
detect-suspicious-commands-initiated-by-web-server-processes

Language: KQL · Severity: MEDIUM · Source: Azure-Sentinel
Table: DeviceProcessEvents
Tags: backdoor, hunting, microsoft, official
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-09T23:00:01Z · Confidence: medium

Hunt Hypothesis

Web server processes (w3wp.exe, beasvc.exe, httpd.exe or a Tomcat process, as parent or grandparent) that spawn cmd.exe or powershell.exe to run discovery commands may indicate an adversary using compromised server infrastructure to exfiltrate data or establish persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or data exfiltration attempts originating from trusted web services.

KQL Query

// Suspicious commands launched by web server processes
DeviceProcessEvents
| where Timestamp > ago(7d)
// Pivoting on parents or grandparents; in~ and startswith are case-insensitive,
// so mixed-case image names (W3WP.EXE) are still caught
    and (InitiatingProcessParentFileName in~ ("w3wp.exe", "beasvc.exe", "httpd.exe")
        or InitiatingProcessParentFileName startswith "tomcat"
        or InitiatingProcessFileName in~ ("w3wp.exe", "beasvc.exe", "httpd.exe")
        or InitiatingProcessFileName startswith "tomcat")
    and FileName in~ ('cmd.exe', 'powershell.exe')
// Discovery / staging indicators in the command line (has = whole-term match)
| where ProcessCommandLine contains '%temp%'
    or ProcessCommandLine has 'wget'
    or ProcessCommandLine has 'whoami'
    or ProcessCommandLine has 'certutil'
    or ProcessCommandLine has 'systeminfo'
    or ProcessCommandLine has 'ping'
    or ProcessCommandLine has 'ipconfig'
    or ProcessCommandLine has 'timeout'
// One row per device: time span, hit count, and the distinct command lines
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Events = count(),
    take_any(FileName), make_set(ProcessCommandLine), take_any(InitiatingProcessFileName),
    take_any(InitiatingProcessParentFileName) by DeviceId
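To make the query's logic testable away from a Sentinel workspace, here is an added example (not code from the Azure-Sentinel repository) that re-implements both `where` stages and the `summarize ... by DeviceId` step in Python and runs them over constructed DeviceProcessEvents-style records. It assumes a fixed reference time `NOW` in place of `ago(7d)`, and `kql_has()` is only an approximation of KQL's term-based `has` operator (whole alphanumeric term, case-insensitive); every sample event and command line is constructed for the example, with the expected verdict noted beside it.

```python
# Added example, not code from the Azure-Sentinel repository: a Python
# re-implementation of the hunting query's filter and summarize stages, run
# over constructed DeviceProcessEvents-style records so the rule's intent can
# be unit-tested offline. kql_has() only approximates KQL `has` term matching.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WEB_SERVERS = {"w3wp.exe", "beasvc.exe", "httpd.exe"}   # plus any name starting with "tomcat"
SHELLS = {"cmd.exe", "powershell.exe"}
HAS_TERMS = ("wget", "whoami", "certutil", "systeminfo", "ping", "ipconfig", "timeout")
CONTAINS_SUBSTRING = "%temp%"
LOOKBACK = timedelta(days=7)

NOW = datetime(2026, 5, 9, 23, 0, tzinfo=timezone.utc)  # constructed reference time standing in for ago(7d)


def is_web_server(name):
    """Mirror `in~ (...)` / `startswith`, both case-insensitive in KQL."""
    n = (name or "").lower()
    return n in WEB_SERVERS or n.startswith("tomcat")


def kql_has(text, term):
    """Approximate KQL `has`: case-insensitive match on a whole alphanumeric term,
    so 'ping' matches 'ping 10.0.0.1' but not 'mapping'."""
    pattern = r"(?<![0-9a-z])" + re.escape(term.lower()) + r"(?![0-9a-z])"
    return re.search(pattern, text.lower()) is not None


def matches(event, now=NOW):
    """Return True if the event would pass both `where` stages of the query."""
    if not event["Timestamp"] > now - LOOKBACK:
        return False
    # Pivot on the parent (InitiatingProcessFileName) or grandparent
    # (InitiatingProcessParentFileName) being a web server process.
    if not (is_web_server(event["InitiatingProcessFileName"])
            or is_web_server(event["InitiatingProcessParentFileName"])):
        return False
    if event["FileName"].lower() not in SHELLS:
        return False
    cmd = event["ProcessCommandLine"]
    return CONTAINS_SUBSTRING in cmd.lower() or any(kql_has(cmd, t) for t in HAS_TERMS)


def summarize(events, now=NOW):
    """Mirror `summarize ... by DeviceId`: one row per device with the time span,
    hit count and the set of matching command lines."""
    rows = defaultdict(lambda: {"FirstSeen": None, "LastSeen": None, "Count": 0, "CommandLines": set()})
    for e in events:
        if not matches(e, now):
            continue
        r = rows[e["DeviceId"]]
        ts = e["Timestamp"]
        r["FirstSeen"] = ts if r["FirstSeen"] is None else min(r["FirstSeen"], ts)
        r["LastSeen"] = ts if r["LastSeen"] is None else max(r["LastSeen"], ts)
        r["Count"] += 1
        r["CommandLines"].add(e["ProcessCommandLine"])
    return dict(rows)


def _ev(device, age, parent, grandparent, fname, cmd):
    return {"DeviceId": device, "Timestamp": NOW - age,
            "InitiatingProcessFileName": parent, "InitiatingProcessParentFileName": grandparent,
            "FileName": fname, "ProcessCommandLine": cmd}


# Constructed sample events (not real telemetry); comments state the expected verdict.
SAMPLE_EVENTS = [
    _ev("dev-a", timedelta(hours=1), "w3wp.exe", "svchost.exe", "cmd.exe", "cmd.exe /c whoami"),        # match
    _ev("dev-b", timedelta(hours=2), "cmd.exe", "tomcat9.exe", "powershell.exe",
        "powershell.exe -c ipconfig /all"),                                                               # match via grandparent
    _ev("dev-a", timedelta(hours=3), "w3wp.exe", "svchost.exe", "cmd.exe", "cmd.exe /c echo mapping"),  # 'ping' inside 'mapping': no match
    _ev("dev-c", timedelta(hours=4), "explorer.exe", "userinit.exe", "cmd.exe", "cmd.exe /c whoami"),   # no web server lineage: no match
    _ev("dev-c", timedelta(days=10), "httpd.exe", "services.exe", "cmd.exe", "cmd.exe /c systeminfo"),  # outside 7-day window: no match
    _ev("dev-a", timedelta(minutes=30), "W3WP.EXE", "svchost.exe", "PowerShell.exe",
        r"powershell.exe -File %TEMP%\stage.ps1"),                                                        # mixed case + %temp%: match
]


def run_hunt():
    """Run the whole pipeline over the constructed sample; returns rows keyed by DeviceId."""
    return summarize(SAMPLE_EVENTS)


if __name__ == "__main__":
    for device, row in run_hunt().items():
        print(device, row["Count"], row["FirstSeen"].isoformat(), sorted(row["CommandLines"]))
```

The sample deliberately includes the cases that most often confuse rule tuning: a hit reached only through the grandparent pivot, a near-miss where `ping` appears inside another word (KQL `has` will not match it, whereas `contains` would), a hit from a non-web-server parent that the lineage check must drop, an event outside the seven-day window, and mixed-case image names that only a case-insensitive comparison catches.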

Analytic Rule Definition

id: 7fdc5f4a-700d-4713-abfc-181f02968726
name: detect-suspicious-commands-initiated-by-web-server-processes
description: |
  This query was originally published in the threat analytics report, Operation Soft Cell.
  Operation Soft Cell is a series of campaigns targeting users' call logs at telecommunications providers throughout the world. These attacks date from as early as 2012.
  Operation Soft Cell operators sometimes use legitimate web server processes to launch commands, especially for network discovery and user/owner discovery. The following query detects activity of this kind.
  Reference - https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
tactics:
- Execution
- Defense evasion
- Discovery
query: |
  // Suspicious commands launched by web server processes
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  // Pivoting on parents or grandparents; in~ and startswith are case-insensitive,
  // so mixed-case image names (W3WP.EXE) are still caught
      and (InitiatingProcessParentFileName in~ ("w3wp.exe", "beasvc.exe", "httpd.exe")
          or InitiatingProcessParentFileName startswith "tomcat"
          or InitiatingProcessFileName in~ ("w3wp.exe", "beasvc.exe", "httpd.exe")
          or InitiatingProcessFileName startswith "tomcat")
      and FileName in~ ('cmd.exe', 'powershell.exe')
  // Discovery / staging indicators in the command line (has = whole-term match)
  | where ProcessCommandLine contains '%temp%'
      or ProcessCommandLine has 'wget'
      or ProcessCommandLine has 'whoami'
      or ProcessCommandLine has 'certutil'
      or ProcessCommandLine has 'systeminfo'
      or ProcessCommandLine has 'ping'
      or ProcessCommandLine has 'ipconfig'
      or ProcessCommandLine has 'timeout'
  // One row per device: time span, hit count, and the distinct command lines
  | summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Events = count(),
      take_any(FileName), make_set(ProcessCommandLine), take_any(InitiatingProcessFileName),
      take_any(InitiatingProcessParentFileName) by DeviceId

Required Data Sources

Sentinel Table: DeviceProcessEvents
Notes: Ensure this data connector (MicrosoftThreatProtection) is enabled

MITRE ATT&CK Context

Tactics listed in the rule definition: Execution, Defense Evasion, Discovery

References

https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Discovery/detect-suspicious-commands-initiated-by-web-server-processes.yaml