T1056.003

Web Portal Capture

Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. A compromised login page may log provided user credentials before logging the user in to the service. This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts, or as part of the initial compromise by exploitation of the externally facing web service. Notable examples include IceApple's OWA credential logger, WARPWIRE targeting Ivanti VPN portals, and Winter Vivern mimicking government email logon sites.

Microsoft Sentinel / Defender

kusto

let WebPortalPaths = dynamic([
  "\\inetpub\\", "\\wwwroot\\", "\\webroot\\",
  "\\pulse\\", "\\juniper\\", "\\vpn\\",
  "\\owa\\", "\\ecp\\", "\\exchange\\",
  "\\fortiweb\\", "\\sslvpn\\", "\\remote\\",
  "/var/www/", "/opt/web/", "/usr/share/"
]);
let SuspiciousWebFileExtensions = dynamic([".php", ".aspx", ".asp", ".jsp", ".js", ".html", ".htm", ".config"]);
let CredentialKeywords = dynamic(["password", "passwd", "credential", "username", "login", "auth", "token", "session", "cookie"]);
// Detection 1: File modification in web portal directories by web server processes
let WebFileModifications = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where InitiatingProcessFileName in~ ("w3wp.exe", "httpd", "nginx", "apache2", "tomcat", "java", "node", "python", "ruby", "php-cgi", "php")
    or FolderPath has_any (WebPortalPaths)
| where FileName has_any (SuspiciousWebFileExtensions)
| extend IsWebServerProcess = InitiatingProcessFileName in~ ("w3wp.exe", "httpd", "nginx", "apache2")
| extend IsWebPath = FolderPath has_any (WebPortalPaths)
| project Timestamp, DeviceName, ActionType, FolderPath, FileName,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessAccountName, IsWebServerProcess, IsWebPath;
// Detection 2: Suspicious script execution by web server processes with credential-related content
let WebProcessExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("w3wp.exe", "httpd", "nginx", "apache2", "iisexpress.exe")
    or (FileName in~ ("cmd.exe", "powershell.exe", "sh", "bash", "python", "python3", "perl") 
        and InitiatingProcessFileName in~ ("w3wp.exe", "httpd", "nginx", "apache2"))
| extend IsChildShell = FileName in~ ("cmd.exe", "powershell.exe", "sh", "bash")
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         AccountName, IsChildShell;
// Detection 3: Registry modifications by web processes (persistence of credential capture code)
let WebRegistryChanges = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("w3wp.exe", "httpd", "nginx", "apache2", "iisexpress.exe")
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData,
         InitiatingProcessFileName, InitiatingProcessAccountName;
WebFileModifications
| union WebProcessExecution
| union WebRegistryChanges
| extend DetectionSource = case(
    isnotempty(ActionType) and ActionType in ("FileCreated", "FileModified"), "WebFileModification",
    isnotempty(FileName) and FileName in~ ("cmd.exe", "powershell.exe", "sh", "bash"), "WebShellExecution",
    isnotempty(RegistryKey), "WebRegistryChange",
    "Unknown")
| sort by Timestamp desc

high severity medium confidence

Data Sources

File: File Creation File: File Modification Process: Process Creation Windows Registry: Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceProcessEvents DeviceRegistryEvents

False Positives

Legitimate web application deployments or updates that modify web portal files via w3wp.exe or deployment scripts
Web application frameworks (ASP.NET, PHP) dynamically generating or caching compiled files in wwwroot directories
Security scanning tools or web application firewalls writing log or config files to web directories
IIS application pool recycles or maintenance scripts spawning cmd.exe or powershell.exe for configuration tasks

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
(
  (EventCode=11 (TargetFilename="*\\inetpub\\*" OR TargetFilename="*\\wwwroot\\*" OR TargetFilename="*\\owa\\*" OR TargetFilename="*\\ecp\\*" OR TargetFilename="*\\vpn\\*" OR TargetFilename="*\\sslvpn\\*")
   (TargetFilename="*.aspx" OR TargetFilename="*.asp" OR TargetFilename="*.php" OR TargetFilename="*.js" OR TargetFilename="*.config" OR TargetFilename="*.jsp")
   (Image="*\\w3wp.exe" OR Image="*\\iisexpress.exe" OR Image="*\\httpd.exe" OR Image="*\\nginx.exe"))
  OR
  (EventCode=1 (ParentImage="*\\w3wp.exe" OR ParentImage="*\\iisexpress.exe" OR ParentImage="*\\httpd.exe")
   (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\sh.exe" OR Image="*\\bash.exe" OR Image="*\\net.exe" OR Image="*\\whoami.exe"))
  OR
  (EventCode=1 (Image="*\\w3wp.exe" OR Image="*\\iisexpress.exe")
   (CommandLine="*password*" OR CommandLine="*credential*" OR CommandLine="*username*" OR CommandLine="*passwd*"))
)
| eval EventType=case(
    EventCode=11, "WebFileCreation",
    EventCode=1 AND match(ParentImage, "(w3wp|iisexpress|httpd|nginx)"), "WebShellSpawn",
    EventCode=1 AND match(Image, "(w3wp|iisexpress)"), "WebProcessExec",
    true(), "Unknown")
| eval WebPortalIndicator=if(match(TargetFilename, "(inetpub|wwwroot|owa|ecp|vpn|sslvpn|exchange)"), 1, 0)
| eval CredentialKeyword=if(match(lower(CommandLine), "(password|passwd|credential|username|login|auth|token|session)"), 1, 0)
| eval SpawnedShell=if(match(Image, "(cmd\.exe|powershell\.exe|sh\.exe|bash\.exe)") AND match(ParentImage, "(w3wp|iisexpress|httpd|nginx)"), 1, 0)
| eval SuspicionScore=WebPortalIndicator + CredentialKeyword + SpawnedShell
| table _time, host, EventCode, EventType, Image, CommandLine, ParentImage, ParentCommandLine, TargetFilename, User, SuspicionScore
| sort - _time

high severity medium confidence

Data Sources

File: File Creation Process: Process Creation Sysmon Event ID 1 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Legitimate web application deployments via deployment pipelines that use w3wp.exe to create or modify web files
IIS application pool management scripts that legitimately spawn cmd.exe or powershell.exe for configuration
Web application frameworks generating compiled or cached files (e.g., ASP.NET temporary files) in web directories
Automated certificate renewal scripts modifying web.config or application configuration files

Elastic Security (EQL)

eql

any where
  (
    event.category == "file" and
    event.action in ("creation", "modification") and
    process.name in~ ("w3wp.exe", "httpd", "nginx", "apache2", "iisexpress.exe", "tomcat", "java", "node", "python", "ruby", "php-cgi", "php") and
    (
      file.path like~ "*\\inetpub\\*" or file.path like~ "*\\wwwroot\\*" or
      file.path like~ "*\\owa\\*" or file.path like~ "*\\ecp\\*" or
      file.path like~ "*\\vpn\\*" or file.path like~ "*\\sslvpn\\*" or
      file.path like~ "*\\exchange\\*" or file.path like~ "/var/www/*" or
      file.path like~ "/opt/web/*" or file.path like~ "/usr/share/*"
    ) and
    file.extension in ("php", "aspx", "asp", "jsp", "js", "html", "htm", "config")
  )
  or
  (
    event.category == "process" and
    event.action == "start" and
    process.parent.name in~ ("w3wp.exe", "httpd", "nginx", "apache2", "iisexpress.exe") and
    process.name in~ ("cmd.exe", "powershell.exe", "sh", "bash", "python", "python3", "perl", "net.exe", "whoami.exe", "certutil.exe", "bitsadmin.exe")
  )
  or
  (
    event.category == "process" and
    event.action == "start" and
    process.name in~ ("w3wp.exe", "iisexpress.exe") and
    (
      process.command_line like~ "*password*" or process.command_line like~ "*credential*" or
      process.command_line like~ "*username*" or process.command_line like~ "*passwd*" or
      process.command_line like~ "*cookie*" or process.command_line like~ "*session*"
    )
  )

high severity medium confidence

Data Sources

Elastic Endpoint Security agent Elastic Agent with Endpoint integration (logs-endpoint.events.*) Winlogbeat with Sysmon module Auditbeat (Linux file integrity and process monitoring)

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.process-* winlogbeat-* auditbeat-*

False Positives

Legitimate web application deployments via CI/CD pipelines (Azure DevOps, Jenkins, GitHub Actions) where the deployment agent runs in IIS app pool context and writes updated ASPX or PHP files to wwwroot during a scheduled release
CMS platforms such as WordPress, Joomla, or Drupal performing plugin/theme auto-updates where the web server process writes new PHP files to web-accessible plugin directories under the httpd or nginx process context
ASP.NET view precompilation and IIS application warmup procedures that cause w3wp.exe to spawn temporary compiler processes (csc.exe, vbc.exe) or write compiled view assemblies to temp paths under the web root
Monitoring and APM agents (Dynatrace OneAgent, New Relic, AppDynamics) injected into IIS app pools that create instrumentation files or execute diagnostic subprocesses within the web server process context
Let's Encrypt ACME challenge responders or load balancer health check scripts that create temporary verification files in webroot directories under the web server process

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSourceName,
  sourceip AS SourceIP,
  username AS UserName,
  QIDNAME(qid) AS EventName,
  "Image" AS ProcessImage,
  "CommandLine" AS CommandLine,
  "ParentImage" AS ParentImage,
  "TargetFilename" AS TargetFilename,
  CATEGORYNAME(category) AS Category,
  CASE
    WHEN QIDNAME(qid) LIKE '%File Create%' THEN 'WebFileCreation'
    WHEN ("Image" LIKE '%cmd.exe' OR "Image" LIKE '%powershell.exe' OR "Image" LIKE '%bash.exe' OR "Image" LIKE '%sh.exe')
         AND ("ParentImage" LIKE '%w3wp.exe' OR "ParentImage" LIKE '%iisexpress.exe' OR "ParentImage" LIKE '%httpd%' OR "ParentImage" LIKE '%nginx%')
    THEN 'WebShellSpawn'
    WHEN "Image" LIKE '%w3wp.exe' OR "Image" LIKE '%iisexpress.exe' THEN 'WebProcessCredentialExec'
    ELSE 'Unknown'
  END AS EventType,
  (CASE WHEN "TargetFilename" LIKE '%inetpub%' OR "TargetFilename" LIKE '%wwwroot%'
              OR "TargetFilename" LIKE '%\owa\%' OR "TargetFilename" LIKE '%\ecp\%'
              OR "TargetFilename" LIKE '%\vpn\%' OR "TargetFilename" LIKE '%/var/www/%'
        THEN 1 ELSE 0 END
   + CASE WHEN LOWER("CommandLine") LIKE '%password%' OR LOWER("CommandLine") LIKE '%credential%'
               OR LOWER("CommandLine") LIKE '%passwd%' OR LOWER("CommandLine") LIKE '%username%'
               OR LOWER("CommandLine") LIKE '%token%' OR LOWER("CommandLine") LIKE '%cookie%'
          THEN 1 ELSE 0 END
   + CASE WHEN ("Image" LIKE '%cmd.exe' OR "Image" LIKE '%powershell.exe' OR "Image" LIKE '%bash.exe' OR "Image" LIKE '%sh.exe')
               AND ("ParentImage" LIKE '%w3wp.exe' OR "ParentImage" LIKE '%iisexpress.exe'
                    OR "ParentImage" LIKE '%httpd%' OR "ParentImage" LIKE '%nginx%')
          THEN 1 ELSE 0 END) AS SuspicionScore
FROM events
WHERE
  devicetime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    (
      ("TargetFilename" LIKE '%\inetpub\%' OR "TargetFilename" LIKE '%\wwwroot\%'
        OR "TargetFilename" LIKE '%\owa\%' OR "TargetFilename" LIKE '%\ecp\%'
        OR "TargetFilename" LIKE '%\vpn\%' OR "TargetFilename" LIKE '%\sslvpn\%'
        OR "TargetFilename" LIKE '%/var/www/%' OR "TargetFilename" LIKE '%/opt/web/%')
      AND ("TargetFilename" LIKE '%.aspx' OR "TargetFilename" LIKE '%.asp'
        OR "TargetFilename" LIKE '%.php' OR "TargetFilename" LIKE '%.jsp'
        OR "TargetFilename" LIKE '%.js' OR "TargetFilename" LIKE '%.config')
      AND ("Image" LIKE '%\w3wp.exe' OR "Image" LIKE '%\iisexpress.exe'
        OR "Image" LIKE '%\httpd.exe' OR "Image" LIKE '%\nginx.exe'
        OR "Image" LIKE '%/httpd' OR "Image" LIKE '%/nginx' OR "Image" LIKE '%/apache2')
    )
    OR (
      ("ParentImage" LIKE '%\w3wp.exe' OR "ParentImage" LIKE '%\iisexpress.exe'
        OR "ParentImage" LIKE '%\httpd.exe' OR "ParentImage" LIKE '%/httpd'
        OR "ParentImage" LIKE '%/nginx' OR "ParentImage" LIKE '%/apache2')
      AND ("Image" LIKE '%\cmd.exe' OR "Image" LIKE '%\powershell.exe'
        OR "Image" LIKE '%\bash.exe' OR "Image" LIKE '%\sh.exe'
        OR "Image" LIKE '%\net.exe' OR "Image" LIKE '%\whoami.exe'
        OR "Image" LIKE '%/bash' OR "Image" LIKE '%/sh' OR "Image" LIKE '%/python%')
    )
    OR (
      ("Image" LIKE '%\w3wp.exe' OR "Image" LIKE '%\iisexpress.exe')
      AND (
        LOWER("CommandLine") LIKE '%password%' OR LOWER("CommandLine") LIKE '%credential%'
        OR LOWER("CommandLine") LIKE '%username%' OR LOWER("CommandLine") LIKE '%passwd%'
        OR LOWER("CommandLine") LIKE '%token%' OR LOWER("CommandLine") LIKE '%cookie%'
        OR LOWER("CommandLine") LIKE '%session%'
      )
    )
  )
ORDER BY EventTime DESC, SuspicionScore DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM Microsoft Windows Security Event Log DSM (Event IDs 4688, 4663) Sysmon DSM via Windows Event Log (Event IDs 1, 11, 13) Linux OS DSM (auditd process and file events)

Required Tables

events

False Positives

Automated application deployment tools (Octopus Deploy, Azure Pipelines release agents) that run under IIS application pool identity and write updated ASPX files directly to the wwwroot during a production deployment window
Web application frameworks performing dynamic compilation or template rendering (ASP.NET Razor view compilation, JSP precompilation by Tomcat) that cause the web server process to write compiled artifacts to temporary directories under the web root
Third-party web application monitoring agents (Dynatrace, AppDynamics, New Relic) that inject into the IIS worker process and create temporary instrumentation files or spawn short-lived diagnostic child processes with credential-adjacent field names in their arguments

Sumo Logic CSE

sql

(_sourceCategory=*windows/sysmon* OR _sourceCategory=*linux/auditd* OR _sourceCategory=*linux/syslog*)
| where EventID = 11 OR EventID = 1
| parse regex "(?s)Image=(?<ProcessImage>[^\r\n]+)" nodrop
| parse regex "(?s)ParentImage=(?<ParentImage>[^\r\n]+)" nodrop
| parse regex "(?s)CommandLine=(?<CommandLine>[^\r\n]+)" nodrop
| parse regex "(?s)TargetFilename=(?<TargetFilename>[^\r\n]+)" nodrop
| parse regex "(?s)User=(?<UserAccount>[^\r\n]+)" nodrop
| where (
    (EventID = 11
      AND (TargetFilename matches "*inetpub*" OR TargetFilename matches "*wwwroot*"
        OR TargetFilename matches "*\\owa\\*" OR TargetFilename matches "*\\ecp\\*"
        OR TargetFilename matches "*\\vpn\\*" OR TargetFilename matches "*\\sslvpn\\*"
        OR TargetFilename matches "*/var/www/*" OR TargetFilename matches "*/opt/web/*")
      AND (TargetFilename matches "*.aspx" OR TargetFilename matches "*.php"
        OR TargetFilename matches "*.asp" OR TargetFilename matches "*.jsp"
        OR TargetFilename matches "*.js" OR TargetFilename matches "*.config")
      AND (ProcessImage matches "*w3wp.exe*" OR ProcessImage matches "*iisexpress.exe*"
        OR ProcessImage matches "*httpd*" OR ProcessImage matches "*nginx*"
        OR ProcessImage matches "*apache2*" OR ProcessImage matches "*tomcat*"))
    OR (EventID = 1
      AND (ParentImage matches "*w3wp.exe*" OR ParentImage matches "*iisexpress.exe*"
        OR ParentImage matches "*httpd*" OR ParentImage matches "*nginx*"
        OR ParentImage matches "*apache2*")
      AND (ProcessImage matches "*cmd.exe*" OR ProcessImage matches "*powershell.exe*"
        OR ProcessImage matches "*/bash" OR ProcessImage matches "*/bin/sh"
        OR ProcessImage matches "*/sh" OR ProcessImage matches "*python*"
        OR ProcessImage matches "*perl*" OR ProcessImage matches "*whoami*"
        OR ProcessImage matches "*net.exe*" OR ProcessImage matches "*certutil*"))
    OR (EventID = 1
      AND (ProcessImage matches "*w3wp.exe*" OR ProcessImage matches "*iisexpress.exe*")
      AND (toLowerCase(CommandLine) matches "*password*" OR toLowerCase(CommandLine) matches "*credential*"
        OR toLowerCase(CommandLine) matches "*passwd*" OR toLowerCase(CommandLine) matches "*username*"
        OR toLowerCase(CommandLine) matches "*token*" OR toLowerCase(CommandLine) matches "*cookie*"
        OR toLowerCase(CommandLine) matches "*session*"))
  )
| eval EventType = if(EventID = 11, "WebFileCreation",
    if((ProcessImage matches "*cmd.exe*" OR ProcessImage matches "*powershell.exe*"
        OR ProcessImage matches "*/bash" OR ProcessImage matches "*/bin/sh"
        OR ProcessImage matches "*/sh*")
       AND (ParentImage matches "*w3wp*" OR ParentImage matches "*iisexpress*"
            OR ParentImage matches "*httpd*" OR ParentImage matches "*nginx*"
            OR ParentImage matches "*apache2*"), "WebShellSpawn",
    "WebProcessCredentialExec"))
| eval WebPortalHit = if(TargetFilename matches "*(inetpub|wwwroot|\\owa\\|\\ecp\\|\\vpn\\|\\sslvpn\\)*"
    OR TargetFilename matches "*/var/www/*" OR TargetFilename matches "*/opt/web/*", 1, 0)
| eval CredentialHit = if(toLowerCase(CommandLine) matches
    "*(password|passwd|credential|username|login|auth|token|session|cookie)*", 1, 0)
| eval ShellSpawn = if(
    (ProcessImage matches "*(cmd.exe|powershell.exe|/bash|/bin/sh|/sh)*")
    AND (ParentImage matches "*(w3wp|iisexpress|httpd|nginx|apache2)*"), 1, 0)
| eval SuspicionScore = WebPortalHit + CredentialHit + ShellSpawn
| fields _time, _sourceHost, EventID, EventType, ProcessImage, CommandLine, ParentImage, TargetFilename, UserAccount, SuspicionScore
| sort by SuspicionScore desc, _time desc

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM (CSE) Sumo Logic collector with Windows Sysmon source (Event IDs 1, 11) Sumo Logic collector with Linux syslog or auditd source for Apache/Nginx/PHP process activity

Required Tables

_sourceCategory=*windows/sysmon* _sourceCategory=*linux/auditd* _sourceCategory=*linux/syslog*

False Positives

Automated deployment pipelines running as the IIS application pool identity that push web application code updates by writing ASPX, PHP, or JS files directly to wwwroot or web portal directories during scheduled maintenance windows
Content management system automatic update mechanisms (WordPress auto-update, Joomla update manager) that download and write new PHP plugin files to web-accessible directories under the web server process context
Load balancer and reverse proxy health check probes or ACME protocol challenge responders that create temporary token files in the webroot directory under the web server's running user, triggering file creation events with .html or .txt extensions

Google Chronicle / SecOps

yaral

rule T1056_003_web_portal_capture_file_drop {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1056.003 Web Portal Capture: web server process creating executable script files in externally-facing portal directories, indicating credential capture implant installation (e.g. IceApple OWA logger, WARPWIRE on Ivanti VPN)"
    reference = "https://attack.mitre.org/techniques/T1056/003/"
    severity = "HIGH"
    confidence = "MEDIUM"
    mitre_tactic = "Collection"
    mitre_technique = "T1056.003"
    mitre_subtechnique = "Web Portal Capture"
    platform = "Windows, Linux"

  events:
    $e.metadata.event_type = "FILE_CREATION"
    $e.principal.process.file.full_path = /w3wp\.exe|iisexpress\.exe|httpd|nginx|apache2|tomcat|node|python|ruby|php-cgi/ nocase
    $e.target.file.full_path = /\\inetpub\\|\\wwwroot\\|\\webroot\\|\\owa\\|\\ecp\\|\\vpn\\|\\sslvpn\\|\\exchange\\|\/var\/www\/|\/opt\/web\/|\/usr\/share\/nginx/ nocase
    $e.target.file.full_path = /\.(aspx|asp|php|jsp|js|html|htm|config)$/ nocase

  condition:
    $e
}

rule T1056_003_web_portal_capture_shell_spawn {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1056.003 Web Portal Capture: web server process spawning a shell or script interpreter, indicating web shell execution or an active credential capture script running in web process context"
    reference = "https://attack.mitre.org/techniques/T1056/003/"
    severity = "CRITICAL"
    confidence = "HIGH"
    mitre_tactic = "Collection"
    mitre_technique = "T1056.003"
    mitre_subtechnique = "Web Portal Capture"
    platform = "Windows, Linux"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /w3wp\.exe|iisexpress\.exe|httpd|nginx|apache2/ nocase
    $e.target.process.file.full_path = /cmd\.exe|powershell\.exe|\/bin\/bash|\/bin\/sh|python3?|perl|whoami\.exe|net\.exe|certutil\.exe|bitsadmin\.exe|wscript\.exe|cscript\.exe/ nocase

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle SIEM (UDM) Chronicle ingestion via Windows Event Forwarding (Sysmon Event IDs 1 and 11 mapped to UDM) Chronicle ingestion via CrowdStrike Falcon, SentinelOne, or Carbon Black EDR telemetry mapped to UDM FILE_CREATION and PROCESS_LAUNCH event types

Required Tables

UDM event stream (event_type: FILE_CREATION) UDM event stream (event_type: PROCESS_LAUNCH)

False Positives

Legitimate web deployment automation (Ansible playbooks, Chef recipes, Puppet manifests) that apply application updates by writing portal script files through a temporary web server process context during change management windows
IIS application initialization module warm-up sequences that cause w3wp.exe to precompile ASPX views and spawn the ASP.NET compiler (csc.exe) as a child process, which may match the shell-spawn rule if compiler paths overlap with monitored interpreter patterns
Web application firewall inline agents or reverse proxy health monitors writing challenge response tokens or temporary diagnostic files to web-accessible directories as part of certificate renewal or availability checking workflows

CrowdStrike LogScale (CQL)

cql

#event_simpleName = /^(FileCreate|ProcessRollup2)$/
| case {
    #event_simpleName = "FileCreate"
      | test(TargetFileName = /\\inetpub\\|\\wwwroot\\|\\webroot\\|\\owa\\|\\ecp\\|\\vpn\\|\\sslvpn\\|\\exchange\\|\/var\/www\/|\/opt\/web\//i)
      | test(TargetFileName = /\.(aspx|asp|php|jsp|js|html|htm|config)$/i)
      | test(ImageFileName = /w3wp\.exe|iisexpress\.exe|httpd\.exe|nginx\.exe|apache2|php-cgi\.exe|tomcat/i)
      | DetectionType := "WebFileCreation";
    #event_simpleName = "ProcessRollup2"
      | test(ParentBaseFileName = /w3wp\.exe|iisexpress\.exe|httpd\.exe|nginx\.exe|apache2/i)
      | test(FileName = /cmd\.exe|powershell\.exe|bash|sh\.exe|python\.exe|python3|perl\.exe|whoami\.exe|net\.exe|certutil\.exe|bitsadmin\.exe|wscript\.exe|cscript\.exe/i)
      | DetectionType := "WebShellSpawn";
    #event_simpleName = "ProcessRollup2"
      | test(FileName = /w3wp\.exe|iisexpress\.exe/i)
      | test(CommandLine = /password|passwd|credential|username|login|auth|token|cookie|session/i)
      | DetectionType := "CredentialKeywordInWebProcess";
    * | drop()
  }
| groupBy(
    [ComputerName, DetectionType, FileName, ParentBaseFileName, TargetFileName, CommandLine, UserName],
    function=[
      count(as=EventCount),
      min(_time, as=FirstSeen),
      max(_time, as=LastSeen)
    ]
  )
| eval DurationMinutes = (LastSeen - FirstSeen) / 60000
| sort(EventCount, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon EDR sensor (Falcon Complete or Falcon Insight) CrowdStrike LogScale / Next-Gen SIEM Falcon sensor telemetry events: FileCreate (file system activity), ProcessRollup2 (process execution with command line)

Required Tables

FileCreate ProcessRollup2

False Positives

Application deployment pipelines running under the IIS application pool identity (APPPOOL\AppName) that push updated ASPX or web.config files to the production wwwroot during a blue-green deployment or automated release, triggering FileCreate events from w3wp.exe with portal directory paths
ASP.NET dynamic view compilation where IIS worker processes write pre-compiled Razor view assemblies or temporary ASPX compilation artifacts to directories under the web root, and may spawn csc.exe (C# compiler) which could overlap with interpreter patterns in the WebShellSpawn branch if not excluded by path
Web server management control planes (Plesk, cPanel, DirectAdmin) that operate in the web server process context and legitimately create, modify, or execute scripts in managed web application directories as part of customer-facing hosting operations

Last updated: 2026-04-16 Research depth: deep

References (8)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1056.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Web Portal Capture

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Collection

Popular Detections