SigmaHQ/rules/windows/malware/av_webshell.yml
2020-10-15 16:14:08 -03:00

33 lines
817 B
YAML

title: Antivirus Web Shell Detection
id: fdf135a2-9241-4f96-a114-bb404948f736
description: Detects a highly relevant Antivirus alert that reports a web shell
date: 2018/09/09
modified: 2019/10/04
author: Florian Roth
references:
- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
tags:
- attack.persistence
- attack.t1100
- attack.t1505.003
logsource:
product: antivirus
detection:
selection:
Signature|startswith:
- "PHP/Backdoor"
- "JSP/Backdoor"
- "ASP/Backdoor"
- "Backdoor.PHP"
- "Backdoor.JSP"
- "Backdoor.ASP"
Signature|contains:
- "Webshell"
condition: selection
fields:
- FileName
- User
falsepositives:
- Unlikely
level: critical