Webshell - Commands Launched By Web Server (Help Creating Exception)

We are getting a detection for Webshell - Commands Launched By Web Server. I’ve traced this back to an application that we use running SystemInfo when a “Runtime Environment” option is used. I’m not sure the best way to create an exception for this without also creating an exception if someone were to use this for reconnaissance purposes. My current thought is to only allow it if it’s the same service account and specific server that it’s been run on, but would that service account be used no matter what if it’s what’s being used to run Tomcat?

Hey @blong,

Interesting issue. I’m not sure how that service account operates within your environment, but if you go the route of adding an exception for the service account and asset for the alert, have you thought about adding that service account to the watchlist?

Thanks for the reply. Can you help me understand how adding the user to the watchlist will help? All I can find in documentation is that adding a user “will enable some alerts and lower the threshold for others,” but it doesn’t say which alerts those are.

@blong, as for your original request, looking at the Rule Logic tab, it shows what we need to detect this behavior:


from(
  entry_type = "process_start_event"
)
where(
  os_type = NOCASE("windows")
  AND process.cmd_line ICONTAINS-ANY [
    "whoami",
    "net user ",
    "net group ",
    "systeminfo",
    "&cd&echo",
    "cd /d"
  ]
  AND parent_process.name ICONTAINS-ANY [
    "apache",
    "tomcat",
    "w3wp.exe",
    "php-cgi.exe",
    "nginx.exe",
    "httpd.exe"
  ]
)

So this tells us a parent process from the above list has to execute one of the cmd_line invocations listed. If this alert is only firing for one of the above commands on a regular basis, you could say process.cmd_line="net group" and parent_process.name=apache as well as user="my service account" and it would stop the rule firing for that particular action.
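
As an added illustration (not part of the original posts and not InsightIDR's own code), the Python sketch below models the rule logic quoted above together with the scoped exception discussed in this thread, so the effect of each exception condition can be checked against sample events. The `user` and `asset` field names, the account `svc_tomcat`, the host `APPSRV01`, and all sample events are constructed assumptions.

```python
# Added example: models the quoted rule and a narrowly scoped exception.
# Field names "user"/"asset" and every sample value below are constructed.
CMD_TERMS = ["whoami", "net user ", "net group ", "systeminfo", "&cd&echo", "cd /d"]
PARENT_TERMS = ["apache", "tomcat", "w3wp.exe", "php-cgi.exe", "nginx.exe", "httpd.exe"]

# Every condition must hold for suppression; anything else still alerts.
EXCEPTION = {
    "user": "svc_tomcat",      # hypothetical service account running Tomcat
    "asset": "appsrv01",       # hypothetical server hosting the application
    "parent": "tomcat",        # substring of parent_process.name
    "cmd_line": "systeminfo",  # whole command line, not a substring
}

def icontains_any(value, terms):
    """Case-insensitive 'contains any of', like ICONTAINS-ANY in the rule."""
    low = value.lower()
    return any(t.lower() in low for t in terms)

def rule_matches(ev):
    return (ev["os_type"].lower() == "windows"
            and icontains_any(ev["cmd_line"], CMD_TERMS)
            and icontains_any(ev["parent_name"], PARENT_TERMS))

def is_excepted(ev):
    return (ev["user"].lower() == EXCEPTION["user"]
            and ev["asset"].lower() == EXCEPTION["asset"]
            and EXCEPTION["parent"] in ev["parent_name"].lower()
            and ev["cmd_line"].strip().lower() == EXCEPTION["cmd_line"])

def triage(ev):
    if not rule_matches(ev):
        return "no_match"
    return "suppressed" if is_excepted(ev) else "alert"

def ev(cmd, parent="tomcat9.exe", user="svc_tomcat", asset="APPSRV01"):
    """Build a constructed process_start_event for testing the logic."""
    return {"os_type": "Windows", "cmd_line": cmd,
            "parent_name": parent, "user": user, "asset": asset}

if __name__ == "__main__":
    samples = [ev("systeminfo"), ev("whoami"), ev("systeminfo", asset="WEB02"),
               ev("systeminfo", user="jdoe"), ev("systeminfo & whoami"),
               ev("ipconfig")]
    for s in samples:
        print(f'{triage(s):<10} {s["user"]}@{s["asset"]} '
              f'{s["parent_name"]} -> {s["cmd_line"]}')
```

An event with the same account, host, parent process and command line is suppressed no matter what triggered it, which is the compromise noted in the thread.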

Thanks, it looks like I’ll have to compromise a bit. I was hoping for a way to stop the alerts when it’s run from the application and still get the alert if it is run in a different manner. Unfortunately, the process tree doesn’t go deep enough to accomplish that.