add rule sysmon_webshell_creation_detect.yml

2024-11-08 02:08:54 +00:00 · 2019-10-22 05:56:37 +02:00 · 2019-10-22 05:56:37 +02:00 · 2bd9d8a9d8
commit 2bd9d8a9d8
parent fb53855ae5
1 changed files with 13 additions and 12 deletions
--- a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml
+++ b/rules/windows/sysmon/sysmon_webshell_creation_detect.yml
@ -17,18 +17,19 @@ detection:
        # Sysmon: File Creation (ID 11)
        EventID: 11
        #.NET webshells
-        TargetFilename: '*\inetpub\wwwroot\*.asp'
-        TargetFilename: '*\inetpub\wwwroot\*.aspx'
-        TargetFilename: '*\inetpub\wwwroot\*.ashx'
-        #php webshells
-        TargetFilename: '*\inetpub\wwwroot\*.ph*'
-        TargetFilename: '*\www\*.ph*'
-        TargetFilename: '*\htdocs\*.ph*'
-        TargetFilename: '*\html\*.ph*'
-        #apache tomcap webshell
-        TargetFilename: '*\*.jsp*'
-        #cgi-bin perl webshell
-        TargetFilename: '*\cgi-bin\*.pl'
+        TargetFilename: 
+            - '*\inetpub\wwwroot\*.asp'
+            - '*\inetpub\wwwroot\*.aspx'
+            - '*\inetpub\wwwroot\*.ashx'
+            #php webshells
+            - '*\inetpub\wwwroot\*.ph*'
+            - '*\www\*.ph*'
+            - '*\htdocs\*.ph*'
+            - '*\html\*.ph*'
+            #apache tomcap webshell
+            - '*\*.jsp*'
+            #cgi-bin perl webshell
+            - '*\cgi-bin\*.pl'
    condition: selection
 falsepositives:
    - Unknown