A web server worker process (w3wp.exe for IIS, httpd.exe for Apache) spawning a shell, a script host, or a reconnaissance utility is a classic sign of a web shell or an exploited web application, and may indicate initial compromise or lateral movement by an adversary. SOC teams should proactively hunt for this behavior in Azure Sentinel (now Microsoft Sentinel) to identify potential command-and-control activity or unauthorized process execution on the web tier.
KQL Query

```kusto
DeviceProcessEvents
| where Timestamp > ago(7d)
// Web server worker processes. Add 'sqlservr.exe' here to also catch xp_cmdshell abuse (noisier).
| where InitiatingProcessFileName in~ ('w3wp.exe', 'httpd.exe')
// Script hosts, initial profiling commands, and admin commands (ipconfig/sc are named in the description).
| where FileName in~ ('cmd.exe', 'powershell.exe', 'cscript.exe', 'wscript.exe', 'net.exe', 'net1.exe', 'ping.exe', 'whoami.exe', 'ipconfig.exe', 'sc.exe')
| summarize instances = count() by ProcessCommandLine, FolderPath, DeviceName, DeviceId
| order by instances asc // rarest command lines first
```
id: 1a9dfc1d-6dd2-42e5-81ef-fb90f3d96239
name: Webserver Executing Suspicious Applications
description: |
  This query looks for common webserver process names (w3wp.exe for IIS, httpd.exe for Apache) and identifies any
  child processes they launch that are scripting hosts (cmd, powershell, wscript, cscript), common initial
  profiling commands (net / net1 / whoami / ping / ipconfig), or admin commands (sc). Seeing this activity does not
  by itself mean you have a breach; review the results and narrow the where clauses to fit your specific web
  applications.
  Those who don't mind false positives should consider also adding database process names to the initiating
  process list (e.g. sqlservr.exe) to identify potential abuse of xp_cmdshell.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  // Web server worker processes. Add 'sqlservr.exe' here to also catch xp_cmdshell abuse (noisier).
  | where InitiatingProcessFileName in~ ('w3wp.exe', 'httpd.exe')
  | where FileName in~ ('cmd.exe', 'powershell.exe', 'cscript.exe', 'wscript.exe', 'net.exe', 'net1.exe', 'ping.exe', 'whoami.exe', 'ipconfig.exe', 'sc.exe')
  | summarize instances = count() by ProcessCommandLine, FolderPath, DeviceName, DeviceId
  | order by instances asc
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Populated by the Microsoft 365 Defender (MicrosoftThreatProtection) data connector; ensure it is enabled |
Scenario: Scheduled Job Running PowerShell Script for System Maintenance
Description: A legitimate scheduled task runs a PowerShell script to perform system updates or log cleanup.
Filter/Exclusion: A task started by the Task Scheduler service is not a child of w3wp.exe or httpd.exe, so it will not match this query unless the web application itself spawns it. Where it does, allowlist the specific, reviewed script path as it appears in ProcessCommandLine. Do not exclude by the interpreter's own directory (C:\Windows\System32\): cmd.exe and powershell.exe live there, so that exclusion would suppress every hit.
Scenario: Web Server Using PowerShell for Log Rotation
Description: The web server uses PowerShell to rotate and archive log files as part of routine operations.
Filter/Exclusion: Exclude command lines that reference the known rotation script and the known log directory (e.g., C:\inetpub\logs\LogFiles\). Match on ProcessCommandLine rather than FolderPath, since FolderPath is the location of powershell.exe, not of the script.
Scenario: Admin Performing Remote PowerShell Cmdlets for Configuration
Description: An administrator uses PowerShell remoting to configure the web server, such as updating IIS settings or applying security patches.
Filter/Exclusion: PowerShell remoting sessions run under the WinRM host process (wsmprovhost.exe), not under w3wp.exe, so they normally fall outside this query. If administrators trigger commands through the web application itself, exclude by the known admin AccountName or the known admin workstation rather than by the PowerShell binary.
Scenario: Web Server Using WScript to Run a Legacy Batch Script
Description: The web server uses WScript to run a legacy script for compatibility with older applications or services.
Filter/Exclusion: Exclude wscript.exe only when ProcessCommandLine contains a known script path in a known legacy directory (e.g., C:\LegacyApps\); do not exclude the wscript.exe process name on its own.
Scenario: Web Server Using CMD for Administrative Tasks (e.g., net use, net share)
Description: The web server uses CMD to perform administrative tasks such as mapping network drives or sharing folders for internal use.
Filter/Exclusion: Exclude processes that execute net commands from a known internal network or filter by the cmd.exe
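The filtering, summarize and ordering semantics of the hunt above, together with the script-path allowlisting the scenarios recommend, re-implemented in Python so they can be run offline over a handful of DeviceProcessEvents-shaped rows. This is an added example, not code from the original hunting query or from the Azure Sentinel repository; the sample rows, the device names and the allowlisted script paths (C:\inetpub\scripts\rotate-logs.ps1, C:\LegacyApps\*.vbs) are constructed for illustration, and only the columns the KQL touches are modelled.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch

# Same process lists as the KQL. Matching is case-insensitive, like `in~`.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe"}  # add "sqlservr.exe" to hunt xp_cmdshell abuse (noisier)
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe",
                       "net.exe", "net1.exe", "ping.exe", "whoami.exe", "ipconfig.exe", "sc.exe"}

# Hypothetical allowlist of reviewed maintenance scripts. It is keyed on the script path in the
# command line, NOT on the directory of the interpreter: cmd.exe and powershell.exe live in
# C:\Windows\System32, so excluding that folder would suppress every hit.
KNOWN_SCRIPT_GLOBS = [
    r"*c:\inetpub\scripts\rotate-logs.ps1*",   # scenario: log rotation
    r"*c:\legacyapps\*.vbs*",                  # scenario: legacy wscript job
]


def hunt(events, now, lookback=timedelta(days=7)):
    """Mirror of the KQL: time window, parent filter, child filter, summarize, order asc."""
    counts = Counter()
    for e in events:
        if e["Timestamp"] <= now - lookback:                         # Timestamp > ago(7d)
            continue
        if e["InitiatingProcessFileName"].lower() not in WEB_SERVER_PARENTS:
            continue
        if e["FileName"].lower() not in SUSPICIOUS_CHILDREN:
            continue
        key = (e["ProcessCommandLine"], e["FolderPath"], e["DeviceName"], e["DeviceId"])
        counts[key] += 1
    # Rarest first: a single whoami from w3wp.exe is more interesting than a nightly job.
    return sorted(counts.items(), key=lambda kv: kv[1])


def is_allowlisted(cmdline):
    """True when the command line references a known, reviewed script path."""
    return any(fnmatch(cmdline.lower(), g) for g in KNOWN_SCRIPT_GLOBS)


def triage(results):
    """Split hunt output into (suspicious, known_good) using the script-path allowlist."""
    suspicious = [(k, n) for k, n in results if not is_allowlisted(k[0])]
    known_good = [(k, n) for k, n in results if is_allowlisted(k[0])]
    return suspicious, known_good


def _row(ts, parent, child, cmdline, device):
    """Build one constructed DeviceProcessEvents row (only the columns the hunt uses)."""
    return {"Timestamp": ts, "InitiatingProcessFileName": parent, "FileName": child,
            "FolderPath": r"C:\Windows\System32" + "\\" + child,   # FolderPath is the binary, not the script
            "ProcessCommandLine": cmdline, "DeviceName": device, "DeviceId": "id-" + device.lower()}


NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)
# Constructed telemetry, not real events.
SAMPLE_EVENTS = [
    _row(NOW - timedelta(hours=1), "w3wp.exe", "cmd.exe", r"cmd.exe /c whoami", "WEB01"),
    _row(NOW - timedelta(hours=1), "w3wp.exe", "powershell.exe",
         r"powershell.exe -nop -w hidden -enc SQBFAFgA", "WEB01"),                       # web-shell style
    _row(NOW - timedelta(days=10), "w3wp.exe", "cmd.exe", r"cmd.exe /c net user", "WEB02"),   # outside 7d
    _row(NOW - timedelta(hours=2), "explorer.exe", "cmd.exe", r"cmd.exe", "WS01"),            # not a web server
    _row(NOW, "httpd.exe", "wscript.exe", r"wscript.exe C:\LegacyApps\fixup.vbs", "WEB03"),
] + [
    _row(NOW - timedelta(days=d), "w3wp.exe", "powershell.exe",
         r"powershell.exe -File C:\inetpub\scripts\rotate-logs.ps1", "WEB01")
    for d in (1, 2, 3)  # nightly log rotation: three identical rows collapse into one result line
]

if __name__ == "__main__":
    suspicious, known_good = triage(hunt(SAMPLE_EVENTS, NOW))
    for (cmd, _path, dev, _id), n in suspicious:
        print(f"REVIEW  {n:>3}  {dev}  {cmd}")
    for (cmd, _path, dev, _id), n in known_good:
        print(f"allow   {n:>3}  {dev}  {cmd}")
```

Run stand-alone it prints the whoami and encoded-PowerShell hits as REVIEW and the two allowlisted jobs as allow; the ten-day-old `net user` and the explorer.exe-spawned cmd.exe never reach the results, exactly as the `ago(7d)` and `InitiatingProcessFileName` clauses drop them in KQL. The allowlist deliberately lives in `triage`, not in `hunt`: keeping the raw hunt untouched and applying exclusions afterwards makes it easy to audit what each exclusion is hiding.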