DEWMODE Webshell Access
Detects access to DEWMODE webshell as described in FIREEYE report
Sigma rule
title: DEWMODE Webshell Access
id: fdf96c90-42d5-4406-8a9c-14a2c9a016b5
status: test
description: Detects access to DEWMODE webshell as described in FIREEYE report
references:
    - https://www.mandiant.com/resources/blog/accellion-fta-exploited-for-data-theft-and-extortion
author: Florian Roth (Nextron Systems)
date: 2021-02-22
modified: 2023-01-02
tags:
    - attack.persistence
    - attack.t1505.003
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection1:
        cs-uri-query|contains|all:
            - '?dwn='
            - '&fn='
            - '.html?'
    selection2:
        cs-uri-query|contains|all:
            - '&dwn='
            - '?fn='
            - '.html?'
    condition: 1 of selection*
fields:
    - client_ip
    - response
falsepositives:
    - Unknown
level: high
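The following Python script is an added example, not part of the Sigma rule or the Sigma project, that applies the rule's detection logic to web server access logs: each selection is a `contains|all` list (every substring must be present, case-insensitively as Sigma defines `contains`), and the rule fires when one of the two selections matches. It assumes the inspected field is the full request target (path plus query string), since the rule expects `.html?` to appear in it, and it reads constructed combined-format log lines rather than real traffic.

```python
import re
from typing import Optional

# Transcribed from the rule: every substring in a list must be present
# (contains|all); the rule matches when 1 of the selections matches.
SELECTIONS = {
    "selection1": ["?dwn=", "&fn=", ".html?"],
    "selection2": ["&dwn=", "?fn=", ".html?"],
}

# Combined-format access log line: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client_ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<response>\d{3})'
)

# Constructed sample log (assumption: the field the rule inspects is the
# request target; the paths and parameter values below are made up).
SAMPLE_LOG = """\
203.0.113.10 - - [22/Feb/2021:10:15:01 +0000] "GET /app/about.html?dwn=ZmlsZQ&fn=cmd HTTP/1.1" 200 512
203.0.113.11 - - [22/Feb/2021:10:15:02 +0000] "GET /app/help.html?fn=list&dwn=1 HTTP/1.1" 200 4096
198.51.100.5 - - [22/Feb/2021:10:15:03 +0000] "GET /app/index.html?lang=en HTTP/1.1" 200 2048
198.51.100.6 - - [22/Feb/2021:10:15:04 +0000] "GET /download?dwn=1&fn=report.pdf HTTP/1.1" 200 1024
"""


def match_rule(uri: str) -> Optional[str]:
    """Return the name of the first matching selection, or None."""
    haystack = uri.lower()  # Sigma 'contains' is case-insensitive
    for name, needles in SELECTIONS.items():
        if all(needle.lower() in haystack for needle in needles):
            return name
    return None


def scan(log_text: str) -> list:
    """Parse access log lines and report hits with the rule's 'fields'."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently match
        selection = match_rule(m.group("uri"))
        if selection:
            hits.append({
                "client_ip": m.group("client_ip"),
                "response": m.group("response"),
                "uri": m.group("uri"),
                "selection": selection,
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['selection']}: {hit['client_ip']} -> {hit['uri']} ({hit['response']})")
```

The fourth sample line carries both `dwn` and `fn` parameters but no `.html?`, so it does not fire; that third substring is what keeps ordinary download endpoints out of the match, and it is also the first place to look if the rule proves noisy in a given environment.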
Related rules
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
- MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
- Oracle WebLogic Exploit
- Solarwinds SUPERNOVA Webshell Access
- COLDSTEEL Persistence Service Creation