Potential Web Shell ASPX File Creation
Identifies the creation of ASPX files in specific directories that are commonly targeted by attackers to deploy web shells.
Elastic rule
```toml
[metadata]
creation_date = "2025/07/24"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
maturity = "production"
updated_date = "2025/08/18"

[rule]
author = ["Elastic"]
description = """
Identifies the creation of ASPX files in specific directories that are commonly targeted by attackers to deploy web shells.
"""
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-endpoint.events.file-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-m365_defender.event-*",
    "logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential Web Shell ASPX File Creation"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Web Shell ASPX File Creation

Web shells are malicious scripts uploaded to web servers, often exploiting vulnerabilities in web applications. ASPX files, used in Windows environments, can be manipulated by attackers to maintain persistence and execute arbitrary commands. Adversaries target specific directories for deploying these files. The detection rule identifies suspicious ASPX file creation in these directories, excluding legitimate processes, to flag potential web shell activity.

### Possible investigation steps

- Review the file path where the ASPX file was created to confirm it matches the targeted directory pattern: "?:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*". This can help determine if the file is in a location commonly exploited for web shells.
- Examine the process that created the ASPX file, ensuring it is not the legitimate "?:\\Windows\\System32\\msiexec.exe". Investigate the actual process responsible for the file creation to assess its legitimacy and potential malicious intent.
- Check the timestamp of the file creation event to correlate it with other suspicious activities or alerts on the host, which might provide additional context or evidence of compromise.
- Investigate the contents of the ASPX file to identify any malicious code or scripts that could indicate a web shell. Look for patterns or code snippets commonly associated with web shell functionality.
- Analyze network activity from the host around the time of the ASPX file creation to identify any unusual outbound connections or data transfers that might suggest communication with a command and control server.
- Review historical alerts and logs for the host to identify any previous suspicious activities or patterns that could indicate ongoing compromise or persistence mechanisms.

### False positive analysis

- Routine updates or installations of legitimate web server components may trigger alerts. Users can create exceptions for known update processes or installation paths to reduce false positives.
- Development or testing environments often generate ASPX files as part of normal operations. Exclude directories or processes associated with these environments to prevent unnecessary alerts.
- Automated scripts or tools used for web server maintenance might create ASPX files. Identify and whitelist these scripts to avoid false detections.
- Legitimate third-party applications that integrate with web server extensions may create ASPX files. Monitor and whitelist these applications to ensure they do not trigger false positives.
- Scheduled tasks or system processes that interact with web server directories can be mistaken for malicious activity. Review and exclude these tasks if they are verified as non-threatening.

### Response and remediation

- Isolate the affected server from the network to prevent further malicious activity and lateral movement.
- Terminate any suspicious processes associated with the creation of the ASPX file, especially those not originating from legitimate executables like msiexec.exe.
- Remove the identified ASPX file from the targeted directory to eliminate the potential web shell.
- Conduct a thorough scan of the server using updated antivirus and endpoint detection tools to identify and remove any additional malicious files or processes.
- Review server logs and network traffic for signs of unauthorized access or data exfiltration, and document any findings for further analysis.
- Restore the server from a known good backup if necessary, ensuring that the backup is free from any malicious artifacts.
- Escalate the incident to the security operations team for further investigation and to assess the need for additional security measures, such as patching vulnerabilities or enhancing monitoring capabilities.
"""
references = [
    "https://blog.viettelcybersecurity.com/toolshell-a-critical-sharepoint-vulnerability-chain-under-active-exploitation/",
    "https://www.sentinelone.com/blog/sharepoint-toolshell-zero-day-exploited-in-the-wild-targets-enterprise-servers/",
    "https://www.rapid7.com/blog/post/2024/10/30/investigating-a-sharepoint-compromise-ir-tales-from-the-field/",
]
risk_score = 21
rule_id = "32144184-7bfa-4541-9c3f-b65f16d24df9"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "windows" and event.type != "deletion" and
  file.extension : "aspx" and
  file.path : "?:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*" and
  not process.executable: "?:\\Windows\\System32\\msiexec.exe"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1505"
name = "Server Software Component"
reference = "https://attack.mitre.org/techniques/T1505/"
[[rule.threat.technique.subtechnique]]
id = "T1505.003"
name = "Web Shell"
reference = "https://attack.mitre.org/techniques/T1505/003/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
```
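To see exactly what the query above matches and excludes, here is an added Python re-implementation of its where clause run over constructed sample file events (example code, not part of the Elastic rule). It assumes flat ECS-style field names, approximates EQL's case-insensitive `:` wildcard operator with a regular expression, and does not reproduce Elasticsearch EQL's null handling.

```python
# Added example (not Elastic's code): the rule's EQL predicate in Python.
# EQL ':' is a case-insensitive wildcard match ('?' = one char, '*' = any
# run); '==' / '!=' are exact. The TOML/EQL strings in the rule double their
# backslashes as string escaping; the effective patterns use one per separator.
import re

ASPX_DIR = r"?:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\*"
MSIEXEC = r"?:\Windows\System32\msiexec.exe"


def eql_like(pattern: str, value: str) -> bool:
    """Approximate the EQL ':' operator for a single string pattern."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def matches_rule(event: dict) -> bool:
    """True when a flat ECS-style event satisfies the rule's where clause.
    Assumption: absent fields are treated as empty strings."""
    g = event.get
    return (
        g("event.category", "") == "file"
        and g("host.os.type", "") == "windows"
        and g("event.type", "") != "deletion"
        and eql_like("aspx", g("file.extension", ""))
        and eql_like(ASPX_DIR, g("file.path", ""))
        and not eql_like(MSIEXEC, g("process.executable", ""))
    )


# Constructed sample telemetry (not real events). LAYOUTS is the SharePoint
# hive path under the directory the rule scopes.
LAYOUTS = r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
BASE = {"host.os.type": "windows", "event.category": "file", "event.type": "creation"}
SAMPLE_EVENTS = [
    # 0: IIS worker process drops an .aspx in LAYOUTS -> alert
    {**BASE, "file.extension": "aspx", "file.path": LAYOUTS + r"\constructed_page.aspx", "process.executable": W3WP},
    # 1: same path written by msiexec.exe (installer) -> excluded by the rule
    {**BASE, "file.extension": "aspx", "file.path": LAYOUTS + r"\installer_page.aspx", "process.executable": r"C:\Windows\System32\msiexec.exe"},
    # 2: other drive letter, upper-case extension and path -> still alerts (':' is case-insensitive)
    {**BASE, "file.extension": "ASPX", "file.path": LAYOUTS.replace("C:", "D:").upper() + r"\OTHER.ASPX", "process.executable": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # 3: deletion of the same file -> filtered by event.type != "deletion"
    {**BASE, "event.type": "deletion", "file.extension": "aspx", "file.path": LAYOUTS + r"\constructed_page.aspx", "process.executable": W3WP},
    # 4: .aspx outside the scoped directory -> out of scope for this rule
    {**BASE, "file.extension": "aspx", "file.path": r"C:\inetpub\wwwroot\site.aspx", "process.executable": W3WP},
]


def alerts(events=SAMPLE_EVENTS) -> list:
    """Return file.path for every event the rule would alert on."""
    return [e["file.path"] for e in events if matches_rule(e)]
```

Event 4 shows the rule's scope: an ASPX dropped under a plain IIS web root is not covered here and needs separate detection.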
Related rules
- Adding Hidden File Attribute via Attrib
- Execution via MSSQL xp_cmdshell Stored Procedure
- New ActiveSyncAllowedDeviceID Added via PowerShell
- Persistence via TelemetryController Scheduled Task Hijack
- Persistence via WMI Event Subscription