++

Author: Aegrah

rules/linux/persistence_web_server_unusual_command_execution.toml

@@ -86,11 +86,11 @@ event.category:process and host.os.type:linux and event.type:start and event.act
 process.command_line:* and process.name:(bash or dash or sh or tcsh or csh or zsh or ksh or fish) and process.args:"-c" and
 not (
   (process.parent.name:java and not process.parent.executable:/u0*/*) or
-  (process.parent.name:php* and process.parent.executable:(/bin/php or /usr/bin/php or /usr/local/bin/php or /tmp/*php or /bin/php or /usr/bin/php or /usr/local/bin/php)) or
   (process.parent.name:node and process.parent.executable:(/home/*/.vscode-server/* or /users/*/.vscode-server/* or /bin/node or /usr/bin/node or /usr/local/bin/node or /opt/plesk/node/*/bin/node)) or
   process.working_directory:(/u0*/*/sysman/emd or /u0*/app/oracle/product/*/dbhome_* or /u0*/app/oracle/product/*/db_* or /var/www/*edoc*) or
   process.parent.executable:/tmp/* or
-  process.args:/usr/local/bin/wkhtmltopdf*
+  process.args:/usr/local/bin/wkhtmltopdf* or
+  process.parent.name:php
 )
 '''