atomic-threat-coverage/Atomic_Threat_Coverage/Detection_Rules/win_webshell_recon_detection.md

Title Webshell Recon Detection Via CommandLine & Processes
Description Looks for processes spawned by web server components that indicate reconnaissance by popular public-domain webshells checking whether perl, python or wget are installed.
ATT&CK Tactic
ATT&CK Technique
Data Needed
Trigger
Severity Level high
False Positives
  • unknown
Development Status experimental
References There are no documented References for this Detection Rule yet
Author Cian Heasley

Detection Rules

Sigma rule

# Sigma rule (process_creation / windows): a cmd.exe child of a web server
# process whose command line probes for perl, python or wget. Every generated
# query further down this page is derived from this block, so fix things here.
title: Webshell Recon Detection Via CommandLine & Processes
id: f64e5c19-879c-4bae-b471-6d84c8339677
status: experimental
description: Looking for processes spawned by web server components that indicate reconnaissance by popular public domain webshells for whether perl, python or wget are installed.
author: Cian Heasley
# NOTE(review): the Sigma field name is 'references' (plural). With the singular
# key the page header above reports "no documented References" although a URL is
# listed right here; renaming the key should make the generator pick it up.
reference:
    - https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html
date: 2020/07/22
tags:
    - attack.persistence
    - attack.t1505.003
    - attack.privilege_escalation       # legacy tactic tag that went with the old t1100 mapping
    - attack.t1100      # deprecated technique id (Web Shell), superseded by attack.t1505.003 above
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Parent must be a web server component. 'contains' already wraps the
        # value in wildcards, so the leading/trailing '*' below are redundant.
        # '*\apache*' matches any path element starting with "apache", not just
        # httpd, so expect noise on hosts with other Apache-named software.
        ParentImage|contains:
            - '*\apache*'
            - '*\tomcat*'
            - '*\w3wp.exe'
            - '*\php-cgi.exe'
            - '*\nginx.exe'
            - '*\httpd.exe'
        # Only a cmd.exe child is considered: the same probe launched through
        # another shell, or by the web server process executing the interpreter
        # directly, does not match this rule.
        Image|endswith:
            - '*\cmd.exe'    # '*' is redundant with 'endswith'
        # Help-flag probes. As a substring, 'perl -h' also covers e.g. 'perl -help'.
        CommandLine|contains:
            - '*perl --help*'
            - '*python --help*'
            - '*wget --help*'
            - '*perl -h*'
    condition: selection
# Fields surfaced in alert output (the watcher email body below prints them).
fields:
    - Image
    - CommandLine
    - ParentCommandLine
falsepositives:
    - unknown    # none documented; an administrator running the same checks from a web-server-spawned shell would also match
level: high

powershell

# Generated from the Sigma rule above. Get-WinEvent is invoked with no -LogName or -FilterHashtable, so it
# enumerates every event log on the host and then filters by free-text regex on $_.message; scope it to the
# log that carries process-creation events before running it at scale (which source is ingested is not shown
# on this page). NOTE(review): as printed, "\\\\" inside a double-quoted PowerShell string reaches the .NET
# regex engine unchanged and matches two literal backslashes; confirm the escaping matches a single path
# separator in real event messages before relying on this query.
Get-WinEvent | where {(($_.message -match "ParentImage.*.*\\\\apache.*" -or $_.message -match "ParentImage.*.*\\\\tomcat.*" -or $_.message -match "ParentImage.*.*\\\\w3wp.exe.*" -or $_.message -match "ParentImage.*.*\\\\php-cgi.exe.*" -or $_.message -match "ParentImage.*.*\\\\nginx.exe.*" -or $_.message -match "ParentImage.*.*\\\\httpd.exe.*") -and ($_.message -match "Image.*.*\\\\cmd.exe") -and ($_.message -match "CommandLine.*.*perl --help.*" -or $_.message -match "CommandLine.*.*python --help.*" -or $_.message -match "CommandLine.*.*wget --help.*" -or $_.message -match "CommandLine.*.*perl -h.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message

es-qs

(winlog.event_data.ParentImage.keyword:(*\\\\apache* OR *\\\\tomcat* OR *\\\\w3wp.exe* OR *\\\\php\\-cgi.exe* OR *\\\\nginx.exe* OR *\\\\httpd.exe*) AND winlog.event_data.Image.keyword:(*\\\\cmd.exe) AND winlog.event_data.CommandLine.keyword:(*perl\\ \\-\\-help* OR *python\\ \\-\\-help* OR *wget\\ \\-\\-help* OR *perl\\ \\-h*))

xpack-watcher

# Generated watcher definition. As rendered here the heredoc body is collapsed onto one line with literal "\n"
# sequences and escaped quotes (\'); restore real line breaks and quotes before running it. It targets
# localhost:9200 with no credentials passed and mails root@localhost from root@localhost; change host,
# authentication and recipient for a real deployment. The schedule interval and the search lookback are both
# 30m ("interval": "30m", "gte": "now-30m/m"), so a delayed watcher execution can leave events uncovered;
# email throttle_period is 15m, so repeated hits inside that window produce a single mail.
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/f64e5c19-879c-4bae-b471-6d84c8339677 <<EOF\n{\n  "metadata": {\n    "title": "Webshell Recon Detection Via CommandLine & Processes",\n    "description": "Looking for processes spawned by web server components that indicate reconnaissance by popular public domain webshells for whether perl, python or wget are installed.",\n    "tags": [\n      "attack.persistence",\n      "attack.t1505.003",\n      "attack.privilege_escalation",\n      "attack.t1100"\n    ],\n    "query": "(winlog.event_data.ParentImage.keyword:(*\\\\\\\\apache* OR *\\\\\\\\tomcat* OR *\\\\\\\\w3wp.exe* OR *\\\\\\\\php\\\\-cgi.exe* OR *\\\\\\\\nginx.exe* OR *\\\\\\\\httpd.exe*) AND winlog.event_data.Image.keyword:(*\\\\\\\\cmd.exe) AND winlog.event_data.CommandLine.keyword:(*perl\\\\ \\\\-\\\\-help* OR *python\\\\ \\\\-\\\\-help* OR *wget\\\\ \\\\-\\\\-help* OR *perl\\\\ \\\\-h*))"\n  },\n  "trigger": {\n    "schedule": {\n      "interval": "30m"\n    }\n  },\n  "input": {\n    "search": {\n      "request": {\n        "body": {\n          "size": 0,\n          "query": {\n            "bool": {\n              "must": [\n                {\n                  "query_string": {\n                    "query": "(winlog.event_data.ParentImage.keyword:(*\\\\\\\\apache* OR *\\\\\\\\tomcat* OR *\\\\\\\\w3wp.exe* OR *\\\\\\\\php\\\\-cgi.exe* OR *\\\\\\\\nginx.exe* OR *\\\\\\\\httpd.exe*) AND winlog.event_data.Image.keyword:(*\\\\\\\\cmd.exe) AND winlog.event_data.CommandLine.keyword:(*perl\\\\ \\\\-\\\\-help* OR *python\\\\ \\\\-\\\\-help* OR *wget\\\\ \\\\-\\\\-help* OR *perl\\\\ \\\\-h*))",\n                    "analyze_wildcard": true\n                  }\n                }\n              ],\n              "filter": {\n                "range": {\n                  "timestamp": {\n                    "gte": "now-30m/m"\n                  }\n                }\n              }\n            }\n          }\n        
},\n        "indices": [\n          "winlogbeat-*"\n        ]\n      }\n    }\n  },\n  "condition": {\n    "compare": {\n      "ctx.payload.hits.total": {\n        "not_eq": 0\n      }\n    }\n  },\n  "actions": {\n    "send_email": {\n      "throttle_period": "15m",\n      "email": {\n        "profile": "standard",\n        "from": "root@localhost",\n        "to": "root@localhost",\n        "subject": "Sigma Rule \'Webshell Recon Detection Via CommandLine & Processes\'",\n        "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n            Image = {{_source.Image}}\\n      CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n        "attachments": {\n          "data.json": {\n            "data": {\n              "format": "json"\n            }\n          }\n        }\n      }\n    }\n  }\n}\nEOF\n

graylog

(ParentImage.keyword:(*\\\\apache* *\\\\tomcat* *\\\\w3wp.exe* *\\\\php\\-cgi.exe* *\\\\nginx.exe* *\\\\httpd.exe*) AND Image.keyword:(*\\\\cmd.exe) AND CommandLine.keyword:(*perl \\-\\-help* *python \\-\\-help* *wget \\-\\-help* *perl \\-h*))

splunk

((ParentImage="*\\\\apache*" OR ParentImage="*\\\\tomcat*" OR ParentImage="*\\\\w3wp.exe*" OR ParentImage="*\\\\php-cgi.exe*" OR ParentImage="*\\\\nginx.exe*" OR ParentImage="*\\\\httpd.exe*") (Image="*\\\\cmd.exe") (CommandLine="*perl --help*" OR CommandLine="*python --help*" OR CommandLine="*wget --help*" OR CommandLine="*perl -h*")) | table Image,CommandLine,ParentCommandLine

logpoint

(ParentImage IN ["*\\\\apache*", "*\\\\tomcat*", "*\\\\w3wp.exe*", "*\\\\php-cgi.exe*", "*\\\\nginx.exe*", "*\\\\httpd.exe*"] Image IN ["*\\\\cmd.exe"] CommandLine IN ["*perl --help*", "*python --help*", "*wget --help*", "*perl -h*"])

grep

# Generated from the Sigma rule above. No file argument is given, so grep reads event lines from stdin
# (one event per line). The three lookaheads apply the ParentImage, Image and CommandLine clauses in any
# order and need -P (PCRE); with no field names in the pattern, a line matches wherever the strings appear.
grep -P '^(?:.*(?=.*(?:.*.*\\apache.*|.*.*\\tomcat.*|.*.*\\w3wp\\.exe.*|.*.*\\php-cgi\\.exe.*|.*.*\\nginx\\.exe.*|.*.*\\httpd\\.exe.*))(?=.*(?:.*.*\\cmd\\.exe))(?=.*(?:.*.*perl --help.*|.*.*python --help.*|.*.*wget --help.*|.*.*perl -h.*)))'