mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 09:48:58 +00:00
38 lines
1.1 KiB
YAML
38 lines
1.1 KiB
YAML
title: Webshell ReGeorg Detection Via Web Logs
|
|
id: 2ea44a60-cfda-11ea-87d0-0242ac130003
|
|
status: experimental
|
|
description: Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.
|
|
author: Cian Heasley
|
|
reference:
|
|
- https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3
|
|
- https://github.com/sensepost/reGeorg
|
|
date: 2020/08/04
|
|
tags:
|
|
- attack.privilege_escalation
|
|
- attack.persistence
|
|
- attack.t1100
|
|
- attack.t1505.003
|
|
logsource:
|
|
category: webserver
|
|
detection:
|
|
selection:
|
|
uri_query|contains:
|
|
- '*cmd=read*'
|
|
- '*connect&target*'
|
|
- '*cmd=connect*'
|
|
- '*cmd=disconnect*'
|
|
- '*cmd=forward*'
|
|
filter:
|
|
referer: null
|
|
useragent: null
|
|
method: POST
|
|
condition: selection and filter
|
|
fields:
|
|
- uri_query
|
|
- referer
|
|
- method
|
|
- useragent
|
|
falsepositives:
|
|
- web applications that use the same URL parameters as ReGeorg
|
|
level: high
|