valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
725ab99e90
SigmaHQ/rules/windows/process_creation/win_webshell_detection.yml
Thomas Patzke 7602309138 Increased indentation to 4 
* Converted (to generic sigma) rules
* Converter outputs by default with indentation 4
2019-03-02 00:14:20 +01:00

32 lines
772 B
YAML
Raw Blame History

title: Webshell Detection With Command Line Keywords
description: Detects certain command line parameters often used during reconnaissance activity via web shells
author: Florian Roth
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage:
- '*\apache*'
- '*\tomcat*'
- '*\w3wp.exe'
- '*\php-cgi.exe'
- '*\nginx.exe'
- '*\httpd.exe'
CommandLine:
- whoami
- net user
- ping -n
- systeminfo
condition: selection
fields:
- CommandLine
- ParentCommandLine
tags:
- attack.privilege_escalation
- attack.persistence
- attack.t1100
falsepositives:
- unknown
level: high
Reference in New Issue View Git Blame Copy Permalink