Windows Webshell Strings
Detects common commands used in Windows webshells
Sigma rule
```yaml
title: Windows Webshell Strings
id: 7ff9db12-1b94-4a79-ba68-a2402c5d6729
status: test
description: Detects common commands used in Windows webshells
references:
    - https://bad-jubies.github.io/RCE-NOW-WHAT/
    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017-02-19
modified: 2022-11-18
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: webserver
detection:
    selection_method:
        cs-method: 'GET'
    selection_keywords:
        # "%20" is the URL-encoded form of a space
        # "%2B" is the URL-encoded form of "+"
        - '=whoami'
        - '=net%20user'
        - '=net+user'
        - '=net%2Buser'
        - '=cmd%20/c%'
        - '=cmd+/c+'
        - '=cmd%2B/c%'
        - '=cmd%20/r%'
        - '=cmd+/r+'
        - '=cmd%2B/r%'
        - '=cmd%20/k%'
        - '=cmd+/k+'
        - '=cmd%2B/k%'
        - '=powershell%'
        - '=powershell+'
        - '=tasklist%'
        - '=tasklist+'
        - '=wmic%'
        - '=wmic+'
        - '=ssh%'
        - '=ssh+'
        - '=python%'
        - '=python+'
        - '=python3%'
        - '=python3+'
        - '=ipconfig'
        - '=wget%'
        - '=wget+'
        - '=curl%'
        - '=curl+'
        - '=certutil'
        - '=copy%20%5C%5C'
        - '=dsquery%'
        - '=dsquery+'
        - '=nltest%'
        - '=nltest+'
    condition: all of selection_*
fields:
    - client_ip
    - vhost
    - url
    - response
falsepositives:
    - Web sites like wikis with articles on os commands and pages that include the os commands in the URLs
    - User searches in search boxes of the respective website
level: high
```
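As an added illustration (not code from the rule or from the SigmaHQ project), the following Python applies the rule's logic to a constructed IIS W3C-style log excerpt: only GET requests are considered, and any entry of selection_keywords matching as a case-insensitive substring of the event is a hit, which is how a Sigma backend treats a bare keyword list. The wiki line in the sample reproduces the false positive the rule itself lists, which is why matches on a high-level rule like this still need tuning by vhost or path.

```python
# Keyword list copied from selection_keywords above; Sigma bare keywords are substring matches.
WEBSHELL_KEYWORDS = [
    "=whoami", "=net%20user", "=net+user", "=net%2Buser",
    "=cmd%20/c%", "=cmd+/c+", "=cmd%2B/c%", "=cmd%20/r%", "=cmd+/r+", "=cmd%2B/r%",
    "=cmd%20/k%", "=cmd+/k+", "=cmd%2B/k%", "=powershell%", "=powershell+",
    "=tasklist%", "=tasklist+", "=wmic%", "=wmic+", "=ssh%", "=ssh+",
    "=python%", "=python+", "=python3%", "=python3+", "=ipconfig",
    "=wget%", "=wget+", "=curl%", "=curl+", "=certutil", "=copy%20%5C%5C",
    "=dsquery%", "=dsquery+", "=nltest%", "=nltest+",
]

# Constructed IIS W3C-style excerpt (columns trimmed to what the rule needs); not real traffic.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2022-11-18 10:15:02 203.0.113.7 GET /owa/auth/logon.aspx cmd=whoami 200
2022-11-18 10:15:03 203.0.113.7 GET /aspnet_client/shell.aspx c=cmd%20/c%20dir 200
2022-11-18 10:16:00 198.51.100.4 POST /aspnet_client/shell.aspx c=cmd+/c+dir 200
2022-11-18 10:17:10 192.0.2.10 GET /wiki/index.php title=net+user 200
2022-11-18 10:18:00 192.0.2.11 GET /search q=hello+world 200
"""

def parse_w3c(text):
    """Yield (raw_line, record_dict) per entry, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield line, dict(zip(fields, line.split()))

def match_rule(text):
    """selection_method (cs-method == GET) AND selection_keywords (any keyword in the event)."""
    hits = []
    for raw, rec in parse_w3c(text):
        if rec.get("cs-method", "").upper() != "GET":
            continue  # the POST line is skipped: the rule only fires on GET
        event = raw.lower()
        for kw in WEBSHELL_KEYWORDS:
            if kw.lower() in event:
                # Report the rule's 'fields' (vhost is not in this trimmed excerpt) plus the keyword.
                hits.append({"client_ip": rec["c-ip"],
                             "url": rec["cs-uri-stem"] + "?" + rec["cs-uri-query"],
                             "response": rec["sc-status"], "keyword": kw})
                break
    return hits

if __name__ == "__main__":
    for hit in match_rule(SAMPLE_LOG):
        print(hit)
```

The third hit (the /wiki/ request) is the benign case the rule's falsepositives entry describes; an analyst would suppress it by excluding known wiki or search vhosts rather than by dropping the keyword.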
Related rules
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
- Certificate Request Export to Exchange Webserver
- Chopper Webshell Process Pattern
- DEWMODE Webshell Access
- Exchange Set OabVirtualDirectory ExternalUrl Property