SigmaHQ/rules/windows/sysmon/sysmon_webshell_detection.yml

33 lines
768 B
YAML
Raw Normal View History

title: Webshell Detection With Command Line Keywords
2018-07-16 21:13:24 +00:00
description: Detects certain command line parameters often used during reconnaissance activity via web shells
author: Florian Roth
logsource:
product: windows
service: sysmon
2017-02-10 18:17:02 +00:00
detection:
selection:
EventID: 1
ParentImage:
- '*\apache*'
- '*\tomcat*'
- '*\w3wp.exe'
- '*\php-cgi.exe'
- '*\nginx.exe'
- '*\httpd.exe'
CommandLine:
- 'whoami'
- 'net user'
- 'ping -n'
- 'systeminfo'
2017-02-10 18:17:02 +00:00
condition: selection
2017-09-12 21:54:04 +00:00
fields:
- CommandLine
- ParentCommandLine
2018-08-07 06:49:05 +00:00
tags:
- attack.privilege_escalation
- attack.persistence
- attack.t1100
2017-02-10 18:17:02 +00:00
falsepositives:
- unknown
2017-02-16 17:02:26 +00:00
level: high