Webshell Tool Reconnaissance Activity (f64e5c19-879c-4bae-b471-6d84c8339677)

Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance by checking, via the tools' help commands, whether popular scripting tools (perl, python, wget) exist on the system.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) | Attack Pattern | Webshell Tool Reconnaissance Activity (f64e5c19-879c-4bae-b471-6d84c8339677) | Sigma-Rules | 1 |
| Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) | Attack Pattern | Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) | Attack Pattern | 2 |