MITRE ATT&CK® Analytic

AN0220: Analytic 0220

Adversary exploits Apache/Nginx/app servers. Chain: (1) suspicious requests in access logs → (2) spike of 5xx or WAF blocks → (3) web server or interpreter (apache2/nginx/php-fpm/node/python) spawns /bin/sh, curl, wget, socat, or writes webshell → (4) outbound callback.

Enterprise | AN0220 | Analytic | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

AN0220 is a Linux-focused detection analytic for suspected exploitation of Apache, Nginx, or application servers. Its business value is that it connects early web-facing warning signs—suspicious access-log requests, 5xx errors or WAF blocks, unexpected child processes, webshell writes, and outbound callbacks—into one incident decision path. For leaders, this matters because internet-facing web infrastructure often sits on critical customer, employee, or partner workflows, and missed exploitation can quickly become a continuity, data exposure, or incident-response problem.

Executive priority

Prioritize this as a validation item for organizations running Linux web servers or application stacks. Executives should ask whether teams can correlate web access logs, WAF signals, Linux process activity, file-write events, and outbound network connections quickly enough to confirm or rule out compromise. The control decision is less about one signature and more about whether SOC and IR teams have joined-up evidence across web, endpoint, and network layers for public-facing services.

Technical view

The supplied ATT&CK analytic describes a chain: suspicious web requests, followed by increased 5xx responses or WAF blocks, followed by apache2/nginx/php-fpm/node/python spawning shells or tools such as curl, wget, or socat, or writing a webshell, followed by outbound callback behavior. SOC teams should validate correlation across these stages on Linux servers. Detection engineering should focus on abnormal parent-child process relationships from web server or interpreter processes, suspicious file writes in web-accessible paths, web error and WAF bursts, and outbound connections temporally linked to suspicious requests.

Likely telemetry

  • Linux process creation telemetry with parent-child process details
  • Apache, Nginx, and application server access logs
  • HTTP status-code trends, especially 5xx spikes
  • WAF alert and block logs
  • File creation or modification telemetry for web directories and application paths

Detection direction

  • Validate that web, endpoint, and network telemetry can be correlated by host and time window; the analytic depends on chaining weak signals rather than one standalone event.
  • Tune for web server or interpreter processes spawning /bin/sh or network utilities, while accounting for legitimate administrative scripts and deployment automation.
  • Review 5xx and WAF-block spikes in context; high error volume alone can be noisy without process, file-write, or outbound-callback evidence.
  • Confirm visibility into file writes in web-accessible directories, since webshell placement may be missed if only access logs are collected.
  • Use outbound connections from web servers as a triage pivot, especially when they occur shortly after suspicious requests or unexpected process creation.
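To show how the chain above can be checked as one correlation rather than four standalone alerts, here is an added Python example (not MITRE's or Glexia's code) that maps normalized events to the analytic's stages and alerts only when at least three stages first appear in chain order on the same host within a time window. The event schema, the SUSPICIOUS_URI patterns, the /var/www/ webroot and the sample telemetry are constructed assumptions.

```python
from collections import defaultdict
# Process names come from the analytic's chain; SUSPICIOUS_URI is a constructed placeholder heuristic.
WEB_PARENTS = {"apache2", "nginx", "php-fpm", "node", "python"}
SHELL_OR_TOOLS = {"sh", "bash", "curl", "wget", "socat"}
SUSPICIOUS_URI = ("../", "cmd=", "${")
def stages_for(ev):
    """Map one normalized telemetry event to the set of analytic stages (1-4) it satisfies."""
    hit, t = set(), ev["type"]
    if t == "http":
        if any(m in ev["uri"] for m in SUSPICIOUS_URI):
            hit.add(1)                                   # (1) suspicious request in access log
        if ev["status"] >= 500 or ev.get("waf") == "block":
            hit.add(2)                                   # (2) 5xx or WAF block
    elif t == "process" and ev["parent"] in WEB_PARENTS and ev["image"] in SHELL_OR_TOOLS:
        hit.add(3)                                       # (3) web/interpreter process spawns shell or tool
    elif t == "file_write" and ev["proc"] in WEB_PARENTS and ev["path"].startswith("/var/www/"):
        hit.add(3)                                       # (3) webshell-style write under the webroot (assumed path)
    elif t == "netconn" and ev["proc"] in WEB_PARENTS | SHELL_OR_TOOLS:
        hit.add(4)                                       # (4) outbound callback from web process or tool
    return hit

def correlate(events, window=900, min_stages=3):
    """Return {host: [stages]}: >= min_stages stages first seen in chain order within `window` seconds."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):    # ts = seconds since an arbitrary epoch
        by_host[ev["host"]].extend((ev["ts"], s) for s in sorted(stages_for(ev)))
    alerts = {}
    for host, hits in by_host.items():
        for i, (t0, s0) in enumerate(hits):              # try each hit as the start of a chain
            first_seen = {s0: t0}
            for t, s in hits[i + 1:]:
                if t - t0 > window:
                    break
                first_seen.setdefault(s, t)              # keep the earliest time per stage
            chain = sorted(first_seen, key=first_seen.get)
            if len(chain) >= min_stages and chain == sorted(chain):   # stages appeared in 1->4 order
                alerts[host] = chain
                break
    return alerts

# Constructed sample telemetry (not real logs): web01 shows the full chain, web02 only 5xx noise.
SAMPLE = [
    {"ts": 1, "host": "web01", "type": "http", "uri": "/index.php?cmd=id", "status": 200},
    {"ts": 5, "host": "web01", "type": "http", "uri": "/api/upload", "status": 500},
    {"ts": 40, "host": "web01", "type": "process", "parent": "php-fpm", "image": "sh"},
    {"ts": 70, "host": "web01", "type": "netconn", "proc": "curl", "dst": "203.0.113.9:443"},
    {"ts": 2, "host": "web02", "type": "http", "uri": "/health", "status": 503},
    {"ts": 3, "host": "web02", "type": "netconn", "proc": "python", "dst": "203.0.113.9:443"},
]
```

Running `correlate(SAMPLE)` flags only web01; web02's 503 plus an outbound connection stays below the three-stage threshold, which is the noise case the bullets above warn about.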

Mitigation priorities

  • Inventory Linux Apache, Nginx, and application servers that are internet-facing or business-critical.
  • Ensure centralized collection of web access logs, WAF events, Linux process telemetry, file-write telemetry, and outbound network logs for those systems.
  • Harden web and application server execution paths so service accounts have only required permissions and limited ability to write executable content.
  • Restrict and monitor outbound network access from web servers to reduce callback opportunities and improve investigation fidelity.
  • Prepare IR runbooks for suspected web server exploitation, including evidence preservation for logs, process history, modified files, and outbound connections.

Analyst notes and limits

This object is a detection analytic, not a technique or group profile. No tactics or relationships were supplied, so the take is framed around the official analytic chain and the Linux platform only. The strongest operational use is as a coverage test for public-facing web server monitoring and incident triage workflows.

Official detection text and relationship context were not provided. The analytic does not identify specific vulnerabilities, products beyond Apache/Nginx/app servers, adversary groups, or active exploitation. Local baselining is required to distinguish malicious behavior from legitimate administration, deployment tooling, health checks, and application errors.

Official MITRE ATT&CK definition

Analytic 0220

Adversary exploits Apache/Nginx/app servers. Chain: (1) suspicious requests in access logs → (2) spike of 5xx or WAF blocks → (3) web server or interpreter (apache2/nginx/php-fpm/node/python) spawns /bin/sh, curl, wget, socat, or writes webshell → (4) outbound callback.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: f7db35d797ce1a3b...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  f7db35d797ce…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack AN0220 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.