Update win_webshell_detection.yml

2024-11-07 17:58:52 +00:00 · 2020-11-28 18:25:09 +01:00 · 2020-11-28 18:25:09 +01:00 · 9f8ef95571
commit 9f8ef95571
parent c761d05a17
1 changed files with 15 additions and 12 deletions
--- a/rules/windows/process_creation/win_webshell_detection.yml
+++ b/rules/windows/process_creation/win_webshell_detection.yml
@ -5,7 +5,7 @@ author: Florian Roth, Jonhnathan Ribeiro, oscd.community
 reference:
    - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
 date: 2017/01/01
-modified: 2019/10/26
+modified: 2019/11/28
 tags:
    - attack.persistence
    - attack.t1505.003
@ -25,20 +25,23 @@ detection:
            - '\apache'
            - '\tomcat'
    selection2:
-        - CommandLine|contains:
-            - 'whoami'
-            - 'systeminfo'
-            - '&cd&echo'
-        - CommandLine|contains|all:
-            - 'net'
-            - 'user'
+        Image|endswith:
+            - '\whoami.exe'
+            - '\systeminfo.exe'
+    selection3:
+        Image|endswith:
+            - '\net1.exe'
+            - '\net.exe'
+        CommandLine|contains: 'user'
+    selection4:
        - CommandLine|contains|all:
            - 'cd' # https://www.computerhope.com/cdhlp.htm
            - '/d'
-        - CommandLine|contains|all:
-            - 'ping'
-            - '-n'
-    condition: selection and selection2
+        - CommandLine|contains: '&cd&echo'
+    selection5:
+        Image|endswith: '\ping.exe'
+        CommandLine|contains: '-n'
+    condition: selection and ( selection2 or selection3 or selection4 or selection5 )
 fields:
    - CommandLine
    - ParentCommandLine