebRootFileDrop",
    if(EventCode = "1", "WebShellChildProcess",
    if(EventCode = "5140", "WebRootShareAccess", "Unknown")))
| fields _messageTime, _sourceHost, Actor, DetectionBranch, TargetFilename, Image, ParentImage, CommandLine, ShareName
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sysmon via Sumo Logic Installed Collector (Windows) Windows Security Event Log via Installed Collector

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon*

False Positives

Deployment automation (Octopus Deploy, Ansible WinRM) writing web application files to IIS or Apache webroot directories from service accounts — whitelist known deployer account names and source hosts in the Actor and _sourceHost fields
CMS platforms (WordPress, Drupal) with auto-update enabled cause the PHP-FPM or web server process to write updated plugin .php files, generating EventID 11 hits — consider excluding known CMS update parent processes and expected plugin paths
SharePoint and IIS application pools regularly access SMB shares named 'wwwroot' as part of normal content serving — EventID 5140 triggers on any share read, not just writes; enrich with EventID 4663 write accesses to distinguish reconnaissance from actual file drops

Google Chronicle / SecOps

yaral

rule T1051_shared_webroot_webshell_execution {
  meta:
    author = "df00tech"
    description = "Detects web server processes spawning suspicious child processes indicative of webshell execution following shared webroot compromise (T1051). Web servers (IIS w3wp, Apache httpd, nginx, Tomcat java) should not directly spawn cmd.exe, PowerShell, or reconnaissance utilities under normal operation."
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1051"
    mitre_attack_technique_name = "Shared Webroot"
    severity = "HIGH"
    confidence = "MEDIUM"
    priority = "HIGH"
    rule_version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)(w3wp|httpd|httpd2|nginx|php-cgi|php-win|tomcat[0-9]?|java|iisexpress|UMWorkerProcess)\.exe$/
    $e.target.process.file.full_path = /(?i)(cmd|powershell|pwsh|wscript|cscript|mshta|net1?|whoami|ipconfig|systeminfo|nltest|certutil|bitsadmin|rundll32|regsvr32|msiexec)\.exe$/

  condition:
    $e
}

rule T1051_shared_webroot_file_drop {
  meta:
    author = "df00tech"
    description = "Detects web script files (PHP, ASPX, JSP, CFM, CGI) written to known webroot directories by non-web-server processes, indicating a likely webshell drop via shared network drive (T1051). Monitor for files written by SMB client processes, script interpreters, or admin tools rather than the web server itself."
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1051"
    mitre_attack_technique_name = "Shared Webroot"
    severity = "HIGH"
    confidence = "MEDIUM"
    priority = "HIGH"
    rule_version = "1.0"

  events:
    $e.metadata.event_type = "FILE_CREATION"
    $e.target.file.full_path = /(?i)(\\inetpub\\wwwroot\\|\\xampp\\htdocs\\|\\wamp\\www\\|\\wamp64\\www\\|\\Apache24\\htdocs\\|\\nginx\\html\\|\\tomcat\\webapps\\|\\jetty\\webapps\\|\/var\/www\/html\/|\/srv\/www\/|\/usr\/share\/nginx\/)/
    $e.target.file.full_path = /(?i)\.(php5?|phtml|aspx?|ashx|asmx|jspx?|cfml?|pl|cgi|shtml)$/
    NOT $e.principal.process.file.full_path = /(?i)(w3wp|httpd|httpd2|nginx|msiexec|TrustedInstaller|MicrosoftEdgeUpdate)\.exe$/

  condition:
    $e
}

high severity medium confidence

Data Sources

Chronicle UDM (Sysmon via Google Chronicle Forwarder) Chronicle UDM (CrowdStrike Falcon via Chronicle integration) Chronicle UDM (Carbon Black via Chronicle integration) Chronicle UDM (Microsoft Defender for Endpoint via Chronicle integration)

Required Tables

UDM PROCESS_LAUNCH events UDM FILE_CREATION events

False Positives

Java application servers (Tomcat, WildFly) that use java.exe as both the server process and for spawning legitimate JVM child processes for JSP compilation or scheduled tasks — the parent/child java→java pattern may be benign; focus on java spawning cmd.exe, PowerShell, or OS utilities specifically
Automated web application deployment tools (msdeploy.exe, deploy.sh, Capistrano) running under a service account that writes ASPX or PHP files to the webroot — these are not web server processes so they will trigger the file drop rule; whitelist known deployer binary paths in the NOT clause
Security scanning agents (Nessus, Qualys, Rapid7) that perform authenticated web application scanning may create temporary probe files with script extensions in webroot directories — identify scanner service account names and add them to the exclusion list

CrowdStrike LogScale (CQL)

cql

(#event_simpleName = ProcessRollup2 OR #event_simpleName = SyntheticProcessRollup2 OR #event_simpleName = NewExecutableWritten)
| case {
    #event_simpleName in (ProcessRollup2, SyntheticProcessRollup2)
    AND ParentBaseFileName = /(?i)^(w3wp|httpd|httpd2|nginx|php-cgi|php-win|tomcat[0-9]?|java|iisexpress|UMWorkerProcess)\.exe$/
    AND FileName = /(?i)^(cmd|powershell|pwsh|wscript|cscript|mshta|net|net1|whoami|ipconfig|systeminfo|nltest|certutil|bitsadmin|rundll32|regsvr32|msiexec)\.exe$/
    | DetectionBranch := "WebShellChildProcess" ;

    #event_simpleName = NewExecutableWritten
    AND TargetFileName = /(?i)(\\inetpub\\wwwroot\\|\\xampp\\htdocs\\|\\wamp\\www\\|\\wamp64\\www\\|\\Apache24\\htdocs\\|\\nginx\\html\\|\\tomcat\\webapps\\|\\jetty\\webapps\\|\/var\/www\/html\/|\/srv\/www\/)/
    AND TargetFileName = /(?i)\.(php5?|phtml|aspx?|ashx|asmx|jspx?|cfml?|pl|cgi|shtml)$/
    NOT ParentBaseFileName = /(?i)^(w3wp|httpd|nginx|msiexec|TrustedInstaller)\.exe$/
    | DetectionBranch := "WebRootFileDrop" ;
}
| groupBy(
    [ComputerName, DetectionBranch, ParentBaseFileName, FileName, TargetFileName, UserName, CommandLine],
    function=[
      count(as=HitCount),
      min(timestamp, as=FirstSeen),
      max(timestamp, as=LastSeen)
    ]
  )
| sort(LastSeen, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Sensor (ProcessRollup2) CrowdStrike Falcon Sensor (NewExecutableWritten) CrowdStrike Falcon Sensor (SyntheticProcessRollup2)

Required Tables

ProcessRollup2 SyntheticProcessRollup2 NewExecutableWritten

False Positives

Legitimate application deployment processes using the web server service account to write updated application files — NewExecutableWritten events from msdeploy.exe or xcopy.exe targeting wwwroot are common in mature DevOps pipelines; add known deployment binary hashes to a reference lookup table and exclude
Java-based application servers (Tomcat, JBoss, WebSphere) frequently spawn child java.exe processes for background jobs, JSP recompilation, and JMX operations — the ParentBaseFileName=java.exe → FileName=java.exe pattern is typically benign; focus alerting on java.exe spawning OS utilities
Penetration testing and red team activity using authorized webshell frameworks (e.g., Antak, China Chopper simulation tools) during scheduled engagements will generate high-fidelity hits — correlate alert timestamps with active pen test windows from your change management system before escalating

Last updated: 2026-04-17 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1051 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Shared Webroot

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Lateral Movement

Popular Detections