Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 1 Day
Required Data |
Detection Modules |
Detector Tags |
ATT&CK Tactic |
ATT&CK Technique |
Severity | Informational
Description
An uncommon executable or script file was created, written or renamed by a web server process.
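The following added example (not the vendor's detection logic) shows one way to flag such writes from file-event telemetry, using the 30-day training and 1-day deduplication periods from the synopsis. The process list, extension list, event field names, and the reading of "uncommon" as a (host, process, extension) combination not seen during training are all assumptions.

```python
from datetime import datetime, timedelta

# All names below are assumptions for illustration, not the product's own lists.
WEB_PROCS = {"w3wp.exe", "httpd", "nginx", "apache2", "php-fpm"}
RISKY_EXTS = {".exe", ".dll", ".sys", ".ps1", ".bat", ".aspx", ".php", ".jsp", ".sh"}
ACTIONS = {"create", "write", "rename"}
TRAINING, DEDUP = timedelta(days=30), timedelta(days=1)

def ext_of(path):
    """Lower-cased extension of a Windows or POSIX path ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""

def detect(events):
    """Return time-sorted events that are uncommon for (host, process, extension)."""
    if not events:
        return []
    training_end = events[0]["time"] + TRAINING
    baseline, last_alert, alerts = set(), {}, []
    for ev in events:
        key = (ev["host"], ev["process"].lower(), ext_of(ev["path"]))
        if key[1] not in WEB_PROCS or key[2] not in RISKY_EXTS or ev["action"] not in ACTIONS:
            continue
        if ev["time"] < training_end:
            baseline.add(key)  # training period: learn what is normal, never alert
        elif key not in baseline and ev["time"] - last_alert.get(key, datetime.min) >= DEDUP:
            last_alert[key] = ev["time"]  # deduplicate: one alert per key per day
            alerts.append(ev)
    return alerts

T0 = datetime(2024, 1, 1)  # constructed sample events, not real telemetry
def _ev(days, hours, process, action, path):
    return {"time": T0 + timedelta(days=days, hours=hours), "host": "web01",
            "process": process, "action": action, "path": path}

SAMPLE = [
    _ev(2, 0, "w3wp.exe", "write", r"C:\inetpub\temp\App_Web_a1.dll"),       # baseline
    _ev(40, 0, "w3wp.exe", "write", r"C:\inetpub\temp\App_Web_b2.dll"),      # common
    _ev(40, 1, "w3wp.exe", "create", r"C:\inetpub\wwwroot\uploads\img.aspx"),   # alert
    _ev(40, 3, "w3wp.exe", "rename", r"C:\inetpub\wwwroot\uploads\img2.aspx"),  # deduplicated
    _ev(41, 0, "notepad.exe", "write", r"C:\Users\admin\fix.ps1"),           # not a web server
    _ev(41, 0, "w3wp.exe", "write", r"C:\inetpub\logs\u_ex240211.log"),      # not a script
    _ev(42, 2, "w3wp.exe", "create", r"C:\inetpub\wwwroot\uploads\img3.aspx"),  # alert
]
ALERTS = detect(SAMPLE)
```

Each returned event is a starting point for the investigative actions below: correlate its timestamp with the access log and inspect the written file.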
Attacker's Goals
Gaining the ability to execute commands on the host, as well as persistence.
Investigative actions
- Investigate the web server access logs for suspicious behavior.
- Check if the dropped file contains malicious content.
Variations
The driver file written by web server process
Executable or Script file written by web server process in an internet facing server
Executable or Script file written by web server process with connections from various sources and high web traffic