[Rule Tuning] Unusual Web Server Command Execution (#5450)

Aegrah · tradebot-elastic · commit 9633b7c8f7af · 2025-12-12T12:03:30.000Z
* [Rule Tuning] Unusual Web Server Command Execution * ++ (cherry picked from commit d16ee30)
diff --git a/rules/linux/persistence_web_server_unusual_command_execution.toml b/rules/linux/persistence_web_server_unusual_command_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/08"
+updated_date = "2025/12/11"
 
 [rule]
 author = ["Elastic"]
@@ -68,7 +68,7 @@ event.category:process and host.os.type:linux and event.type:start and event.act
     "apache" or "nginx" or "apache2" or "httpd" or "lighttpd" or "caddy" or "mongrel_rails" or "haproxy" or
     "gunicorn" or "uwsgi" or "openresty" or "cherokee" or "h2o" or "resin" or "puma" or "unicorn" or "traefik" or "uvicorn" or
     "tornado" or "hypercorn" or "daphne" or "twistd" or "yaws" or "webfsd" or "httpd.worker" or "flask" or "rails" or "mongrel" or
-    php* or ruby* or perl* or python* or "node" or "java"
+    php-fpm* or "php-cgi" or "php-fcgi" or "php-cgi.cagefs" or "java" or "node"
   ) or
   user.name:("apache" or "www-data" or "httpd" or "nginx" or "lighttpd" or "tomcat" or "tomcat8" or "tomcat9") or
   user.id:("33" or "498" or "48" or "54321")
@@ -86,14 +86,11 @@ event.category:process and host.os.type:linux and event.type:start and event.act
 process.command_line:* and process.name:(bash or dash or sh or tcsh or csh or zsh or ksh or fish) and process.args:"-c" and
 not (
   (process.parent.name:java and not process.parent.executable:/u0*/*) or
-  (process.parent.name:python* and process.parent.executable:(/bin/python* or /usr/bin/python* or /usr/local/bin/python* or /tmp/*python* or /opt/oracle.ahf/python/*)) or
-  (process.parent.name:ruby* and process.parent.executable:(/bin/ruby* or /usr/bin/ruby* or /usr/local/bin/ruby* or /tmp/*ruby* or /bin/ruby or /usr/bin/ruby or /usr/local/bin/ruby)) or
-  (process.parent.name:perl* and process.parent.executable:(/bin/perl* or /usr/bin/perl* or /usr/local/bin/perl* or /tmp/*perl* or /bin/perl or /usr/bin/perl or /usr/local/bin/perl)) or
-  (process.parent.name:php* and process.parent.executable:(/bin/php* or /usr/bin/php* or /usr/local/bin/php* or /tmp/*php* or /bin/php or /usr/bin/php or /usr/local/bin/php)) or
   (process.parent.name:node and process.parent.executable:(/home/*/.vscode-server/* or /users/*/.vscode-server/* or /bin/node or /usr/bin/node or /usr/local/bin/node or /opt/plesk/node/*/bin/node)) or
   process.working_directory:(/u0*/*/sysman/emd or /u0*/app/oracle/product/*/dbhome_* or /u0*/app/oracle/product/*/db_* or /var/www/*edoc*) or
   process.parent.executable:/tmp/* or
-  process.args:/usr/local/bin/wkhtmltopdf*
+  process.args:/usr/local/bin/wkhtmltopdf* or
+  process.parent.name:php
 )
 '''
 
