DEWMODE Webshell Access

Detects access to DEWMODE webshell as described in FIREEYE report

Sigma rule

```yaml
title: DEWMODE Webshell Access
id: fdf96c90-42d5-4406-8a9c-14a2c9a016b5
status: test
description: Detects access to DEWMODE webshell as described in FIREEYE report
references:
    - https://www.mandiant.com/resources/blog/accellion-fta-exploited-for-data-theft-and-extortion
author: Florian Roth (Nextron Systems)
date: 2021/02/22
modified: 2023/01/02
tags:
    - attack.persistence
    - attack.t1505.003
    - detection.emerging_threats
logsource:
    category: webserver
detection:
    selection1:
        cs-uri-query|contains|all:
            - '?dwn='
            - '&fn='
            - '.html?'
    selection2:
        cs-uri-query|contains|all:
            - '&dwn='
            - '?fn='
            - '.html?'
    condition: 1 of selection*
fields:
    - client_ip
    - response
falsepositives:
    - Unknown
level: high
```
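To show what the two `contains|all` selections and the `1 of selection*` condition actually do when run over webserver logs, here is an added example that is not part of the Sigma project or of this rule page. It parses a constructed W3C/IIS-style log (made-up IPs and requests, not real traffic) and applies the rule's logic in plain Python. One caveat a practitioner should notice: the rule looks for `.html?` inside `cs-uri-query`, which can only be present if the log pipeline maps that field to the full request target (path plus query string); the example therefore joins `cs-uri-stem` and `cs-uri-query` before matching, and treats substring matching as case-insensitive, which is Sigma's default for `contains`.

```python
"""Added example (not Sigma's own code): evaluate the DEWMODE rule logic
over constructed IIS/W3C-style webserver log lines."""
from typing import Dict, Iterator, List

# Constructed sample log: addresses and requests are invented for the example.
# IIS writes '-' for an empty cs-uri-query and omits the leading '?'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2021-03-01 10:01:05 198.51.100.7 GET /index.html - 200
2021-03-01 10:01:09 198.51.100.7 GET /about.html dwn=archive&fn=report.csv 200
2021-03-01 10:02:11 203.0.113.9 GET /about.html fn=dump.zip&dwn=1 200
2021-03-01 10:03:42 203.0.113.10 GET /search q=dwn&fn=test 200
2021-03-01 10:04:00 192.0.2.5 GET /help.html dwn= 404
"""

# The rule's detection block: each selection is contains|all (every substring
# must be present); the condition "1 of selection*" fires on any selection.
SELECTIONS: Dict[str, List[str]] = {
    "selection1": ["?dwn=", "&fn=", ".html?"],
    "selection2": ["&dwn=", "?fn=", ".html?"],
}


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log line, keyed by the names in the last #Fields header."""
    fields: List[str] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#Fields:"):
            fields = raw.split(":", 1)[1].split()
            continue
        if raw.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = raw.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than crash the pipeline
        yield dict(zip(fields, values))


def request_target(event: Dict[str, str]) -> str:
    """Rebuild path + query string. Assumption: the rule's cs-uri-query is mapped
    to this full target, otherwise the '.html?' token could never match."""
    stem = event.get("cs-uri-stem", "")
    query = event.get("cs-uri-query", "-")
    return stem if query == "-" else f"{stem}?{query}"


def matched_selections(target: str) -> List[str]:
    """Names of all selections whose substrings are all present (case-insensitive)."""
    haystack = target.lower()
    return [
        name
        for name, needles in SELECTIONS.items()
        if all(needle.lower() in haystack for needle in needles)
    ]


def evaluate(text: str) -> List[Dict[str, str]]:
    """Apply the rule to a log; return the rule's output fields (client_ip, response)
    plus the matched target and the first selection that fired."""
    hits: List[Dict[str, str]] = []
    for event in parse_w3c(text):
        target = request_target(event)
        selections = matched_selections(target)
        if selections:  # condition: 1 of selection*
            hits.append({
                "client_ip": event["c-ip"],
                "response": event["sc-status"],
                "target": target,
                "selection": selections[0],
            })
    return hits


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_LOG):
        print(hit)
```

Run as-is, the script reports two hits (one per selection, the two `/about.html` requests) and ignores the `/search` and `/help.html` lines, which carry only some of the required tokens. That last case is the useful one for tuning: `dwn=` alone is not enough, all three substrings of one selection must co-occur in the same request, which is what keeps the `Unknown` false-positive rate manageable on sites that legitimately use `fn=` or `dwn=` parameters.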
