Detecting web shells via process hierarchy tracing
Web shells remain one of the most common backdoors deployed after a web application vulnerability is exploited. They allow attackers to run arbitrary system shell commands via HTTP requests. Standard signature scanners fail when attackers obfuscate their payloads.
When a PHP, Node.js, or Java application is compromised, the exploit code typically runs within the context of the web server process. Once the attacker attempts to explore the server filesystem, they must invoke shell binaries like `/bin/bash` or `/bin/sh` to carry out instructions.
Process Lineage Tracking
Instead of inspecting application source code, AncileBase monitors the process execution lineage. In a standard setup, a web server process (like nginx or Apache) should never spawn a shell command interpreter (such as `/bin/sh` or `/bin/bash`).
We trace parent-child process relationships recursively. When a binary execution is detected, the agent checks the ancestry. If the command originates from a parent associated with a web service daemon, the event represents abnormal web shell activity.
Immediate Web Shell Flagging
If a shell interpreter process is spawned whose parent is a web server or worker daemon, AncileBase immediately raises a Web Shell Spawn alert. This behavioral signature is independent of the payload, so obfuscating the web shell code does not help it evade detection.
It doesn't matter if the web shell payload was encrypted, stored in memory, or obfuscated through complex syntax. The moment the operating system syscall is invoked to spawn a shell binary, our eBPF monitor flags the hierarchy, catching the threat instantly.
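The lineage check described above, as an added example that is not AncileBase's own code: it walks a constructed process table (pid, ppid, command name) from each shell process up to the root and alerts when a web daemon appears anywhere in the chain, so a shell reached through an intermediate `sh -c` is caught as well as a direct child. The daemon and shell name sets are assumptions to tune per host; a real agent would take the same fields from eBPF exec events or /proc.

```python
# Hypothetical web daemon / shell names; tune these per host.
WEB_DAEMONS = {"nginx", "apache2", "httpd", "php-fpm", "node", "java"}
SHELLS = {"sh", "bash", "dash", "zsh"}

# Constructed sample table {pid: (ppid, comm)}: a php-fpm worker (1201)
# spawns sh, which spawns bash; an sshd session (2001) spawns a benign bash.
PROCS = {
    1: (0, "systemd"),
    1200: (1, "php-fpm"),
    1201: (1200, "php-fpm"),
    1300: (1201, "sh"),
    1301: (1300, "bash"),
    2000: (1, "sshd"),
    2001: (2000, "sshd"),
    2002: (2001, "bash"),
}


def ancestry(procs, pid):
    """Return [pid, parent, grandparent, ...] up to the root, guarding against cycles."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = procs[pid][0]
    return chain


def web_shell_spawn(procs, pid):
    """If pid is a shell with a web daemon among its ancestors, return the
    (ancestor_pid, ancestor_comm) that caused the alert; otherwise None."""
    if procs[pid][1] not in SHELLS:
        return None
    for anc in ancestry(procs, pid)[1:]:
        comm = procs[anc][1]
        if comm in WEB_DAEMONS:
            return (anc, comm)
    return None


def scan(procs):
    """Check every process; return {shell_pid: (ancestor_pid, ancestor_comm)} for alerts."""
    alerts = {}
    for pid in procs:
        hit = web_shell_spawn(procs, pid)
        if hit:
            alerts[pid] = hit
    return alerts
```

Applications that legitimately shell out (for example image conversion through `sh -c`) will trip this rule, so the daemon set and an allowlist of expected child commands need to be tuned per deployment.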
Operational Containment Options
Once flagged, AncileBase can be configured to block the execution path automatically. By sending SIGKILL to the spawned shell process, we stop command execution before the attacker can download secondary payloads or run filesystem manipulation commands.
Observability in minutes, not days.
Install a single binary to begin capturing security events and receiving real-time alerts.