Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Detect Suspicious Commands Initiated by Webserver Processes

Back
Idfa2f7d8a-6726-465a-aa72-6f6e3d4c99d7
RulenameDetect Suspicious Commands Initiated by Webserver Processes
DescriptionThis query was originally published in the threat analytics report, Operation Soft Cell.

Operation Soft Cell is a series of campaigns targeting users’ call logs at telecommunications providers throughout the world. These attacks date from as early as 2012.

Operation Soft Cell operators sometimes use legitimate web server processes to launch commands, especially for network discovery and user/owner discovery. The following query detects activity of this kind.

Reference - https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers
SeverityHigh
TacticsExecution
DefenseEvasion
Discovery
TechniquesT1059
T1574
T1087
T1082
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Discovery/SuspiciousCommandInitiatedByWebServerProcess.yaml
Version1.0.0
Arm templatefa2f7d8a-6726-465a-aa72-6f6e3d4c99d7.json
Deploy To Azure
// Suspicious commands launched by web server processes
DeviceProcessEvents 
| where (((InitiatingProcessParentFileName in("w3wp.exe", "beasvc.exe",
    "httpd.exe") or InitiatingProcessParentFileName startswith "tomcat")
    or InitiatingProcessFileName in("w3wp.exe", "beasvc.exe", "httpd.exe") or
    InitiatingProcessFileName startswith "tomcat"))
    and FileName in~('cmd.exe', 'powershell.exe')
| where ProcessCommandLine contains '%temp%'
    or ProcessCommandLine has 'wget'
    or ProcessCommandLine has 'whoami'
    or ProcessCommandLine has 'certutil'
    or ProcessCommandLine has 'systeminfo'
    or ProcessCommandLine has 'ping'
    or ProcessCommandLine has 'ipconfig'
    or ProcessCommandLine has 'timeout'
| summarize
    take_any(FileName),
    make_set(ProcessCommandLine, 100000),
    take_any(InitiatingProcessFileName),
    take_any(InitiatingProcessParentFileName)
    by DeviceId, DeviceName
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
name: Detect Suspicious Commands Initiated by Webserver Processes
version: 1.0.0
severity: High
queryFrequency: 1h
triggerOperator: gt
tags:
- Operation Soft Cell
- Webserver Process
- Discovery
relevantTechniques:
- T1059
- T1574
- T1087
- T1082
status: Available
description: |
  This query was originally published in the threat analytics report, Operation Soft Cell.
  Operation Soft Cell is a series of campaigns targeting users' call logs at telecommunications providers throughout the world. These attacks date from as early as 2012.
  Operation Soft Cell operators sometimes use legitimate web server processes to launch commands, especially for network discovery and user/owner discovery. The following query detects activity of this kind.
  Reference - https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Discovery/SuspiciousCommandInitiatedByWebServerProcess.yaml
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
  entityType: Host
tactics:
- Execution
- DefenseEvasion
- Discovery
queryPeriod: 1h
query: |
  // Suspicious commands launched by web server processes
  DeviceProcessEvents 
  | where (((InitiatingProcessParentFileName in("w3wp.exe", "beasvc.exe",
      "httpd.exe") or InitiatingProcessParentFileName startswith "tomcat")
      or InitiatingProcessFileName in("w3wp.exe", "beasvc.exe", "httpd.exe") or
      InitiatingProcessFileName startswith "tomcat"))
      and FileName in~('cmd.exe', 'powershell.exe')
  | where ProcessCommandLine contains '%temp%'
      or ProcessCommandLine has 'wget'
      or ProcessCommandLine has 'whoami'
      or ProcessCommandLine has 'certutil'
      or ProcessCommandLine has 'systeminfo'
      or ProcessCommandLine has 'ping'
      or ProcessCommandLine has 'ipconfig'
      or ProcessCommandLine has 'timeout'
  | summarize
      take_any(FileName),
      make_set(ProcessCommandLine, 100000),
      take_any(InitiatingProcessFileName),
      take_any(InitiatingProcessParentFileName)
      by DeviceId, DeviceName
  | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
  | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")  
kind: Scheduled
triggerThreshold: 0
id: fa2f7d8a-6726-465a-aa72-6f6e3d4c99d7
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fa2f7d8a-6726-465a-aa72-6f6e3d4c99d7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fa2f7d8a-6726-465a-aa72-6f6e3d4c99d7')]",
      "properties": {
        "alertRuleTemplateName": "fa2f7d8a-6726-465a-aa72-6f6e3d4c99d7",
        "customDetails": null,
        "description": "This query was originally published in the threat analytics report, Operation Soft Cell.\nOperation Soft Cell is a series of campaigns targeting users' call logs at telecommunications providers throughout the world. These attacks date from as early as 2012.\nOperation Soft Cell operators sometimes use legitimate web server processes to launch commands, especially for network discovery and user/owner discovery. The following query detects activity of this kind.\nReference - https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers\n",
        "displayName": "Detect Suspicious Commands Initiated by Webserver Processes",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Discovery/SuspiciousCommandInitiatedByWebServerProcess.yaml",
        "query": "// Suspicious commands launched by web server processes\nDeviceProcessEvents \n| where (((InitiatingProcessParentFileName in(\"w3wp.exe\", \"beasvc.exe\",\n    \"httpd.exe\") or InitiatingProcessParentFileName startswith \"tomcat\")\n    or InitiatingProcessFileName in(\"w3wp.exe\", \"beasvc.exe\", \"httpd.exe\") or\n    InitiatingProcessFileName startswith \"tomcat\"))\n    and FileName in~('cmd.exe', 'powershell.exe')\n| where ProcessCommandLine contains '%temp%'\n    or ProcessCommandLine has 'wget'\n    or ProcessCommandLine has 'whoami'\n    or ProcessCommandLine has 'certutil'\n    or ProcessCommandLine has 'systeminfo'\n    or ProcessCommandLine has 'ping'\n    or ProcessCommandLine has 'ipconfig'\n    or ProcessCommandLine has 'timeout'\n| summarize\n    take_any(FileName),\n    make_set(ProcessCommandLine, 100000),\n    take_any(InitiatingProcessFileName),\n    take_any(InitiatingProcessParentFileName)\n    by DeviceId, DeviceName\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Discovery",
          "Execution"
        ],
        "tags": [
          "Operation Soft Cell",
          "Webserver Process",
          "Discovery"
        ],
        "techniques": [
          "T1059",
          "T1082",
          "T1087",
          "T1574"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}