From 9f8ef95571309a15907697595598dce710ecf1ba Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Sat, 28 Nov 2020 18:25:09 +0100
Subject: [PATCH] Update win_webshell_detection.yml

---
 .../win_webshell_detection.yml | 27 ++++++++++---------
 1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/rules/windows/process_creation/win_webshell_detection.yml b/rules/windows/process_creation/win_webshell_detection.yml
index 9f6d8db7..f9ba29bd 100644
--- a/rules/windows/process_creation/win_webshell_detection.yml
+++ b/rules/windows/process_creation/win_webshell_detection.yml
@@ -5,7 +5,7 @@ author: Florian Roth, Jonhnathan Ribeiro, oscd.community
 reference:
 - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
 date: 2017/01/01
-modified: 2019/10/26
+modified: 2019/11/28
 tags:
 - attack.persistence
 - attack.t1505.003
@@ -25,20 +25,23 @@ detection:
 - '\apache'
 - '\tomcat'
 selection2:
- - CommandLine|contains:
- - 'whoami'
- - 'systeminfo'
- - '&cd&echo'
- - CommandLine|contains|all:
- - 'net'
- - 'user'
+ Image|endswith:
+ - '\whoami.exe'
+ - '\systeminfo.exe'
+ selection3:
+ Image|endswith:
+ - '\net1.exe'
+ - '\net.exe'
+ CommandLine|contains: 'user'
+ selection4:
 - CommandLine|contains|all:
 - 'cd' # https://www.computerhope.com/cdhlp.htm
 - '/d'
- - CommandLine|contains|all:
- - 'ping'
- - '-n'
- condition: selection and selection2
+ - CommandLine|contains: '&cd&echo'
+ selection5:
+ Image|endswith: '\ping.exe'
+ CommandLine|contains: '-n'
+ condition: selection and ( selection2 or selection3 or selection4 or selection5 )
 fields:
 - CommandLine
 - ParentCommandLine
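Review bot: The new `modified: 2019/11/28` is a year earlier than the commit date (Sat, 28 Nov 2020) while matching its day and month, and it is only a month after the previous value of 2019/10/26, so the year looks like it was left unchanged by mistake. `modified: 2020/11/28` is probably what was intended; worth confirming against the other rules touched in the same series.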
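Review bot: Replacing `CommandLine|contains: 'whoami'` in selection2 with `Image|endswith: '\whoami.exe'` narrows what the rule can see: if `selection` matches on the parent process, as the visible `\apache` / `\tomcat` entries suggest (its definition starts outside the hunk), a web shell running `cmd /c whoami` yields a whoami.exe event whose parent is cmd.exe and a cmd.exe event whose Image is not whoami.exe, and neither matches the new rule although the old CommandLine form caught the cmd.exe event. Keeping the CommandLine alternative next to the Image one, e.g. `- CommandLine|contains: 'whoami'` as a second list entry under selection2, would cover both shapes; the same consideration applies to selection3 and selection5, whereas selection4 still uses CommandLine and is unaffected. Separately, `CommandLine|contains: 'user'` in selection3 and `CommandLine|contains: '-n'` in selection5 are case-insensitive substring matches, so any net.exe invocation with a path under `\Users\` in its arguments, or any ping target containing `-n`, will fire; `' user'` and `' -n '` would tighten them with little loss of coverage.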