Suspicious Windows Strings In URI
Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication
Sigma rule (View on GitHub)
1title: Suspicious Windows Strings In URI
2id: 9f6a34b4-2688-4eb7-a7f5-e39fef573d0e
3status: test
4description: Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication
5references:
6 - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022/06/06
9modified: 2023/01/02
10tags:
11 - attack.persistence
12 - attack.exfiltration
13 - attack.t1505.003
14logsource:
15 category: webserver
16detection:
17 selection:
18 cs-uri-query|contains:
19 - '=C:/Users'
20 - '=C:/Program%20Files'
21 - '=C:/Windows'
22 - '=C%3A%5CUsers'
23 - '=C%3A%5CProgram%20Files'
24 - '=C%3A%5CWindows'
25 condition: selection
26falsepositives:
27 - Legitimate application and websites that use windows paths in their URL
28level: high
References
-
In this multi-day intrusion, we observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus.
Read More
Related rules
- Linux Webshell Indicators
- Antivirus Web Shell Detection
- Potential Webshell Creation On Static Website
- Suspicious ASPX File Drop by Exchange
- Suspicious File Drop by Exchange