Detect Suspicious Commands Initiated by Webserver Processes
Id | fa2f7d8a-6726-465a-aa72-6f6e3d4c99d7 |
Rulename | Detect Suspicious Commands Initiated by Webserver Processes |
Description | This query was originally published in the threat analytics report, Operation Soft Cell. Operation Soft Cell is a series of campaigns targeting users’ call logs at telecommunications providers throughout the world. These attacks date from as early as 2012. Operation Soft Cell operators sometimes use legitimate web server processes to launch commands, especially for network discovery and user/owner discovery. The following query detects activity of this kind. Reference - https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers |
Severity | High |
Tactics | Execution DefenseEvasion Discovery |
Techniques | T1059 T1574 T1087 T1082 |
Required data connectors | MicrosoftThreatProtection |
Kind | Scheduled |
Query frequency | 1h |
Query period | 1h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Discovery/SuspiciousCommandInitiatedByWebServerProcess.yaml |
Version | 1.0.0 |
Arm template | fa2f7d8a-6726-465a-aa72-6f6e3d4c99d7.json |
// Suspicious commands launched by web server processes
DeviceProcessEvents
| where (((InitiatingProcessParentFileName in("w3wp.exe", "beasvc.exe",
"httpd.exe") or InitiatingProcessParentFileName startswith "tomcat")
or InitiatingProcessFileName in("w3wp.exe", "beasvc.exe", "httpd.exe") or
InitiatingProcessFileName startswith "tomcat"))
and FileName in~('cmd.exe', 'powershell.exe')
| where ProcessCommandLine contains '%temp%'
or ProcessCommandLine has 'wget'
or ProcessCommandLine has 'whoami'
or ProcessCommandLine has 'certutil'
or ProcessCommandLine has 'systeminfo'
or ProcessCommandLine has 'ping'
or ProcessCommandLine has 'ipconfig'
or ProcessCommandLine has 'timeout'
| summarize
take_any(FileName),
make_set(ProcessCommandLine, 100000),
take_any(InitiatingProcessFileName),
take_any(InitiatingProcessParentFileName)
by DeviceId, DeviceName
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Discovery/SuspiciousCommandInitiatedByWebServerProcess.yaml
status: Available
id: fa2f7d8a-6726-465a-aa72-6f6e3d4c99d7
query: |
// Suspicious commands launched by web server processes
DeviceProcessEvents
| where (((InitiatingProcessParentFileName in("w3wp.exe", "beasvc.exe",
"httpd.exe") or InitiatingProcessParentFileName startswith "tomcat")
or InitiatingProcessFileName in("w3wp.exe", "beasvc.exe", "httpd.exe") or
InitiatingProcessFileName startswith "tomcat"))
and FileName in~('cmd.exe', 'powershell.exe')
| where ProcessCommandLine contains '%temp%'
or ProcessCommandLine has 'wget'
or ProcessCommandLine has 'whoami'
or ProcessCommandLine has 'certutil'
or ProcessCommandLine has 'systeminfo'
or ProcessCommandLine has 'ping'
or ProcessCommandLine has 'ipconfig'
or ProcessCommandLine has 'timeout'
| summarize
take_any(FileName),
make_set(ProcessCommandLine, 100000),
take_any(InitiatingProcessFileName),
take_any(InitiatingProcessParentFileName)
by DeviceId, DeviceName
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
tags:
- Operation Soft Cell
- Webserver Process
- Discovery
description: |
This query was originally published in the threat analytics report, Operation Soft Cell.
Operation Soft Cell is a series of campaigns targeting users' call logs at telecommunications providers throughout the world. These attacks date from as early as 2012.
Operation Soft Cell operators sometimes use legitimate web server processes to launch commands, especially for network discovery and user/owner discovery. The following query detects activity of this kind.
Reference - https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers
name: Detect Suspicious Commands Initiated by Webserver Processes
relevantTechniques:
- T1059
- T1574
- T1087
- T1082
entityMappings:
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: DeviceName
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: DnsDomain
triggerThreshold: 0
severity: High
requiredDataConnectors:
- dataTypes:
- DeviceProcessEvents
connectorId: MicrosoftThreatProtection
queryFrequency: 1h
queryPeriod: 1h
version: 1.0.0
kind: Scheduled
tactics:
- Execution
- DefenseEvasion
- Discovery
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fa2f7d8a-6726-465a-aa72-6f6e3d4c99d7')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fa2f7d8a-6726-465a-aa72-6f6e3d4c99d7')]",
"properties": {
"alertRuleTemplateName": "fa2f7d8a-6726-465a-aa72-6f6e3d4c99d7",
"customDetails": null,
"description": "This query was originally published in the threat analytics report, Operation Soft Cell.\nOperation Soft Cell is a series of campaigns targeting users' call logs at telecommunications providers throughout the world. These attacks date from as early as 2012.\nOperation Soft Cell operators sometimes use legitimate web server processes to launch commands, especially for network discovery and user/owner discovery. The following query detects activity of this kind.\nReference - https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers\n",
"displayName": "Detect Suspicious Commands Initiated by Webserver Processes",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "FullName"
},
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "DnsDomain",
"identifier": "DnsDomain"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Discovery/SuspiciousCommandInitiatedByWebServerProcess.yaml",
"query": "// Suspicious commands launched by web server processes\nDeviceProcessEvents \n| where (((InitiatingProcessParentFileName in(\"w3wp.exe\", \"beasvc.exe\",\n \"httpd.exe\") or InitiatingProcessParentFileName startswith \"tomcat\")\n or InitiatingProcessFileName in(\"w3wp.exe\", \"beasvc.exe\", \"httpd.exe\") or\n InitiatingProcessFileName startswith \"tomcat\"))\n and FileName in~('cmd.exe', 'powershell.exe')\n| where ProcessCommandLine contains '%temp%'\n or ProcessCommandLine has 'wget'\n or ProcessCommandLine has 'whoami'\n or ProcessCommandLine has 'certutil'\n or ProcessCommandLine has 'systeminfo'\n or ProcessCommandLine has 'ping'\n or ProcessCommandLine has 'ipconfig'\n or ProcessCommandLine has 'timeout'\n| summarize\n take_any(FileName),\n make_set(ProcessCommandLine, 100000),\n take_any(InitiatingProcessFileName),\n take_any(InitiatingProcessParentFileName)\n by DeviceId, DeviceName\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion",
"Discovery",
"Execution"
],
"tags": [
"Operation Soft Cell",
"Webserver Process",
"Discovery"
],
"techniques": [
"T1059",
"T1082",
"T1087",
"T1574"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}