Web server CGO executed an uncommon process

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2025-06-24
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

Webshell Analytics

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

An uncommon process was executed by a web server CGO, which might indicate webshell activity or a web server exploit.

Attacker's Goals

Gaining the ability to execute commands on the host, as well as persistence.

Investigative actions

  • Investigate the web server access logs for suspicious behavior.
  • Check if the executed process is malicious or executes a suspicious action.

Variations

Web server CGO executed a LOLBIN process with direct IP in the command line

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

High

Description

A LOLBIN process with a direct IP in the command line was executed by a web server CGO, which might indicate webshell activity or a web server exploit.

Attacker's Goals

Gaining the ability to execute commands on the host, as well as persistence.

Investigative actions

  • Investigate the web server access logs for suspicious behavior.
  • Check if the executed process is malicious or executes a suspicious action.
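The two tiers described on this page (an uncommon child process of a web server CGO, i.e. causality group owner, and a LOLBIN child with a literal IP address in its command line), as an added example of the detection logic; this is not Cortex XSIAM code and does not use its schema. The event field names, the web server and LOLBIN image lists, the training-period baseline and the sample events are all constructed for the example.

```python
import ipaddress
import re
from typing import List, Optional, Set, Tuple

# Assumed sets, not Cortex's: images treated as web server CGOs and as LOLBINs.
WEB_SERVER_CGOS = {"w3wp.exe", "httpd", "nginx", "apache2"}
LOLBINS = {"certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "curl", "wget"}

# Constructed baseline of (cgo, child image) pairs seen during the training period.
BASELINE: Set[Tuple[str, str]] = {("httpd", "php-fpm"), ("w3wp.exe", "conhost.exe")}

# Constructed process-creation events (TEST-NET addresses, not real hosts).
EVENTS = [
    {"cgo": "w3wp.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"cgo": "httpd", "image": "curl", "cmdline": "curl -s http://198.51.100.23/"},
    {"cgo": "httpd", "image": "php-fpm", "cmdline": "php-fpm --nodaemonize"},
    {"cgo": "explorer.exe", "image": "curl", "cmdline": "curl http://198.51.100.23/"},
]

# Four dot-separated numeric groups not glued to other word characters or dots.
IPV4_RE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")


def has_direct_ip(cmdline: str) -> bool:
    """True when the command line carries a literal, valid IPv4 address."""
    for match in IPV4_RE.finditer(cmdline):
        try:
            ipaddress.IPv4Address(match.group(1))  # rejects octets above 255
            return True
        except ValueError:
            continue
    return False


def classify(event: dict, baseline: Set[Tuple[str, str]]) -> Optional[str]:
    """Return the severity to raise for one event, or None when nothing fires.

    Mirrors the page's two tiers: a LOLBIN child with a direct IP is High,
    any other child not seen in the baseline is Informational."""
    cgo, image = event["cgo"].lower(), event["image"].lower()
    if cgo not in WEB_SERVER_CGOS:
        return None  # only children of a web server CGO are in scope
    if image in LOLBINS and has_direct_ip(event["cmdline"]):
        return "High"
    if (cgo, image) not in baseline:
        return "Informational"
    return None


def run(events: List[dict], baseline: Set[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Evaluate every event and return (child image, severity) for those that alert."""
    return [(e["image"], sev) for e in events if (sev := classify(e, baseline))]
```

Running `run(EVENTS, BASELINE)` alerts on `cmd.exe` (Informational) and `curl` (High); the baselined `php-fpm` child and the non-web-server `explorer.exe` parent produce nothing.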