Analytics Alerts
Browse the Cortex analytics alert reference.
7 alerts match the current filters. technique: T1505 ✕
Show ATT&CK heatmapAn executable was written and executed by a web server Low
Web server process had written an executable file that was executed shortly after.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Server Software Component: Web Shell (T1505.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Webshell AnalyticsAttacker's goals: Gaining the ability to execute commands on the host, as well as persistence.Investigative actions: Investigate the web server access logs for suspicious behavior. Check if the dropped file contains malicious content.Executable or Script file written by a web server process Low 3 variations
An uncommon executable or script file was created, written, or renamed by a web server process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Webshell AnalyticsAttacker's goals: Gain the ability to execute commands on the host and establish persistence.Investigative actions: Review web server access logs for suspicious requests or uploads. Inspect the dropped file to determine whether it contains malicious content.Variations
A driver was written by a web server process
Low overridden
An uncommon driver file was created, written, or renamed by a web server process. overridden
Executable or Script file written by a web server process in an internet facing server
Low overridden
An uncommon executable or script file was created, written, or renamed by a web server process. overridden
Executable or Script file written by a web server process with connections from various sources and high web traffic
Low overridden
An uncommon executable or script file was created, written, or renamed by a web server process. overridden
Possible webshell file written by a web server process Low 3 variations
An uncommon file with a web file extension was created, written or renamed by a web server process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Webshell AnalyticsAttacker's goals: Gaining the ability to execute commands on the host, as well as persistence.Investigative actions: Investigate the web server access logs for suspicious behavior. Check if the dropped file contains malicious content.Variations
Possible webshell file written by a node web server process
Informational overridden
An uncommon file with a web file extension was created, written or renamed by a web server process. overridden
Possible webshell file written by a web server process in an internet facing server
Low overridden
An uncommon file with a web file extension was created, written or renamed by a web server process. overridden
Possible webshell file written by a web server process with connections from various sources and high web traffic
Low overridden
An uncommon file with a web file extension was created, written or renamed by a web server process. overridden
Suspicious HTTP parameters detected Medium
The endpoint received suspicious HTTP parameters via an HTTP request, which may indicate attempts to exploit server components or web shell activity.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentDetector tags: Webshell AnalyticsAttacker's goals: Attackers may exploit server components or misconfigurations to access arbitrary sensitive files on the web server.Investigative actions: Inspect the legitimacy of the URI path and the parameters values sent to the server. Ensure that the rare URI is not a legitimate result of routine development actions on the web server.Uncommon jsp file write by a Java process Medium
An uncommon jsp file was written by a Java process.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Server Software Component: Web Shell (T1505.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Persistence on the host.Investigative actions: Check if the file was added during regular java process actions. Check if the jsp file contains malicious content.Web server CGO executed a process following a potential Webshell dropped Informational
A process was executed by a web server CGO following a potential drop of a webshell file.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 4 Hours
- Deduplication:
- 1 Day
ATT&CK tactics: Persistence (TA0003)ATT&CK techniques: Server Software Component: Web Shell (T1505.003)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Webshell AnalyticsAttacker's goals: Gaining the ability to execute commands on the host, as well as persistence.Investigative actions: Investigate the web server access logs for suspicious behavior. Check if the dropped file contains malicious content.Web server CGO executed an uncommon process Informational 1 variation
An uncommon process was executed by a web server CGO, which might indicate a Webshell activity or a web server exploit.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Initial Access (TA0001) Persistence (TA0003)ATT&CK techniques: External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)Required data: XDR AgentDetector tags: Webshell AnalyticsAttacker's goals: Gaining the ability to execute commands on the host, as well as persistence.Investigative actions: Investigate the web server access logs for suspicious behavior. Check if the executed process is malicious or executes a suspicious action.Variations
Web server CGO executed a LOLBIN process with direct IP in the command line
High overridden
A LOLBIN process with a direct IP in the command line was executed by a web server CGO, which might indicate a Webshell activity or a web server exploit. overridden