-
Notifications
You must be signed in to change notification settings - Fork 512
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[New Rule] Simple HTTP Web Server Creation #4308
base: main
Are you sure you want to change the base?
Conversation
Rule: New - GuidelinesThese guidelines serve as a reminder set of considerations when proposing a new rule. Documentation and Context
Rule Metadata Checks
New BBR Rules
Testing and Validation
|
query = ''' | ||
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( | ||
(process.name regex~ """php?[0-9]?\.?[0-9]{0,2}""" and process.args == "-S") or | ||
(process.name like "python*" and process.args in ("--cgi", "CGIHTTPServer")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thoughts on adding http.server
(known as SimpleHTTPServer) as well? --> python -m http.server
. You can setup CGI with the --cgi
argument as well and bind to a specific port or listen on any address. I'd be interested in alerts where 0.0.0.0
is the specified address as it is a "accept any" on cloud instances.
Another option would be Flask setup via inline code execution as shown below. I thing from command line args you could check for import flask and app.run
and flag it as you will always need to import and initialize call app.run
.
python3 -c "from flask import Flask; app = Flask(__name__); @app.route('/') def hello(): return 'Hello, World!'; app.run(host='0.0.0.0', port=8000)"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The python web server spawn is already in
(process.name like "python*" and process.args in ("http.server", "SimpleHTTPServer")) or |
I did not add flask in there because it requires an additional module, which attackers would prefer not to install. And I think starting flask applications will be very noisy. I can check telemetry though!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added some thoughts on additional logic, but LTGM.
Summary
This rule detects the creation of a simple HTTP web server using PHP or Python built-in modules. Adversaries may create simple HTTP web servers to establish persistence on a compromised system by uploading a reverse or command shell payload to the server web root, allowing them to regain remote access to the system if lost.
##Telemetry
0 hits in telemetry last 90d, only TPs in testing stack: