mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 17:58:52 +00:00
47 lines
1.6 KiB
YAML
Executable File
47 lines
1.6 KiB
YAML
Executable File
title: Windows Webshell Creation
|
|
id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
|
|
status: experimental
|
|
description: Possible webshell file creation on a static web site
|
|
references:
|
|
- PT ESC rule and personal experience
|
|
author: Beyu Denis, oscd.community
|
|
date: 2019/10/22
|
|
modified: 2020/08/23
|
|
tags:
|
|
- attack.persistence
|
|
- attack.t1100 # an old one
|
|
- attack.t1505.003
|
|
level: critical
|
|
logsource:
|
|
product: windows
|
|
category: file_event
|
|
detection:
|
|
selection_2:
|
|
TargetFilename|contains: '\inetpub\wwwroot\'
|
|
selection_3:
|
|
TargetFilename|contains:
|
|
- '.asp'
|
|
- '.ashx'
|
|
- '.ph'
|
|
selection_4:
|
|
TargetFilename|contains:
|
|
- '\www\'
|
|
- '\htdocs\'
|
|
- '\html\'
|
|
selection_5:
|
|
TargetFilename|contains: '.ph'
|
|
selection_6:
|
|
- TargetFilename|endswith: '.jsp'
|
|
- TargetFilename|contains|all:
|
|
- '\cgi-bin\'
|
|
- '.pl'
|
|
false_positives: # false positives when unpacking some executables in $TEMP
|
|
TargetFilename|contains:
|
|
- '\AppData\Local\Temp\'
|
|
- '\Windows\Temp\'
|
|
# kind of ugly but sigmac seems not to handle double parenthesis "(("
|
|
# we should prefer something like : selection_1 and not false_positives and ((selection_2 and selection_3) or (selection_4 and selection_5) or selection_6)
|
|
condition: (selection_2 and selection_3 and not false_positives) or (selection_4 and selection_5 and not false_positives) or (selection_6 and not false_positives)
|
|
falsepositives:
|
|
- Legitimate administrator or developer creating legitimate executable files in a web application folder
|