Potential Webshell Creation On Static Website

Detects the creation of files with server-side script extensions in a web server's document root: `.ashx`, `.asp` (which also covers `.aspx`), `.ph` (covering `.php`, `.phtml`, `.phar`) and `.soap` under `\inetpub\wwwroot\`, and `.ph*` under `\www\`, `\htdocs\` or `\html\`. A new script file appearing in a web root on Windows can indicate that a web shell was uploaded. Note that the rule excludes anything under `\xampp`, files written to the user or system `Temp` directories, and files created by the kernel (`Image: System`), so drops in those locations are not alerted on.

Sigma rule (View on GitHub)

title: Potential Webshell Creation On Static Website
id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
status: test
description: Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
references:
    - PT ESC rule and personal experience
    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md
author: Beyu Denis, oscd.community, Tim Shelton, Thurein Oo
date: 2019/10/22
modified: 2023/10/15
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    category: file_event
detection:
    selection_wwwroot_path:
        TargetFilename|contains: '\inetpub\wwwroot\'
    selection_wwwroot_ext:
        TargetFilename|contains:
            - '.ashx'
            - '.asp'
            - '.ph'
            - '.soap'
    selection_htdocs_path:
        TargetFilename|contains:
            - '\www\'
            - '\htdocs\'
            - '\html\'
    selection_htdocs_ext:
        TargetFilename|contains: '.ph'
    # selection_tomcat_path:
    #     TargetFilename|contains: '\webapps\ROOT'
    # selection_tomcat_ext:
    #     TargetFilename|contains:
    #         - '.jsp' # .jspx, .jspf
    #         - '.jsv'
    #         - '.jsw'
    filter_main_temp:  # FP when unpacking some executables in $TEMP
        TargetFilename|contains:
            - '\AppData\Local\Temp\'
            - '\Windows\Temp\'
    filter_main_system:
        Image: 'System' # FP when backup/restore from drivers
    filter_main_legitimate:
        TargetFilename|contains: '\xampp'
    condition: (all of selection_wwwroot_* or all of selection_htdocs_*) and not 1 of filter_main_*
falsepositives:
    - Legitimate administrator or developer creating legitimate executable files in a web application folder
level: medium
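To see what the condition above actually fires on, here is the rule's logic re-implemented in Python and run over a handful of Sysmon Event ID 11 (FileCreate) records. This is an added example, not code from the Sigma project or from the rule's authors; the records are constructed for illustration, and the only semantic assumption is the standard Sigma one that `contains` and plain string equality are case-insensitive.

```python
"""Evaluate the 'Potential Webshell Creation On Static Website' Sigma rule
against constructed Sysmon Event ID 11 (FileCreate) records.

Added example, not part of the Sigma project. Sigma string matching is
case-insensitive, so every comparison lower-cases both sides.
"""

# Selections and filters copied from the rule.
WWWROOT_PATH = ["\\inetpub\\wwwroot\\"]
WWWROOT_EXT = [".ashx", ".asp", ".ph", ".soap"]
HTDOCS_PATH = ["\\www\\", "\\htdocs\\", "\\html\\"]
HTDOCS_EXT = [".ph"]
FILTER_TEMP = ["\\appdata\\local\\temp\\", "\\windows\\temp\\"]
FILTER_SYSTEM_IMAGE = "system"
FILTER_LEGIT = ["\\xampp"]


def _contains_any(value: str, needles) -> bool:
    """Sigma '|contains' list semantics: any needle is a substring, case-insensitive."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def matches(event: dict) -> bool:
    """Return True if a file_event record satisfies
    (all of selection_wwwroot_* or all of selection_htdocs_*) and not 1 of filter_main_*
    """
    target = event.get("TargetFilename", "")
    image = event.get("Image", "")

    sel_wwwroot = _contains_any(target, WWWROOT_PATH) and _contains_any(target, WWWROOT_EXT)
    sel_htdocs = _contains_any(target, HTDOCS_PATH) and _contains_any(target, HTDOCS_EXT)

    filt_temp = _contains_any(target, FILTER_TEMP)
    filt_system = image.lower() == FILTER_SYSTEM_IMAGE  # plain equality is case-insensitive too
    filt_legit = _contains_any(target, FILTER_LEGIT)

    return (sel_wwwroot or sel_htdocs) and not (filt_temp or filt_system or filt_legit)


# Constructed Sysmon Event ID 11 records (not real telemetry).
SAMPLE_EVENTS = [
    # 1: IIS worker writing an .aspx into wwwroot -> alert ('.asp' also covers '.aspx')
    {"Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "TargetFilename": "C:\\inetpub\\wwwroot\\uploads\\cmd.aspx"},
    # 2: PHP shell under Apache htdocs -> alert ('.ph' covers .php/.phtml/.phar)
    {"Image": "C:\\Apache24\\bin\\httpd.exe",
     "TargetFilename": "C:\\Apache24\\htdocs\\images\\shell.phtml"},
    # 3: same thing under XAMPP -> suppressed by filter_main_legitimate
    {"Image": "C:\\xampp\\apache\\bin\\httpd.exe",
     "TargetFilename": "C:\\xampp\\htdocs\\shell.php"},
    # 4: installer unpacking a \www\ tree into %TEMP% -> suppressed by filter_main_temp
    {"Image": "C:\\Users\\dev\\Downloads\\setup.exe",
     "TargetFilename": "C:\\Users\\dev\\AppData\\Local\\Temp\\pkg\\www\\index.php"},
    # 5: kernel (Image=System) restoring wwwroot from a backup -> suppressed by filter_main_system
    {"Image": "System",
     "TargetFilename": "C:\\inetpub\\wwwroot\\default.asp"},
    # 6: .jsp under Tomcat webapps -> not covered, the tomcat selection is commented out
    {"Image": "C:\\Program Files\\Java\\bin\\java.exe",
     "TargetFilename": "C:\\tomcat\\webapps\\ROOT\\shell.jsp"},
    # 7: static asset in wwwroot -> no script extension, no alert
    {"Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "TargetFilename": "C:\\inetpub\\wwwroot\\images\\logo.png"},
    # 8: mixed-case path -> still matches, Sigma matching is case-insensitive
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\INETPUB\\WWWROOT\\Test.ASHX"},
]


def evaluate(events) -> list:
    """Return the 1-based indexes of the events that trigger the rule."""
    return [i for i, ev in enumerate(events, start=1) if matches(ev)]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS, start=1):
        print(f"{i}: {'ALERT' if matches(ev) else 'no   '}  {ev['TargetFilename']}")
    print("triggered:", evaluate(SAMPLE_EVENTS))
```

Running it alerts on records 1, 2 and 8 only. Two things the run makes visible that are worth keeping in mind when tuning: the `\xampp` exclusion suppresses every file under an XAMPP install, including its `htdocs`, so a shell dropped there is silent; and because the Tomcat selection is commented out, `.jsp` drops into `\webapps\ROOT` are not covered by this rule at all.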
