CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
46b0594150f79a15992cc451384f4e204c673dd3
hayabusa/rules/sigma/process_creation/win_webshell_detection.yml
itiB 83d891b2fa Feature/rm submodule (#312) 
* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a
2021-12-20 21:14:32 +09:00

85 lines
2.0 KiB
YAML
Raw Blame History

title: Webshell Detection With Command Line Keywords
ruletype: Sigma
author: Florian Roth, Jonhnathan Ribeiro, Anton Kutepov, oscd.community
date: 2017/01/01
description: Detects certain command line parameters often used during reconnaissance
activity via web shells
detection:
SELECTION_1:
EventID: 1
SELECTION_10:
CommandLine: '* /node:*'
SELECTION_11:
Image:
- '*\whoami.exe'
- '*\systeminfo.exe'
- '*\quser.exe'
- '*\ipconfig.exe'
- '*\pathping.exe'
- '*\tracert.exe'
- '*\netstat.exe'
- '*\schtasks.exe'
- '*\vssadmin.exe'
- '*\wevtutil.exe'
- '*\tasklist.exe'
SELECTION_12:
CommandLine:
- '* Test-NetConnection *'
- '*dir \\*'
SELECTION_2:
ParentImage:
- '*\w3wp.exe'
- '*\php-cgi.exe'
- '*\nginx.exe'
- '*\httpd.exe'
SELECTION_3:
ParentImage:
- '*\apache*'
- '*\tomcat*'
SELECTION_4:
Image:
- '*\net.exe'
- '*\net1.exe'
SELECTION_5:
CommandLine:
- '* user *'
- '* use *'
- '* group *'
SELECTION_6:
Image: '*\ping.exe'
SELECTION_7:
CommandLine: '* -n *'
SELECTION_8:
CommandLine:
- '*&cd&echo*'
- '*cd /d *'
SELECTION_9:
Image: '*\wmic.exe'
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and (((SELECTION_4 and
SELECTION_5) or (SELECTION_6 and SELECTION_7) or SELECTION_8) or (SELECTION_9
and SELECTION_10) or SELECTION_11 or SELECTION_12))
falsepositives:
- unknown
fields:
- CommandLine
- ParentCommandLine
id: bed2a484-9348-4143-8a8a-b801c979301c
level: high
logsource:
category: process_creation
product: windows
modified: 2021/03/02
references:
- https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
- https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
status: experimental
tags:
- attack.persistence
- attack.t1505.003
- attack.t1018
- attack.t1033
- attack.t1087
- attack.privilege_escalation
- attack.t1100
Reference in New Issue View Git Blame Copy Permalink