Webshell ReGeorg Detection Via Web Logs
Certain strings in the cs-uri-query field of web server logs (`cmd=read`, `cmd=connect`, `cmd=disconnect`, `cmd=forward`, `connect&target`), when they appear in a POST request that carries neither a Referer nor a User-Agent header, can indicate the ReGeorg tunnelling webshell. Two points to check before deploying the rule: its `filter` selection is a positive conjunct (`condition: selection and filter`), not an exclusion, and Sigma `null` means the field is absent, whereas IIS writes `-` for an empty field, so the log pipeline must normalise `-` to null or the referer and user-agent conditions may never match.
Sigma rule

```yaml
title: Webshell ReGeorg Detection Via Web Logs
id: 2ea44a60-cfda-11ea-87d0-0242ac130003
status: test
description: Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.
references:
    - https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3
    - https://github.com/sensepost/reGeorg
author: Cian Heasley
date: 2020-08-04
modified: 2023-01-02
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - 'cmd=read'
            - 'connect&target'
            - 'cmd=connect'
            - 'cmd=disconnect'
            - 'cmd=forward'
    filter:
        cs-referer: null
        cs-user-agent: null
        cs-method: POST
    condition: selection and filter
falsepositives:
    - Web applications that use the same URL parameters as ReGeorg
fields:
    - cs-uri-query
    - cs-referer
    - cs-method
    - cs-User-Agent
level: high
```
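The rule's detection logic applied to a constructed IIS W3C log excerpt, as an added example that is not part of the rule or of the Sigma project. It assumes IIS field names (`cs(User-Agent)`, `cs(Referer)`) are mapped onto the rule's `cs-user-agent` and `cs-referer`, treats `contains` as case-insensitive (Sigma's default), and makes the treatment of IIS's `-` placeholder as `null` an explicit switch so the consequence of not normalising it is visible; the log lines are made up, not captured traffic.

```python
import re

# Strings from the rule's `selection`. Sigma `contains` is case-insensitive
# unless the `cased` modifier is used, so the query is lowercased before matching.
SELECTION = ("cmd=read", "connect&target", "cmd=connect", "cmd=disconnect", "cmd=forward")

# Constructed IIS-style W3C extended log excerpt (not real traffic). IIS writes
# '-' for an empty field and encodes spaces inside a value as '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2020-08-04 10:00:01 10.0.0.5 POST /tunnel.aspx cmd=connect&target=10.0.0.20&port=3389 443 - 198.51.100.7 - - 200
2020-08-04 10:00:02 10.0.0.5 POST /tunnel.aspx cmd=forward 443 - 198.51.100.7 - - 200
2020-08-04 10:00:02 10.0.0.5 POST /tunnel.aspx cmd=read 443 - 198.51.100.7 - - 200
2020-08-04 10:00:05 10.0.0.5 POST /tunnel.aspx cmd=disconnect 443 - 198.51.100.7 - - 200
2020-08-04 10:01:00 10.0.0.5 GET /tunnel.aspx cmd=read 443 - 198.51.100.7 - - 200
2020-08-04 10:02:00 10.0.0.5 POST /api/db.aspx cmd=read&id=7 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) https://intranet/app 200
2020-08-04 10:03:00 10.0.0.5 POST /api/db.aspx cmd=CONNECT&target=x 443 - 203.0.113.9 - - 200
2020-08-04 10:04:00 10.0.0.5 POST /index.aspx page=1 443 - 203.0.113.9 - - 200
"""


def normalize_name(name):
    """Map IIS header-style names onto the rule's: cs(User-Agent) -> cs-user-agent."""
    return re.sub(r"\((.*?)\)", r"-\1", name).lower()


def is_null(value, dash_is_null=True):
    """Sigma `null` means the field is absent; IIS logs an empty field as '-'.
    dash_is_null models a pipeline that normalises '-' to null (assumption)."""
    if value is None or value == "":
        return True
    return dash_is_null and value == "-"


def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by normalised field name."""
    fields = None
    events = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [normalize_name(f) for f in line.split()[1:]]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; a real pipeline should flag it
        events.append(dict(zip(fields, values)))
    return events


def matches_rule(event, dash_is_null=True):
    """`selection and filter` from the rule, evaluated on one parsed event."""
    query = (event.get("cs-uri-query") or "").lower()
    selection = any(s in query for s in SELECTION)
    flt = (is_null(event.get("cs-referer"), dash_is_null)
           and is_null(event.get("cs-user-agent"), dash_is_null)
           and event.get("cs-method", "").upper() == "POST")
    return selection and flt


def detect(text, dash_is_null=True):
    """Return the events in `text` that the rule would alert on."""
    return [e for e in parse_w3c(text) if matches_rule(e, dash_is_null)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit["c-ip"], hit["cs-method"], hit["cs-uri-stem"], hit["cs-uri-query"])
    print("hits without '-' normalisation:", len(detect(SAMPLE_LOG, dash_is_null=False)))
```

With the constructed input, the four `/tunnel.aspx` POSTs and the upper-cased `cmd=CONNECT&target=x` request fire; the GET with `cmd=read` and the request that carries a User-Agent and Referer do not. Running with `dash_is_null=False` returns nothing, which is what a backend that translates `null` as "field absent" sees on raw IIS logs.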
References
- https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3
- https://github.com/sensepost/reGeorg
Related rules
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
- Certificate Request Export to Exchange Webserver
- Chopper Webshell Process Pattern
- DEWMODE Webshell Access
- Exchange Set OabVirtualDirectory ExternalUrl Property