T1505

Server Software Component

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications include features that allow developers to write and install software or scripts to extend the main application's functionality. Adversaries exploit this by installing malicious server software components such as web shells (ASP/ASPX/PHP/JSP files granting remote command execution), SQL stored procedures (particularly xp_cmdshell for OS command execution), IIS native modules or ISAPI filters, Microsoft Exchange transport agents, terminal services DLLs, and vSphere Installation Bundles (VIBs). These components persist across reboots, blend into legitimate server traffic, and provide direct OS-level access under the context of the server process account — making them difficult to detect without proper process lineage monitoring and web root integrity controls.

Microsoft Sentinel / Defender

kusto

let WebServerProcesses = dynamic(["w3wp.exe","httpd.exe","nginx.exe","tomcat9.exe","tomcat.exe","java.exe","php-cgi.exe","perl.exe","python.exe","ruby.exe","node.exe","gunicorn","uvicorn"]);
let SuspiciousChildren = dynamic(["cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","mshta.exe","rundll32.exe","regsvr32.exe","certutil.exe","bitsadmin.exe","net.exe","net1.exe","whoami.exe","hostname.exe","ipconfig.exe","systeminfo.exe","nltest.exe","arp.exe","curl.exe","wget.exe","ping.exe","tracert.exe","nslookup.exe","sc.exe"]);
let WebRootPaths = dynamic(["\\inetpub\\","\\wwwroot\\","\\htdocs\\","\\webapps\\","\\public_html\\","\\web\\content\\","/var/www/","/srv/www/","/usr/share/nginx/"]);
let WebShellExtensions = dynamic([".aspx",".asp",".php",".jsp",".jspx",".cfm",".shtml",".ashx",".asmx",".phtml"]);
// Signal 1: Web server process spawning command interpreters or OS recon tools (primary web shell execution indicator)
let WebShellExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (WebServerProcesses)
| where FileName has_any (SuspiciousChildren)
| extend DetectionType = "WebShell_ChildProcess"
| extend RiskLevel = case(
    FileName in~ ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","mshta.exe"), "Critical",
    FileName in~ ("rundll32.exe","regsvr32.exe","certutil.exe","bitsadmin.exe"), "High",
    "Medium"
  )
| project Timestamp, DeviceName, AccountName, DetectedFileName=FileName, ProcessCommandLine,
         ParentProcess=InitiatingProcessFileName, ParentCommandLine=InitiatingProcessCommandLine,
         FolderPath, DetectionType, RiskLevel;
// Signal 2: Suspicious script files written to web-accessible directories by non-deployment processes
let WebFileCreation = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in~ ("FileCreated","FileModified")
| where FolderPath has_any (WebRootPaths)
| where FileName has_any (WebShellExtensions)
| where InitiatingProcessFileName !in~ ("msiexec.exe","setup.exe","install.exe","devenv.exe","code.exe","explorer.exe","robocopy.exe","xcopy.exe","w3wp.exe")
| extend DetectionType = "SuspiciousWebFile_Written"
| extend RiskLevel = "High"
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
         DetectedFileName=FileName, ProcessCommandLine=InitiatingProcessCommandLine,
         ParentProcess=InitiatingProcessFileName, ParentCommandLine=InitiatingProcessCommandLine,
         FolderPath, DetectionType, RiskLevel;
// Signal 3: Unauthorized IIS native module or ISAPI filter DLL registration via registry
let IISModuleRegistration = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in~ ("RegistryValueSet","RegistryKeyCreated")
| where RegistryKey has "SYSTEM\\CurrentControlSet\\Services\\W3SVC"
    or RegistryKey has "SOFTWARE\\Microsoft\\InetStp"
    or RegistryKey has "SYSTEM\\CurrentControlSet\\Services\\WAS"
| where RegistryValueData has ".dll"
| where InitiatingProcessFileName !in~ ("msiexec.exe","TrustedInstaller.exe","wusa.exe")
| extend DetectionType = "IIS_Module_Registered"
| extend RiskLevel = "High"
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
         DetectedFileName=InitiatingProcessFileName, ProcessCommandLine=InitiatingProcessCommandLine,
         ParentProcess=InitiatingProcessParentFileName, ParentCommandLine=InitiatingProcessCommandLine,
         FolderPath=RegistryKey, DetectionType, RiskLevel;
// Combine all signals
union WebShellExecution, WebFileCreation, IISModuleRegistration
| sort by Timestamp desc

critical severity high confidence

Data Sources

Process: Process Creation File: File Creation Windows Registry: Windows Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents DeviceRegistryEvents

False Positives

Java application servers (Tomcat, JBoss, WebLogic) spawning java.exe child processes for legitimate scheduled tasks, diagnostics, or maintenance operations initiated through management interfaces
CI/CD pipeline agents deployed on web servers that legitimately invoke cmd.exe or PowerShell during automated build and deployment workflows — typically identifiable by consistent command line patterns and timing aligned with deployment schedules
Content management systems (WordPress, Drupal, Joomla) executing PHP scripts that invoke system utilities for image processing, PDF generation, or file archiving via exec() or shell_exec()
Web-based server administration panels (WHM/cPanel, Plesk, Webmin, DirectAdmin) that by design execute OS commands via web server worker processes as part of their core functionality
IIS application pool identity accounts running legitimate PowerShell deployment scripts triggered by authorized web-based deployment tools (Octopus Deploy, Azure DevOps release pipelines)
Developer workstations with IIS Express installed locally where IDEs (Visual Studio, VS Code) write files to web root directories during normal development and compilation workflows

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
(
  (
    EventCode=1
    (
      ParentImage="*\\w3wp.exe" OR ParentImage="*\\httpd.exe" OR ParentImage="*\\nginx.exe"
      OR ParentImage="*\\tomcat*.exe" OR ParentImage="*\\java.exe" OR ParentImage="*\\php-cgi.exe"
      OR ParentImage="*\\perl.exe" OR ParentImage="*\\python.exe" OR ParentImage="*\\ruby.exe"
      OR ParentImage="*\\node.exe"
    )
    (
      Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe"
      OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\mshta.exe"
      OR Image="*\\rundll32.exe" OR Image="*\\regsvr32.exe" OR Image="*\\certutil.exe"
      OR Image="*\\net.exe" OR Image="*\\net1.exe" OR Image="*\\whoami.exe"
      OR Image="*\\systeminfo.exe" OR Image="*\\ipconfig.exe" OR Image="*\\hostname.exe"
      OR Image="*\\nltest.exe" OR Image="*\\curl.exe" OR Image="*\\wget.exe"
    )
  )
  OR
  (
    EventCode=11
    (
      TargetFilename="*\\inetpub\\*" OR TargetFilename="*\\wwwroot\\*"
      OR TargetFilename="*\\htdocs\\*" OR TargetFilename="*\\webapps\\*"
      OR TargetFilename="*\\public_html\\*" OR TargetFilename="*/var/www/*"
    )
    (
      TargetFilename="*.aspx" OR TargetFilename="*.asp" OR TargetFilename="*.php"
      OR TargetFilename="*.jsp" OR TargetFilename="*.jspx" OR TargetFilename="*.cfm"
      OR TargetFilename="*.ashx" OR TargetFilename="*.asmx" OR TargetFilename="*.phtml"
    )
    NOT (
      Image="*\\msiexec.exe" OR Image="*\\setup.exe" OR Image="*\\devenv.exe"
      OR Image="*\\code.exe" OR Image="*\\explorer.exe" OR Image="*\\robocopy.exe"
    )
  )
  OR
  (
    EventCode=13
    (
      TargetObject="*\\CurrentControlSet\\Services\\W3SVC*"
      OR TargetObject="*\\SOFTWARE\\Microsoft\\InetStp*"
      OR TargetObject="*\\CurrentControlSet\\Services\\WAS*"
    )
    Details="*.dll"
    NOT (Image="*\\msiexec.exe" OR Image="*\\TrustedInstaller.exe" OR Image="*\\wusa.exe")
  )
)
| eval DetectionType=case(
    EventCode=1, "WebShell_ChildProcess",
    EventCode=11, "SuspiciousWebFile_Written",
    EventCode=13, "IIS_Module_Registered",
    true(), "Unknown"
  )
| eval SeverityRating=case(
    EventCode=1 AND match(Image, "(?i)(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe"), "Critical",
    EventCode=1, "High",
    EventCode=11, "High",
    EventCode=13, "High",
    true(), "Medium"
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, TargetFilename, TargetObject, Details, DetectionType, SeverityRating
| sort - _time

critical severity high confidence

Data Sources

Process: Process Creation File: File Creation Windows Registry: Windows Registry Key Modification Sysmon Event ID 1 Sysmon Event ID 11 Sysmon Event ID 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Java application servers spawning legitimate child java.exe processes for internal maintenance, garbage collection triggers, or management interface operations
CI/CD deployment agents running on web servers that legitimately invoke cmd.exe or PowerShell during automated deployment pipelines — identifiable by consistent command patterns aligned with deployment windows
CMS platforms (WordPress via PHP, Drupal) invoking system utilities for media processing or plugin operations through exec() or shell_exec() system calls
Web-based server administration panels (cPanel, Plesk, Webmin) that by design execute OS commands through web server worker processes as part of their administration functionality
Development environments where IIS is installed locally and IDEs or deployment scripts write files to wwwroot during development workflows
Legitimate IIS module installations by authorized administrators using msiexec.exe or TrustedInstaller — these are excluded by the NOT clause but verify the DLL path is from an approved vendor

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start" and
   process.parent.name in ("w3wp.exe","httpd.exe","nginx.exe","tomcat9.exe","tomcat.exe","java.exe","php-cgi.exe","perl.exe","python.exe","ruby.exe","node.exe","gunicorn","uvicorn") and
   process.name in ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","mshta.exe","rundll32.exe","regsvr32.exe","certutil.exe","bitsadmin.exe","net.exe","net1.exe","whoami.exe","hostname.exe","ipconfig.exe","systeminfo.exe","nltest.exe","arp.exe","curl.exe","wget.exe","ping.exe","tracert.exe","nslookup.exe","sc.exe")]
  [any where true]

OR

any where (
  (event.category == "file" and event.type in ("creation","change") and
   file.path : ("*\\inetpub\\*","*\\wwwroot\\*","*\\htdocs\\*","*\\webapps\\*","*\\public_html\\*","/var/www/*","/srv/www/*","/usr/share/nginx/*") and
   file.extension in ("aspx","asp","php","jsp","jspx","cfm","shtml","ashx","asmx","phtml") and
   not process.name in ("msiexec.exe","setup.exe","install.exe","devenv.exe","code.exe","explorer.exe","robocopy.exe","xcopy.exe","w3wp.exe"))

  OR

  (event.category == "registry" and event.type in ("creation","change") and
   registry.path : ("*\\SYSTEM\\CurrentControlSet\\Services\\W3SVC*","*\\SOFTWARE\\Microsoft\\InetStp*","*\\SYSTEM\\CurrentControlSet\\Services\\WAS*") and
   registry.data.strings : "*.dll" and
   not process.name in ("msiexec.exe","TrustedInstaller.exe","wusa.exe"))
)

high severity high confidence

Data Sources

Elastic Endpoint Security Windows Sysmon (via Winlogbeat) Auditd (Linux)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* logs-endpoint.events.registry-* winlogbeat-*

False Positives

Legitimate web application deployments via CI/CD pipelines (e.g., Octopus Deploy, Azure DevOps agents) that copy .php or .aspx files to web roots — exclude by deployment agent process names and scheduled deployment windows
Web server processes (w3wp.exe, java.exe) spawning cmd.exe or powershell.exe for health check scripts or monitoring agents legitimately configured by the operations team
IIS module registration during legitimate Windows Updates, .NET Framework upgrades, or third-party web application installer packages (msiexec.exe spawning wusa.exe) — already filtered but edge cases exist with custom installers

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  CATEGORYNAME(category) AS category_name,
  QIDNAME(qid) AS event_name,
  username,
  sourceip,
  hostname,
  "ParentImage",
  "CommandLine",
  "Image",
  "TargetFilename",
  "TargetObject",
  "Details",
  CASE
    WHEN LOWER("Image") LIKE '%cmd.exe' OR LOWER("Image") LIKE '%powershell.exe'
      OR LOWER("Image") LIKE '%pwsh.exe' OR LOWER("Image") LIKE '%wscript.exe'
      OR LOWER("Image") LIKE '%cscript.exe' OR LOWER("Image") LIKE '%mshta.exe' THEN 'Critical'
    WHEN "EventCode" IN ('1') THEN 'High'
    WHEN "EventCode" IN ('11','13') THEN 'High'
    ELSE 'Medium'
  END AS severity_rating,
  CASE
    WHEN "EventCode" = '1' THEN 'WebShell_ChildProcess'
    WHEN "EventCode" = '11' THEN 'SuspiciousWebFile_Written'
    WHEN "EventCode" = '13' THEN 'IIS_Module_Registered'
    ELSE 'Unknown'
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
  AND starttime > NOW() - 86400 SECONDS
  AND (
    -- Signal 1: Web server spawning suspicious child processes
    (
      "EventCode" = '1'
      AND (
        LOWER("ParentImage") LIKE '%w3wp.exe' OR LOWER("ParentImage") LIKE '%httpd.exe'
        OR LOWER("ParentImage") LIKE '%nginx.exe' OR LOWER("ParentImage") LIKE '%tomcat%'
        OR LOWER("ParentImage") LIKE '%java.exe' OR LOWER("ParentImage") LIKE '%php-cgi.exe'
        OR LOWER("ParentImage") LIKE '%perl.exe' OR LOWER("ParentImage") LIKE '%python.exe'
        OR LOWER("ParentImage") LIKE '%ruby.exe' OR LOWER("ParentImage") LIKE '%node.exe'
      )
      AND (
        LOWER("Image") LIKE '%cmd.exe' OR LOWER("Image") LIKE '%powershell.exe'
        OR LOWER("Image") LIKE '%pwsh.exe' OR LOWER("Image") LIKE '%wscript.exe'
        OR LOWER("Image") LIKE '%cscript.exe' OR LOWER("Image") LIKE '%mshta.exe'
        OR LOWER("Image") LIKE '%rundll32.exe' OR LOWER("Image") LIKE '%regsvr32.exe'
        OR LOWER("Image") LIKE '%certutil.exe' OR LOWER("Image") LIKE '%net.exe'
        OR LOWER("Image") LIKE '%net1.exe' OR LOWER("Image") LIKE '%whoami.exe'
        OR LOWER("Image") LIKE '%systeminfo.exe' OR LOWER("Image") LIKE '%nltest.exe'
        OR LOWER("Image") LIKE '%curl.exe' OR LOWER("Image") LIKE '%wget.exe'
      )
    )
    OR
    -- Signal 2: Web shell file written to web root
    (
      "EventCode" = '11'
      AND (
        LOWER("TargetFilename") LIKE '%\\inetpub\\%' OR LOWER("TargetFilename") LIKE '%\\wwwroot\\%'
        OR LOWER("TargetFilename") LIKE '%\\htdocs\\%' OR LOWER("TargetFilename") LIKE '%\\webapps\\%'
        OR LOWER("TargetFilename") LIKE '%\\public_html\\%' OR LOWER("TargetFilename") LIKE '%/var/www/%'
      )
      AND (
        LOWER("TargetFilename") LIKE '%.aspx' OR LOWER("TargetFilename") LIKE '%.asp'
        OR LOWER("TargetFilename") LIKE '%.php' OR LOWER("TargetFilename") LIKE '%.jsp'
        OR LOWER("TargetFilename") LIKE '%.jspx' OR LOWER("TargetFilename") LIKE '%.cfm'
        OR LOWER("TargetFilename") LIKE '%.ashx' OR LOWER("TargetFilename") LIKE '%.asmx'
        OR LOWER("TargetFilename") LIKE '%.phtml'
      )
      AND LOWER("Image") NOT LIKE '%msiexec.exe'
      AND LOWER("Image") NOT LIKE '%setup.exe'
      AND LOWER("Image") NOT LIKE '%devenv.exe'
      AND LOWER("Image") NOT LIKE '%code.exe'
      AND LOWER("Image") NOT LIKE '%explorer.exe'
      AND LOWER("Image") NOT LIKE '%robocopy.exe'
    )
    OR
    -- Signal 3: IIS module registered via registry
    (
      "EventCode" = '13'
      AND (
        LOWER("TargetObject") LIKE '%\\currentcontrolset\\services\\w3svc%'
        OR LOWER("TargetObject") LIKE '%\\software\\microsoft\\inetstp%'
        OR LOWER("TargetObject") LIKE '%\\currentcontrolset\\services\\was%'
      )
      AND LOWER("Details") LIKE '%.dll'
      AND LOWER("Image") NOT LIKE '%msiexec.exe'
      AND LOWER("Image") NOT LIKE '%trustedinstaller.exe'
      AND LOWER("Image") NOT LIKE '%wusa.exe'
    )
  )
ORDER BY starttime DESC

high severity high confidence

Data Sources

Sysmon (via Windows Event Forwarding to QRadar) IBM QRadar SIEM

Required Tables

events

False Positives

Legitimate web application frameworks (Spring Boot, ASP.NET Core) that spawn Java or .NET runtime processes during startup or health checks, which may trigger the parent-child process signal
Automated deployment tools writing .php or .aspx files to web directories from build agents — exclude by deployer process names (jenkins.exe, octopus.exe, deploy.exe) in the Image field filter
IIS module registration from trusted Microsoft Windows Update components using wusa.exe or update packages with custom binary names not in the exclusion list — review TargetObject and Details fields for context

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="sysmon" OR _sourceCategory="endpoint/sysmon")
| parse "<EventID>*</EventID>" as event_id nodrop
| parse "<Data Name='Image'>*</Data>" as image nodrop
| parse "<Data Name='ParentImage'>*</Data>" as parent_image nodrop
| parse "<Data Name='CommandLine'>*</Data>" as command_line nodrop
| parse "<Data Name='ParentCommandLine'>*</Data>" as parent_command_line nodrop
| parse "<Data Name='TargetFilename'>*</Data>" as target_filename nodrop
| parse "<Data Name='TargetObject'>*</Data>" as target_object nodrop
| parse "<Data Name='Details'>*</Data>" as registry_details nodrop
| parse "<Data Name='User'>*</Data>" as event_user nodrop
| parse "<Data Name='Computer'>*</Data>" as computer nodrop
| where event_id in ("1","11","13")
| where
  // Signal 1: Web server spawning suspicious child process
  (
    event_id = "1"
    and (
      parent_image matches "*w3wp.exe" or parent_image matches "*httpd.exe"
      or parent_image matches "*nginx.exe" or parent_image matches "*tomcat*"
      or parent_image matches "*java.exe" or parent_image matches "*php-cgi.exe"
      or parent_image matches "*perl.exe" or parent_image matches "*python.exe"
      or parent_image matches "*ruby.exe" or parent_image matches "*node.exe"
    )
    and (
      image matches "*cmd.exe" or image matches "*powershell.exe"
      or image matches "*pwsh.exe" or image matches "*wscript.exe"
      or image matches "*cscript.exe" or image matches "*mshta.exe"
      or image matches "*rundll32.exe" or image matches "*regsvr32.exe"
      or image matches "*certutil.exe" or image matches "*net.exe"
      or image matches "*net1.exe" or image matches "*whoami.exe"
      or image matches "*systeminfo.exe" or image matches "*nltest.exe"
      or image matches "*curl.exe" or image matches "*wget.exe"
      or image matches "*hostname.exe" or image matches "*ipconfig.exe"
    )
  )
  or
  // Signal 2: Suspicious web file written to web root directories
  (
    event_id = "11"
    and (
      target_filename matches "*\\inetpub\\*" or target_filename matches "*\\wwwroot\\*"
      or target_filename matches "*\\htdocs\\*" or target_filename matches "*\\webapps\\*"
      or target_filename matches "*\\public_html\\*" or target_filename matches "*/var/www/*"
      or target_filename matches "*/srv/www/*" or target_filename matches "*/usr/share/nginx/*"
    )
    and (
      target_filename matches "*.aspx" or target_filename matches "*.asp"
      or target_filename matches "*.php" or target_filename matches "*.jsp"
      or target_filename matches "*.jspx" or target_filename matches "*.cfm"
      or target_filename matches "*.ashx" or target_filename matches "*.asmx"
      or target_filename matches "*.phtml" or target_filename matches "*.shtml"
    )
    and not (
      image matches "*msiexec.exe" or image matches "*setup.exe"
      or image matches "*devenv.exe" or image matches "*code.exe"
      or image matches "*explorer.exe" or image matches "*robocopy.exe"
      or image matches "*xcopy.exe" or image matches "*w3wp.exe"
    )
  )
  or
  // Signal 3: IIS native module / ISAPI filter DLL registered via registry
  (
    event_id = "13"
    and (
      target_object matches "*\\CurrentControlSet\\Services\\W3SVC*"
      or target_object matches "*\\SOFTWARE\\Microsoft\\InetStp*"
      or target_object matches "*\\CurrentControlSet\\Services\\WAS*"
    )
    and registry_details matches "*.dll"
    and not (
      image matches "*msiexec.exe" or image matches "*TrustedInstaller.exe"
      or image matches "*wusa.exe"
    )
  )
| eval detection_type = if(event_id = "1", "WebShell_ChildProcess",
    if(event_id = "11", "SuspiciousWebFile_Written",
    if(event_id = "13", "IIS_Module_Registered", "Unknown")))
| eval severity_rating = if(
    event_id = "1" and (image matches "*cmd.exe" or image matches "*powershell.exe"
      or image matches "*pwsh.exe" or image matches "*wscript.exe"
      or image matches "*cscript.exe" or image matches "*mshta.exe"), "Critical",
    if(event_id in ("1","11","13"), "High", "Medium"))
| fields _messageTime, computer, event_user, image, command_line, parent_image, parent_command_line, target_filename, target_object, registry_details, detection_type, severity_rating
| sort by _messageTime desc

high severity high confidence

Data Sources

Sysmon logs via Sumo Logic Installed Collector Windows Event Forwarding

Required Tables

Sumo Logic Continuous Intelligence (CIP) — Sysmon source category

False Positives

Software deployment automation (Ansible, Chef, Puppet) writing configuration files with web-compatible extensions (.php, .asp) to web directories as part of scheduled maintenance — add known deployment tool process names to the exclusion list
Node.js or Python development environments running on workstations with web server processes (node.exe, python.exe) spawning cmd.exe for build tasks or test runners — scope detection to servers only using computer name patterns or asset group filters
Legitimate IIS tuning or performance optimization tooling that modifies W3SVC registry keys during benchmarking or configuration hardening — cross-reference with change management records during investigations

Google Chronicle / SecOps

yaral

rule t1505_server_software_component {
  meta:
    author = "df00tech"
    description = "Detects T1505 Server Software Component abuse via web shell child process execution, suspicious web file creation in web roots, or unauthorized IIS module DLL registration via registry"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1505"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1505/"
    severity = "HIGH"
    priority = "HIGH"

  events:
    // Signal 1: Web server spawning suspicious child processes (web shell execution)
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        $e1.principal.process.file.full_path = /(?i)(w3wp\.exe|httpd\.exe|nginx\.exe|tomcat[0-9]*\.exe|java\.exe|php-cgi\.exe|perl\.exe|python\.exe|ruby\.exe|node\.exe|gunicorn|uvicorn)$/
      )
      and (
        $e1.target.process.file.full_path = /(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|net\.exe|net1\.exe|whoami\.exe|hostname\.exe|ipconfig\.exe|systeminfo\.exe|nltest\.exe|arp\.exe|curl\.exe|wget\.exe|ping\.exe|tracert\.exe|nslookup\.exe|sc\.exe)$/
      )
    )
    or
    // Signal 2: Suspicious web shell file written to web-accessible directories
    (
      $e1.metadata.event_type = "FILE_CREATION"
      and (
        $e1.target.file.full_path = /(?i)(\\inetpub\\|\\wwwroot\\|\\htdocs\\|\\webapps\\|\\public_html\\|\/var\/www\/|\/srv\/www\/|\/usr\/share\/nginx/)/
      )
      and (
        $e1.target.file.full_path = /(?i)\.(aspx|asp|php|jsp|jspx|cfm|shtml|ashx|asmx|phtml)$/
      )
      and not (
        $e1.principal.process.file.full_path = /(?i)(msiexec\.exe|setup\.exe|install\.exe|devenv\.exe|code\.exe|explorer\.exe|robocopy\.exe|xcopy\.exe|w3wp\.exe)$/
      )
    )
    or
    // Signal 3: IIS native module or ISAPI filter DLL registered via registry
    (
      $e1.metadata.event_type = "REGISTRY_MODIFICATION"
      and (
        $e1.target.registry.registry_key = /(?i)(SYSTEM\\CurrentControlSet\\Services\\W3SVC|SOFTWARE\\Microsoft\\InetStp|SYSTEM\\CurrentControlSet\\Services\\WAS)/
      )
      and $e1.target.registry.registry_value_data = /(?i)\.dll/
      and not (
        $e1.principal.process.file.full_path = /(?i)(msiexec\.exe|TrustedInstaller\.exe|wusa\.exe)$/
      )
    )

  condition:
    $e1
}

high severity high confidence

Data Sources

Chronicle SIEM with Windows Sysmon UDM ingestion Chronicle Endpoint Detection Microsoft Windows Event Logs (via Chronicle forwarder)

Required Tables

UDM Events — PROCESS_LAUNCH, FILE_CREATION, REGISTRY_MODIFICATION

False Positives

Java application servers (Tomcat, JBoss, WebSphere) that legitimately spawn java.exe child processes for background job execution, JVM monitoring agents, or JMX remote management — exclude by verifying child process command-line arguments reference known application class names
Web content management system (CMS) plugins or modules (WordPress, Drupal, Joomla) that write .php files to web directories during plugin installations performed by the web server process itself — add w3wp.exe or apache.exe to Signal 2 exclusions for known CMS directories
IIS URL Rewrite Module, ARR (Application Request Routing), or other legitimate Microsoft IIS extensions that modify W3SVC registry keys during initial setup or version upgrades via custom installer binaries not matching standard exclusion patterns

CrowdStrike LogScale (CQL)

cql

// Signal 1: Web server spawning suspicious child processes (web shell execution)
(
  #event_simpleName = "ProcessRollup2"
  | ParentBaseFileName = /(?i)^(w3wp|httpd|nginx|tomcat[0-9]*|java|php-cgi|perl|python[0-9.]*|ruby|node|gunicorn|uvicorn)\.exe$/i
  | FileName = /(?i)^(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|net|net1|whoami|hostname|ipconfig|systeminfo|nltest|arp|curl|wget|ping|tracert|nslookup|sc)\.exe$/i
  | DetectionType := "WebShell_ChildProcess"
  | SeverityRating := if(FileName = /(?i)^(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe$/, "Critical", "High")
)

UNION

// Signal 2: Web shell file written to web-accessible directories
(
  #event_simpleName = "NewExecutableWritten"
    OR #event_simpleName = "NewScriptWritten"
    OR #event_simpleName = "PeFileWritten"
  | TargetFileName = /(?i)(\\inetpub\\|\\wwwroot\\|\\htdocs\\|\\webapps\\|\\public_html\\|\/var\/www\/|\/srv\/www\/|\/usr\/share\/nginx/)/
  | TargetFileName = /(?i)\.(aspx|asp|php|jsp|jspx|cfm|shtml|ashx|asmx|phtml)$/
  | not(FileName = /(?i)^(msiexec|setup|install|devenv|code|explorer|robocopy|xcopy|w3wp)\.exe$/)
  | DetectionType := "SuspiciousWebFile_Written"
  | SeverityRating := "High"
)

UNION

// Signal 3: IIS module DLL registered via registry modification
(
  #event_simpleName = "RegGenericValueUpdate"
    OR #event_simpleName = "RegKeyCreate"
  | RegObjectName = /(?i)(SYSTEM\\CurrentControlSet\\Services\\W3SVC|SOFTWARE\\Microsoft\\InetStp|SYSTEM\\CurrentControlSet\\Services\\WAS)/
  | RegStringValue = /(?i)\.dll$/
  | not(FileName = /(?i)^(msiexec|TrustedInstaller|wusa)\.exe$/)
  | DetectionType := "IIS_Module_Registered"
  | SeverityRating := "High"
)

| groupBy([ComputerName, FileName, CommandLine, ParentBaseFileName, TargetFileName, RegObjectName, RegStringValue, DetectionType, SeverityRating], function=count(aid, as=EventCount))
| sort(SeverityRating, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Agent (EDR) CrowdStrike Falcon Data Replicator (FDR) Humio/LogScale SIEM

Required Tables

ProcessRollup2 NewExecutableWritten NewScriptWritten PeFileWritten RegGenericValueUpdate RegKeyCreate

False Positives

Python or Node.js processes used by development tooling (Jupyter notebooks, VS Code extensions, npm scripts) on developer workstations that are also running lightweight local web servers — scope alerts to production server asset groups using ComputerName patterns or GroupingTags
Java-based application monitoring agents (Dynatrace OneAgent, AppDynamics, New Relic) that inject into java.exe processes and may appear as child process spawns under web server parents — whitelist known APM agent binary paths in the FileName exclusion logic
Legitimate web application self-update mechanisms or content publishing workflows (Sitecore, Umbraco, SharePoint) that write .aspx or .ashx files to IIS web roots using the application pool identity process (w3wp.exe) — add w3wp.exe to Signal 2 process exclusions with path-scoped exceptions for known CMS update directories

Last updated: 2026-04-20 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1505 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Server Software Component

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (6)

Same Tactic: Persistence

Popular Detections