Webshell Hacking Activity Patterns
Detects certain parent-child process patterns found in cases in which a web shell is used to perform credential dumping, reconnaissance or exfiltration activities on a compromised system
Sigma rule

```yaml
title: Webshell Hacking Activity Patterns
id: 4ebc877f-4612-45cb-b3a5-8e3834db36c9
status: test
description: |
  Detects certain parent-child process patterns found in cases in which a web shell is used to perform credential dumping, reconnaissance or exfiltration activities on a compromised system
references:
  - https://youtu.be/7aemGhaE9ds?t=641
author: Florian Roth (Nextron Systems)
date: 2022-03-17
modified: 2023-11-09
tags:
  - attack.persistence
  - attack.t1505.003
  - attack.t1018
  - attack.t1033
  - attack.t1087
logsource:
  category: process_creation
  product: windows
detection:
  # Webserver
  selection_webserver_image:
    ParentImage|endswith:
      - '\caddy.exe'
      - '\httpd.exe'
      - '\nginx.exe'
      - '\php-cgi.exe'
      - '\w3wp.exe'
      - '\ws_tomcatservice.exe'
  selection_webserver_characteristics_tomcat1:
    ParentImage|endswith:
      - '\java.exe'
      - '\javaw.exe'
    ParentImage|contains:
      - '-tomcat-'
      - '\tomcat'
  selection_webserver_characteristics_tomcat2:
    ParentImage|endswith:
      - '\java.exe'
      - '\javaw.exe'
    CommandLine|contains:
      - 'catalina.jar'
      - 'CATALINA_HOME'
  # Suspicious child processes
  selection_child_1:
    # Process dumping
    CommandLine|contains|all:
      - 'rundll32'
      - 'comsvcs'
  selection_child_2:
    # WinRAR exfil
    CommandLine|contains|all:
      - ' -hp'
      - ' a '
      - ' -m'
  selection_child_3:
    # User add
    CommandLine|contains|all:
      - 'net'
      - ' user '
      - ' /add'
  selection_child_4:
    CommandLine|contains|all:
      - 'net'
      - ' localgroup '
      - ' administrators '
      - '/add'
  selection_child_5:
    Image|endswith:
      # Credential stealing
      - '\ntdsutil.exe'
      # AD recon
      - '\ldifde.exe'
      - '\adfind.exe'
      # Process dumping
      - '\procdump.exe'
      - '\Nanodump.exe'
      # Destruction / ransom groups
      - '\vssadmin.exe'
      - '\fsutil.exe'
  selection_child_6:
    # Suspicious patterns
    CommandLine|contains:
      - ' -decode ' # Used with certutil
      - ' -NoP ' # Often used in malicious PowerShell commands
      - ' -W Hidden ' # Often used in malicious PowerShell commands
      - ' /decode ' # Used with certutil
      - ' /ticket:' # Rubeus
      - ' sekurlsa' # Mimikatz
      - '.dmp full' # Process dumping method apart from procdump
      - '.downloadfile(' # PowerShell download command
      - '.downloadstring(' # PowerShell download command
      - 'FromBase64String' # PowerShell encoded payload
      - 'process call create' # WMIC process creation
      - 'reg save ' # save registry SAM - syskey extraction
      - 'whoami /priv'
  condition: 1 of selection_webserver_* and 1 of selection_child_*
falsepositives:
  - Unlikely
level: high
```
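The following is an added example, not code from the SigmaHQ rule or project: a small Python evaluator that applies the rule's selections and condition to process_creation events, so the matching logic can be checked against constructed events before the rule goes into a SIEM. It assumes Sysmon-style field names (ParentImage, Image, CommandLine) supplied as dictionaries; the sample events are constructed, not real telemetry. Two behaviours worth noticing: Sigma string modifiers match case-insensitively, so the evaluator lowercases both sides, and selection_webserver_characteristics_tomcat2 tests CommandLine, i.e. the command line of the spawned process, not ParentCommandLine, so a Tomcat parent is in practice recognised through the path check in tomcat1.

```python
# Added example evaluator for the "Webshell Hacking Activity Patterns" Sigma rule.
# Not the project's code; field names assume Sysmon Event ID 1 style events.
# Sigma |contains / |endswith are case-insensitive, so all comparisons use lowercase.

WEBSERVER_IMAGES = ['\\caddy.exe', '\\httpd.exe', '\\nginx.exe',
                    '\\php-cgi.exe', '\\w3wp.exe', '\\ws_tomcatservice.exe']
JAVA_IMAGES = ['\\java.exe', '\\javaw.exe']
TOMCAT_PATH_MARKERS = ['-tomcat-', '\\tomcat']          # ParentImage|contains
TOMCAT_CMD_MARKERS = ['catalina.jar', 'catalina_home']  # CommandLine|contains (child's)

CHILD_IMAGES = ['\\ntdsutil.exe', '\\ldifde.exe', '\\adfind.exe', '\\procdump.exe',
                '\\nanodump.exe', '\\vssadmin.exe', '\\fsutil.exe']
# selection_child_1 .. selection_child_4: CommandLine|contains|all
CHILD_ALL_PATTERNS = [
    ['rundll32', 'comsvcs'],                          # comsvcs.dll MiniDump
    [' -hp', ' a ', ' -m'],                           # WinRAR archive with password
    ['net', ' user ', ' /add'],                       # local user creation
    ['net', ' localgroup ', ' administrators ', '/add'],
]
# selection_child_6: CommandLine|contains (any)
CHILD_ANY_PATTERNS = [' -decode ', ' -nop ', ' -w hidden ', ' /decode ', ' /ticket:',
                      ' sekurlsa', '.dmp full', '.downloadfile(', '.downloadstring(',
                      'frombase64string', 'process call create', 'reg save ', 'whoami /priv']


def _ends_with_any(value, suffixes):
    return any(value.endswith(s) for s in suffixes)


def _contains_any(value, needles):
    return any(n in value for n in needles)


def _contains_all(value, needles):
    return all(n in value for n in needles)


def webserver_selections(event):
    """Names of the selection_webserver_* clauses satisfied by the event."""
    parent = event.get('ParentImage', '').lower()
    cmd = event.get('CommandLine', '').lower()   # the spawned process's command line
    hit = set()
    if _ends_with_any(parent, WEBSERVER_IMAGES):
        hit.add('selection_webserver_image')
    if _ends_with_any(parent, JAVA_IMAGES):
        if _contains_any(parent, TOMCAT_PATH_MARKERS):
            hit.add('selection_webserver_characteristics_tomcat1')
        if _contains_any(cmd, TOMCAT_CMD_MARKERS):   # as written in the rule: CommandLine
            hit.add('selection_webserver_characteristics_tomcat2')
    return hit


def child_selections(event):
    """Names of the selection_child_* clauses satisfied by the event."""
    image = event.get('Image', '').lower()
    cmd = event.get('CommandLine', '').lower()
    hit = set()
    for i, needles in enumerate(CHILD_ALL_PATTERNS, start=1):
        if _contains_all(cmd, needles):
            hit.add(f'selection_child_{i}')
    if _ends_with_any(image, CHILD_IMAGES):
        hit.add('selection_child_5')
    if _contains_any(cmd, CHILD_ANY_PATTERNS):
        hit.add('selection_child_6')
    return hit


def rule_matches(event):
    """condition: 1 of selection_webserver_* and 1 of selection_child_*"""
    return bool(webserver_selections(event)) and bool(child_selections(event))


# Constructed sample events (hypothetical paths and command lines, not captured data).
SAMPLE_EVENTS = [
    {   # IIS worker dumping LSASS via comsvcs.dll; mixed case to show case-insensitivity
        'ParentImage': r'C:\Windows\System32\inetsrv\w3wp.exe',
        'Image': r'C:\Windows\System32\rundll32.exe',
        'CommandLine': r'RUNDLL32.EXE C:\Windows\System32\COMSVCS.DLL, MiniDump 624 C:\Windows\Temp\l.dmp full',
    },
    {   # Tomcat's java.exe (path contains \tomcat) spawning ntdsutil
        'ParentImage': r'C:\Program Files\Apache Software Foundation\Tomcat 9.0\bin\java.exe',
        'Image': r'C:\Windows\System32\ntdsutil.exe',
        'CommandLine': 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\temp\\ad" q q',
    },
    {   # php-cgi spawning a password-protected WinRAR archive job
        'ParentImage': r'C:\php\php-cgi.exe',
        'Image': r'C:\Program Files\WinRAR\Rar.exe',
        'CommandLine': r'Rar.exe a -hpS3cret -m5 C:\Windows\Temp\out.rar C:\inetpub\wwwroot\dump',
    },
    {   # benign: ASP.NET compilation under w3wp.exe, no suspicious child pattern
        'ParentImage': r'C:\Windows\System32\inetsrv\w3wp.exe',
        'Image': r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe',
        'CommandLine': r'csc.exe /noconfig /fullpaths @"C:\Windows\Temp\abc.cmdline"',
    },
    {   # suspicious child but parent is cmd.exe, not a web server: rule must not fire
        'ParentImage': r'C:\Windows\System32\cmd.exe',
        'Image': r'C:\Windows\System32\net.exe',
        'CommandLine': 'net user backdoor P@ssw0rd /add',
    },
]

if __name__ == '__main__':
    for ev in SAMPLE_EVENTS:
        print(rule_matches(ev), sorted(webserver_selections(ev)), sorted(child_selections(ev)))
```

The third event also shows why the `|all` modifier matters: the bare needle `net` matches inside `inetpub`, but selection_child_3 only fires when ` user ` and ` /add` are present as well, so only the WinRAR clause is reported for it.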
Related rules
- Chopper Webshell Process Pattern
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
- Certificate Request Export to Exchange Webserver
- Cisco Discovery
- DEWMODE Webshell Access