title: Webshell Remote Command Execution
id: c0d3734d-330f-4a03-aae2-65dacc6a8222
status: experimental
description: Detects possible command execution by web application/web shell
author: Ilyas Ochkov, Beyu Denis, oscd.community
date: 2019/10/12
modified: 2021/11/11
references:
    - personal experience
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'SYSCALL'
        syscall: 'execve'
        key: 'detect_execve_www'
    condition: selection
falsepositives:
    - Admin activity
    - Crazy web applications
level: critical
tags:
    - attack.persistence
    - attack.t1505.003