T1505.003 Sumo Logic CSE · Sumo

Detect Web Shell in Sumo Logic CSE

Adversaries install web shells on compromised web servers to maintain persistent access. A web shell is a script (PHP, ASP, ASPX, JSP, etc.) that provides command execution, file upload/download, and network proxying capabilities via HTTP. Web shells are used by dozens of threat groups including APT28, APT39, HAFNIUM, OilRig, GALLIUM, and Sandworm. China Chopper and P.A.S. Webshell are widely used examples. IcedID, WIREFIRE, and BUSHWALK target specific appliances (Ivanti VPN).

MITRE ATT&CK

Tactic: Persistence
Technique: T1505 Server Software Component
Sub-technique: T1505.003 Web Shell
Canonical reference: https://attack.mitre.org/techniques/T1505/003/

Sumo Detection Query

Sumo Logic CSE (Sumo)
```
// Web Shell Detection — T1505.003
// Branch 1: Web server spawning command interpreters (Sysmon EventCode 1)
(_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint*)
| parse "EventCode=*" as event_code nodrop
| parse "ParentImage=*\n" as parent_image nodrop
| parse "Image=*\n" as process_image nodrop
| parse "CommandLine=*\n" as command_line nodrop
| parse "Computer=*\n" as host nodrop
| parse "User=*\n" as username nodrop
| where event_code = "1"
| where parent_image matches /(w3wp|httpd|nginx|php|php-cgi|tomcat|catalina|java|javaw)\.exe/
| where process_image matches /(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|whoami|net|ipconfig|systeminfo|wmic|nltest|netstat|ping|nslookup)\.exe/
| "WebServer_Spawned_Shell" as detection_type
| 10 as risk_score
| fields _messagetime, host, username, parent_image, process_image, command_line, detection_type, risk_score

// Branch 2: Web shell file drop (Sysmon EventCode 11)
// Run separately and union results
(_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint*)
| parse "EventCode=*" as event_code nodrop
| parse "TargetFilename=*\n" as target_filename nodrop
| parse "Image=*\n" as process_image nodrop
| parse "Computer=*\n" as host nodrop
| parse "User=*\n" as username nodrop
| where event_code = "11"
| where target_filename matches /(\\inetpub\\|\\wwwroot\\|\\htdocs\\|\\www\\|\\webapps\\|\/var\/www\/|\/public_html\/)/
| where target_filename matches /\.(asp|aspx|ashx|asmx|php|php5|jsp|jspx|cfm|shtml|phtml)$/
| where !(process_image matches /(w3wp|httpd|nginx|php|msdeploy|deploy|devenv)\.exe/)
| "WebShell_File_Drop" as detection_type
| 8 as risk_score
| fields _messagetime, host, username, process_image, target_filename, detection_type, risk_score

// Branch 3: Web server external network connection (Sysmon EventCode 3)
(_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint*)
| parse "EventCode=*" as event_code nodrop
| parse "Image=*\n" as process_image nodrop
| parse "DestinationIp=*\n" as dest_ip nodrop
| parse "DestinationPort=*\n" as dest_port nodrop
| parse "Computer=*\n" as host nodrop
| parse "User=*\n" as username nodrop
| where event_code = "3"
| where process_image matches /(w3wp|php|php-cgi|httpd|nginx)\.exe/
| where !(dest_ip matches /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/)
| where dest_port != "80" and dest_port != "443" and dest_port != "8080" and dest_port != "8443"
| "WebServer_External_Connection" as detection_type
| 7 as risk_score
| fields _messagetime, host, username, process_image, dest_ip, dest_port, detection_type, risk_score
```

Severity: critical
Confidence: high

Three-branch Sumo Logic detection for web shell activity using Sysmon event logs. Branch 1 detects web server processes spawning OS command interpreters (Sysmon Event 1). Branch 2 detects suspicious script file creation in web-accessible directories by non-deployment processes (Sysmon Event 11). Branch 3 detects web server processes establishing outbound connections to external IPs on non-HTTP ports (Sysmon Event 3). Each branch assigns a risk_score for analyst triage prioritization.

Data Sources

  • Sumo Logic Windows Collector with Sysmon
  • Sumo Logic Installed Collector (Windows)
  • Sumo Logic Cloud SIEM Enterprise

Required Tables

  • _sourceCategory=*windows*sysmon*
  • _sourceCategory=*endpoint*

False Positives & Tuning

  • Content management systems (WordPress, Drupal, Joomla) that write PHP plugin or theme files to web directories during legitimate plugin installation or auto-update processes
  • Development web servers where developers actively write and test PHP/ASP scripts directly in the web root through IDE integrations or FTP/SFTP clients
  • Load balancer health check mechanisms or APM agents that run as web server child processes and make outbound connections to monitoring infrastructure on non-standard ports

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simple ASPX Web Shell Drop (Test Environment Only)

    Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename=C:\inetpub\wwwroot\df00tech-test.aspx. When a web request triggers the shell: Sysmon EventCode 1 with ParentImage=w3wp.exe and Image=cmd.exe.

  2. Test 2: Simulate Web Shell Command Execution (w3wp Spawning cmd)

    Expected signal: Sysmon EventCode 1: cmd.exe spawned by powershell.exe. In a real web shell scenario, ParentImage would be w3wp.exe.

  3. Test 3: China Chopper Web Shell Pattern Check

    Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename=C:\inetpub\wwwroot\df00tech-cc-test.php and Image=powershell.exe.
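As an added example (not part of this page or the Sumo Logic query), the three branches re-implemented in Python and replayed over constructed Sysmon-style events modelled on the expected signals above; it shows that Test 2 (cmd.exe under powershell.exe) does not fire Branch 1, exactly as the note says, and that a msdeploy.exe write to wwwroot is excluded by the Branch 2 tuning. The image patterns are the page's, with an added anchor to the executable basename (an assumption, not the query's own semantics).

```python
import re
from typing import Optional

# Patterns mirror the three Sumo query branches on this page; each image pattern is
# anchored to the executable basename so e.g. "net.exe" cannot match "internet.exe".
WEB_PARENTS = re.compile(r"\\(w3wp|httpd|nginx|php|php-cgi|tomcat|catalina|java|javaw)\.exe$", re.I)
SHELL_CHILDREN = re.compile(r"\\(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|"
                            r"bitsadmin|whoami|net|ipconfig|systeminfo|wmic|nltest|netstat|ping|nslookup)\.exe$", re.I)
WEB_DIRS = re.compile(r"(\\inetpub\\|\\wwwroot\\|\\htdocs\\|\\www\\|\\webapps\\|/var/www/|/public_html/)", re.I)
SCRIPT_EXT = re.compile(r"\.(asp|aspx|ashx|asmx|php|php5|jsp|jspx|cfm|shtml|phtml)$", re.I)
DEPLOY_TOOLS = re.compile(r"\\(w3wp|httpd|nginx|php|msdeploy|deploy|devenv)\.exe$", re.I)
WEB_PROCS = re.compile(r"\\(w3wp|php|php-cgi|httpd|nginx)\.exe$", re.I)
PRIVATE_IP = re.compile(r"^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)")
HTTP_PORTS = {"80", "443", "8080", "8443"}

def classify(ev: dict) -> Optional[tuple]:
    """Return (detection_type, risk_score) if a branch fires for this event, else None."""
    code, image = ev.get("EventCode"), ev.get("Image", "")
    if code == "1":  # Branch 1: web server process spawning a command interpreter
        if WEB_PARENTS.search(ev.get("ParentImage", "")) and SHELL_CHILDREN.search(image):
            return ("WebServer_Spawned_Shell", 10)
    elif code == "11":  # Branch 2: script dropped in a web root by a non-deployment process
        target = ev.get("TargetFilename", "")
        if WEB_DIRS.search(target) and SCRIPT_EXT.search(target) and not DEPLOY_TOOLS.search(image):
            return ("WebShell_File_Drop", 8)
    elif code == "3":  # Branch 3: web server process reaching an external IP on a non-HTTP port
        if (WEB_PROCS.search(image) and not PRIVATE_IP.match(ev.get("DestinationIp", ""))
                and ev.get("DestinationPort") not in HTTP_PORTS):
            return ("WebServer_External_Connection", 7)
    return None

# Constructed Sysmon-style events modelled on the Testing Methodology's expected signals.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [
    {"EventCode": "11", "Image": PS, "TargetFilename": r"C:\inetpub\wwwroot\df00tech-test.aspx"},  # Test 1 drop
    {"EventCode": "1", "ParentImage": W3WP, "Image": r"C:\Windows\System32\cmd.exe"},             # Test 1 trigger
    {"EventCode": "1", "ParentImage": PS, "Image": r"C:\Windows\System32\cmd.exe"},               # Test 2: no hit
    {"EventCode": "11", "Image": r"C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\app\Default.aspx"},                                   # deploy tool: no hit
    {"EventCode": "3", "Image": W3WP, "DestinationIp": "203.0.113.5", "DestinationPort": "4444"},  # external: hit
    {"EventCode": "3", "Image": W3WP, "DestinationIp": "10.0.0.5", "DestinationPort": "4444"},     # private: no hit
]

def run(events):
    """Apply all three branches; return one (event index, detection_type, risk_score) per hit."""
    return [(i, *hit) for i, ev in enumerate(events) if (hit := classify(ev))]
```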
