CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
906319bae5dec13aeb8edd8a3d7a64ceb18c07ca
hayabusa/rules/sigma/process_creation/win_webshell_detection.yml
DustInDark 0cfa806baf Feature/addruletype to sigma rule#230 (#235) 
* added ruletype to SIGMA rule #230

* added ruletype to SIGMA rule converter tool #231
2021-11-28 18:14:51 +09:00

87 lines
2.0 KiB
YAML
Raw Blame History

title: Webshell Detection With Command Line Keywords
author: Florian Roth, Jonhnathan Ribeiro, Anton Kutepov, oscd.community
date: 2017/01/01
description: Detects certain command line parameters often used during reconnaissance
activity via web shells
detection:
SELECTION_1:
EventID: 1
SELECTION_10:
Image: '*\wmic.exe'
SELECTION_11:
CommandLine: '* /node:*'
SELECTION_12:
Image:
- '*\whoami.exe'
- '*\systeminfo.exe'
- '*\quser.exe'
- '*\ipconfig.exe'
- '*\pathping.exe'
- '*\tracert.exe'
- '*\netstat.exe'
- '*\schtasks.exe'
- '*\vssadmin.exe'
- '*\wevtutil.exe'
- '*\tasklist.exe'
SELECTION_13:
CommandLine:
- '* Test-NetConnection *'
- '*dir \\*'
SELECTION_2:
ParentImage:
- '*\w3wp.exe'
- '*\php-cgi.exe'
- '*\nginx.exe'
- '*\httpd.exe'
SELECTION_3:
ParentImage:
- '*\apache*'
- '*\tomcat*'
SELECTION_4:
EventID: 1
SELECTION_5:
Image:
- '*\net.exe'
- '*\net1.exe'
SELECTION_6:
CommandLine:
- '* user *'
- '* use *'
- '* group *'
SELECTION_7:
Image: '*\ping.exe'
SELECTION_8:
CommandLine: '* -n *'
SELECTION_9:
CommandLine:
- '*&cd&echo*'
- '*cd /d *'
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and (SELECTION_4 and (((SELECTION_5
and SELECTION_6) or (SELECTION_7 and SELECTION_8) or SELECTION_9) or (SELECTION_10
and SELECTION_11) or SELECTION_12 or SELECTION_13)))
falsepositives:
- unknown
fields:
- CommandLine
- ParentCommandLine
id: bed2a484-9348-4143-8a8a-b801c979301c
level: high
logsource:
category: process_creation
product: windows
modified: 2021/03/02
references:
- https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
- https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
status: experimental
tags:
- attack.persistence
- attack.t1505.003
- attack.t1018
- attack.t1033
- attack.t1087
- attack.privilege_escalation
- attack.t1100
ruletype: SIGMA
Reference in New Issue View Git Blame Copy Permalink