Webshell Tool Reconnaissance Activity (f64e5c19-879c-4bae-b471-6d84c8339677)

Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance by checking whether popular scripting tools (perl, python, wget) exist on the system via their help commands.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Webshell Tool Reconnaissance Activity (f64e5c19-879c-4bae-b471-6d84c8339677) | Sigma-Rules | Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) | Attack Pattern | 1 |
| Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) | Attack Pattern | Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) | Attack Pattern | 2 |