mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 17:58:52 +00:00
023bf76363
Looking for processes spawned by web server components that indicate reconnaissance by popular public domain webshells for whether perl, python or wget are installed.
41 lines
1.1 KiB
YAML
41 lines
1.1 KiB
YAML
title: Webshell Recon Detection Via CommandLine & Processes
|
|
id: f64e5c19-879c-4bae-b471-6d84c8339677
|
|
status: experimental
|
|
description: Looking for processes spawned by web server components that indicate reconnaissance by popular public domain webshells for whether perl, python or wget are installed.
|
|
author: Cian Heasley
|
|
reference:
|
|
- https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html
|
|
date: 2020/07/22
|
|
tags:
|
|
- attack.privilege_escalation
|
|
- attack.persistence
|
|
- attack.t1100
|
|
- attack.t1505.003
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
ParentImage|contains:
|
|
- '*\apache*'
|
|
- '*\tomcat*'
|
|
- '*\w3wp.exe'
|
|
- '*\php-cgi.exe'
|
|
- '*\nginx.exe'
|
|
- '*\httpd.exe'
|
|
Image|endswith:
|
|
- '*\cmd.exe'
|
|
CommandLine|contains:
|
|
- '*perl --help*'
|
|
- '*python --help*'
|
|
- '*wget --help*'
|
|
- '*perl -h*'
|
|
condition: selection
|
|
fields:
|
|
- Image
|
|
- CommandLine
|
|
- ParentCommandLine
|
|
falsepositives:
|
|
- unknown
|
|
level: high
|