
Webshell Tool Reconnaissance Activity (f64e5c19-879c-4bae-b471-6d84c8339677)

Detects processes spawned by web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance by checking, via the help commands, whether popular scripting tools (perl, python, wget) exist on the system.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) | Attack Pattern | Webshell Tool Reconnaissance Activity (f64e5c19-879c-4bae-b471-6d84c8339677) | Sigma-Rules | 1 |
| Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) | Attack Pattern | Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) | Attack Pattern | 2 |