Webshell Hacking Activity Patterns

calendar Nov 10, 2023 · attack.persistence attack.t1505.003 attack.t1018 attack.t1033 attack.t1087  ·
Share on: linkedin copy

Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system

Sigma rule (View on GitHub)

  1title: Webshell Hacking Activity Patterns
  2id: 4ebc877f-4612-45cb-b3a5-8e3834db36c9
  3status: test
  4description: |
  5        Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
  6references:
  7    - https://youtu.be/7aemGhaE9ds?t=641
  8author: Florian Roth (Nextron Systems)
  9date: 2022/03/17
 10modified: 2023/11/09
 11tags:
 12    - attack.persistence
 13    - attack.t1505.003
 14    - attack.t1018
 15    - attack.t1033
 16    - attack.t1087
 17logsource:
 18    category: process_creation
 19    product: windows
 20detection:
 21   # Webserver
 22    selection_webserver_image:
 23        ParentImage|endswith:
 24            - '\caddy.exe'
 25            - '\httpd.exe'
 26            - '\nginx.exe'
 27            - '\php-cgi.exe'
 28            - '\w3wp.exe'
 29            - '\ws_tomcatservice.exe'
 30    selection_webserver_characteristics_tomcat1:
 31        ParentImage|endswith:
 32            - '\java.exe'
 33            - '\javaw.exe'
 34        ParentImage|contains:
 35            - '-tomcat-'
 36            - '\tomcat'
 37    selection_webserver_characteristics_tomcat2:
 38        ParentImage|endswith:
 39            - '\java.exe'
 40            - '\javaw.exe'
 41        CommandLine|contains:
 42            - 'catalina.jar'
 43            - 'CATALINA_HOME'
 44    # Suspicious child processes
 45    selection_child_1:
 46        # Process dumping
 47        CommandLine|contains|all:
 48            - 'rundll32'
 49            - 'comsvcs'
 50    selection_child_2:
 51        # Winrar exfil
 52        CommandLine|contains|all:
 53            - ' -hp'
 54            - ' a '
 55            - ' -m'
 56    selection_child_3:
 57        # User add
 58        CommandLine|contains|all:
 59            - 'net'
 60            - ' user '
 61            - ' /add'
 62    selection_child_4:
 63        CommandLine|contains|all:
 64            - 'net'
 65            - ' localgroup '
 66            - ' administrators '
 67            - '/add'
 68    selection_child_5:
 69        Image|endswith:
 70            # Credential stealing
 71            - '\ntdsutil.exe'
 72            # AD recon
 73            - '\ldifde.exe'
 74            - '\adfind.exe'
 75            # Process dumping
 76            - '\procdump.exe'
 77            - '\Nanodump.exe'
 78            # Destruction / ransom groups
 79            - '\vssadmin.exe'
 80            - '\fsutil.exe'
 81    selection_child_6:
 82        # SUspicious patterns
 83        CommandLine|contains:
 84            - ' -decode '  # Used with certutil
 85            - ' -NoP '  # Often used in malicious PowerShell commands
 86            - ' -W Hidden '  # Often used in malicious PowerShell commands
 87            - ' /decode '  # Used with certutil
 88            - ' /ticket:'  # Rubeus
 89            - ' sekurlsa'  # Mimikatz
 90            - '.dmp full'  # Process dumping method apart from procdump
 91            - '.downloadfile('  # PowerShell download command
 92            - '.downloadstring('  # PowerShell download command
 93            - 'FromBase64String' # PowerShell encoded payload
 94            - 'process call create' # WMIC process creation
 95            - 'reg save '  # save registry SAM - syskey extraction
 96            - 'whoami /priv'
 97    condition: 1 of selection_webserver_* and 1 of selection_child_*
 98falsepositives:
 99    - Unlikely
100level: high

References

Related rules

to-top