SigmaHQ/rules/windows/process_creation/win_webshell_detection.yml

title: Webshell Detection With Command Line Keywords
id: bed2a484-9348-4143-8a8a-b801c979301c
description: Detects certain command line parameters often used during reconnaissance activity via web shells
author: Florian Roth, Jonhnathan Ribeiro, Anton Kutepov, oscd.community
references:
    - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
    - https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
date: 2017/01/01
modified: 2021/03/02
tags:
    - attack.persistence
    - attack.t1505.003
    - attack.t1018
    - attack.t1033
    - attack.t1087
    - attack.privilege_escalation       # an old one
    - attack.t1100      # an old one
logsource:
    category: process_creation
    product: windows
detection:
    parent_is_web_server_process:
        - ParentImage|endswith:
            - '\w3wp.exe'
            - '\php-cgi.exe'
            - '\nginx.exe'
            - '\httpd.exe'
        - ParentImage|contains:
            - '\apache'
            - '\tomcat'
    net_utility:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
        CommandLine|contains:
            - ' user '
            - ' use '
            - ' group '
    ping_utility:
        Image|endswith: '\ping.exe'
        CommandLine|contains: ' -n '
    change_dir:
        CommandLine|contains:
            - '&cd&echo'  # china chopper web shell
            - 'cd /d '  # https://www.computerhope.com/cdhlp.htm
    wmic_utility:
        Image|endswith: '\wmic.exe'
        CommandLine|contains: ' /node:' 
    misc_discovery_binaries:
        Image|endswith:
            - '\whoami.exe'
            - '\systeminfo.exe'
            - '\quser.exe'
            - '\ipconfig.exe' 
            - '\pathping.exe' 
            - '\tracert.exe' 
            - '\netstat.exe' 
            - '\schtasks.exe' 
            - '\vssadmin.exe' 
            - '\wevtutil.exe' 
            - '\tasklist.exe' 
    misc_discovery_commands:
        CommandLine|contains:
            - ' Test-NetConnection '
            - 'dir \'  # remote dir: dir \<redacted IP #3>\C$:\windows\temp\*.exe
    condition: parent_is_web_server_process and (net_utility or ping_utility or change_dir or wmic_utility or misc_discovery_binaries or misc_discovery_commands)
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - unknown
level: high
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`title: Webshell Detection With Command Line Keywords`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: bed2a484-9348-4143-8a8a-b801c979301c`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`description: Detects certain command line parameters often used during reconnaissance activity via web shells`
Merge branch 'oscd' B B B B A 2021-03-02 19:48:55 +00:00			`author: Florian Roth, Jonhnathan Ribeiro, Anton Kutepov, oscd.community`
Added missed changes in win_net_ntlm_downgrade and merged duplicate rules 2021-03-02 20:34:34 +00:00			`references:`
rule: webshell detection improved 2019-10-26 07:14:48 +00:00			`- https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html`
Add xHunt Campaign: BumbleBee Webshell add commands and TTP from https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/ 2021-01-11 18:44:07 +00:00			`- https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/`
rule: webshell detection improved 2019-10-26 07:14:48 +00:00			`date: 2017/01/01`
Merge branch 'oscd' B B B B A 2021-03-02 19:48:55 +00:00			`modified: 2021/03/02`
rule: webshell detection improved 2019-10-26 07:14:48 +00:00			`tags:`
			`- attack.persistence`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`- attack.t1505.003`
Add xHunt Campaign: BumbleBee Webshell add commands and TTP from https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/ 2021-01-11 18:44:07 +00:00			`- attack.t1018`
Update win_webshell_detection.yml 2021-01-11 20:08:20 +00:00			`- attack.t1033`
Add xHunt Campaign: BumbleBee Webshell add commands and TTP from https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/ 2021-01-11 18:44:07 +00:00			`- attack.t1087`
att&ck tags review: windows/process_creation part 9 2020-08-29 16:22:09 +00:00			`- attack.privilege_escalation # an old one`
			`- attack.t1100 # an old one`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`logsource:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`category: process_creation`
			`product: windows`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`detection:`
Merge branch 'oscd' B B B B A 2021-03-02 19:48:55 +00:00			`parent_is_web_server_process:`
Update win_webshell_detection.yml 2020-11-28 16:35:50 +00:00			`- ParentImage\|endswith:`
Update win_webshell_detection.yml 2020-10-15 22:58:37 +00:00			`- '\w3wp.exe'`
			`- '\php-cgi.exe'`
			`- '\nginx.exe'`
			`- '\httpd.exe'`
Update win_webshell_detection.yml 2020-11-28 16:35:50 +00:00			`- ParentImage\|contains:`
			`- '\apache'`
			`- '\tomcat'`
Merge branch 'oscd' B B B B A 2021-03-02 19:48:55 +00:00			`net_utility:`
Update win_webshell_detection.yml 2020-11-28 17:25:09 +00:00			`Image\|endswith:`
			`- '\net.exe'`
Merge branch 'oscd' B B B B A 2021-03-02 19:48:55 +00:00			`- '\net1.exe'`
			`CommandLine\|contains:`
			`- ' user '`
			`- ' use '`
			`- ' group '`
			`ping_utility:`
Update win_webshell_detection.yml 2020-11-28 17:25:09 +00:00			`Image\|endswith: '\ping.exe'`
Merge branch 'oscd' B B B B A 2021-03-02 19:48:55 +00:00			`CommandLine\|contains: ' -n '`
			`change_dir:`
			`CommandLine\|contains:`
			`- '&cd&echo' # china chopper web shell`
			`- 'cd /d ' # https://www.computerhope.com/cdhlp.htm`
			`wmic_utility:`
			`Image\|endswith: '\wmic.exe'`
			`CommandLine\|contains: ' /node:'`
			`misc_discovery_binaries:`
			`Image\|endswith:`
			`- '\whoami.exe'`
			`- '\systeminfo.exe'`
			`- '\quser.exe'`
			`- '\ipconfig.exe'`
			`- '\pathping.exe'`
			`- '\tracert.exe'`
			`- '\netstat.exe'`
			`- '\schtasks.exe'`
			`- '\vssadmin.exe'`
			`- '\wevtutil.exe'`
			`- '\tasklist.exe'`
			`misc_discovery_commands:`
			`CommandLine\|contains:`
			`- ' Test-NetConnection '`
			`- 'dir \' # remote dir: dir \<redacted IP #3>\C$:\windows\temp\*.exe`
			`condition: parent_is_web_server_process and (net_utility or ping_utility or change_dir or wmic_utility or misc_discovery_binaries or misc_discovery_commands)`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`fields:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- CommandLine`
			`- ParentCommandLine`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`falsepositives:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- unknown`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`level: high`