You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: rules/linux/persistence_web_server_unusual_command_execution.toml
+3-6Lines changed: 3 additions & 6 deletions
Original file line number
Diff line number
Diff line change
@@ -2,7 +2,7 @@
2
2
creation_date = "2025/12/02"
3
3
integration = ["endpoint"]
4
4
maturity = "production"
5
-
updated_date = "2025/12/08"
5
+
updated_date = "2025/12/11"
6
6
7
7
[rule]
8
8
author = ["Elastic"]
@@ -68,7 +68,7 @@ event.category:process and host.os.type:linux and event.type:start and event.act
68
68
"apache" or "nginx" or "apache2" or "httpd" or "lighttpd" or "caddy" or "mongrel_rails" or "haproxy" or
69
69
"gunicorn" or "uwsgi" or "openresty" or "cherokee" or "h2o" or "resin" or "puma" or "unicorn" or "traefik" or "uvicorn" or
70
70
"tornado" or "hypercorn" or "daphne" or "twistd" or "yaws" or "webfsd" or "httpd.worker" or "flask" or "rails" or "mongrel" or
71
-
php* or ruby* or perl* or python* or "node" or "java"
71
+
php-fpm* or "php-cgi" or "php-fcgi" or "php-cgi.cagefs" or "java" or "node"
72
72
) or
73
73
user.name:("apache" or "www-data" or "httpd" or "nginx" or "lighttpd" or "tomcat" or "tomcat8" or "tomcat9") or
74
74
user.id:("33" or "498" or "48" or "54321")
@@ -86,10 +86,7 @@ event.category:process and host.os.type:linux and event.type:start and event.act
86
86
process.command_line:* and process.name:(bash or dash or sh or tcsh or csh or zsh or ksh or fish) and process.args:"-c" and
87
87
not (
88
88
(process.parent.name:java and not process.parent.executable:/u0*/*) or
89
-
(process.parent.name:python* and process.parent.executable:(/bin/python* or /usr/bin/python* or /usr/local/bin/python* or /tmp/*python* or /opt/oracle.ahf/python/*)) or
90
-
(process.parent.name:ruby* and process.parent.executable:(/bin/ruby* or /usr/bin/ruby* or /usr/local/bin/ruby* or /tmp/*ruby* or /bin/ruby or /usr/bin/ruby or /usr/local/bin/ruby)) or
91
-
(process.parent.name:perl* and process.parent.executable:(/bin/perl* or /usr/bin/perl* or /usr/local/bin/perl* or /tmp/*perl* or /bin/perl or /usr/bin/perl or /usr/local/bin/perl)) or
92
-
(process.parent.name:php* and process.parent.executable:(/bin/php* or /usr/bin/php* or /usr/local/bin/php* or /tmp/*php* or /bin/php or /usr/bin/php or /usr/local/bin/php)) or
89
+
(process.parent.name:php* and process.parent.executable:(/bin/php or /usr/bin/php or /usr/local/bin/php or /tmp/*php or /bin/php or /usr/bin/php or /usr/local/bin/php)) or
93
90
(process.parent.name:node and process.parent.executable:(/home/*/.vscode-server/* or /users/*/.vscode-server/* or /bin/node or /usr/bin/node or /usr/local/bin/node or /opt/plesk/node/*/bin/node)) or
94
91
process.working_directory:(/u0*/*/sysman/emd or /u0*/app/oracle/product/*/dbhome_* or /u0*/app/oracle/product/*/db_* or /var/www/*edoc*) or
0 commit comments