title: Webshell Detection With Command Line Keywords
description: Detects certain command line parameters often used during reconnaissance activity via web shells
author: Florian Roth
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        ParentImage:
          - '*\apache*'
          - '*\tomcat*'
          - '*\w3wp.exe'
          - '*\php-cgi.exe'
          - '*\nginx.exe'
          - '*\httpd.exe'
        CommandLine:
          - 'whoami'
          - 'net user'
          - 'ping -n'
          - 'systeminfo'
    condition: selection
fields:
    - CommandLine
    - ParentCommandLine
tags:
    - attack.privilege_escalation
    - attack.persistence
    - attack.t1100
falsepositives:
    - unknown
level: high