Webshell Hacking Activity Patterns

Detects certain parent-child process patterns seen in cases where a web shell is used to perform credential dumping or exfiltration activities on a compromised system

Sigma rule (View on GitHub)

  1title: Webshell Hacking Activity Patterns
  2id: 4ebc877f-4612-45cb-b3a5-8e3834db36c9
  3status: test
  4description: |
  5        Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
  6references:
  7    - https://youtu.be/7aemGhaE9ds?t=641
  8author: Florian Roth (Nextron Systems)
  9date: 2022-03-17
 10modified: 2023-11-09
 11tags:
 12    - attack.persistence
 13    - attack.discovery
 14    - attack.t1505.003
 15    - attack.t1018
 16    - attack.t1033
 17    - attack.t1087
 18logsource:
 19    category: process_creation
 20    product: windows
 21detection:
 22   # Webserver
 23    selection_webserver_image:
 24        ParentImage|endswith:
 25            - '\caddy.exe'
 26            - '\httpd.exe'
 27            - '\nginx.exe'
 28            - '\php-cgi.exe'
 29            - '\w3wp.exe'
 30            - '\ws_tomcatservice.exe'
 31    selection_webserver_characteristics_tomcat1:
 32        ParentImage|endswith:
 33            - '\java.exe'
 34            - '\javaw.exe'
 35        ParentImage|contains:
 36            - '-tomcat-'
 37            - '\tomcat'
 38    selection_webserver_characteristics_tomcat2:
 39        ParentImage|endswith:
 40            - '\java.exe'
 41            - '\javaw.exe'
 42        CommandLine|contains:
 43            - 'catalina.jar'
 44            - 'CATALINA_HOME'
 45    # Suspicious child processes
 46    selection_child_1:
 47        # Process dumping
 48        CommandLine|contains|all:
 49            - 'rundll32'
 50            - 'comsvcs'
 51    selection_child_2:
 52        # Winrar exfil
 53        CommandLine|contains|all:
 54            - ' -hp'
 55            - ' a '
 56            - ' -m'
 57    selection_child_3:
 58        # User add
 59        CommandLine|contains|all:
 60            - 'net'
 61            - ' user '
 62            - ' /add'
 63    selection_child_4:
 64        CommandLine|contains|all:
 65            - 'net'
 66            - ' localgroup '
 67            - ' administrators '
 68            - '/add'
 69    selection_child_5:
 70        Image|endswith:
 71            # Credential stealing
 72            - '\ntdsutil.exe'
 73            # AD recon
 74            - '\ldifde.exe'
 75            - '\adfind.exe'
 76            # Process dumping
 77            - '\procdump.exe'
 78            - '\Nanodump.exe'
 79            # Destruction / ransom groups
 80            - '\vssadmin.exe'
 81            - '\fsutil.exe'
 82    selection_child_6:
 83        # SUspicious patterns
 84        CommandLine|contains:
 85            - ' -decode '  # Used with certutil
 86            - ' -NoP '  # Often used in malicious PowerShell commands
 87            - ' -W Hidden '  # Often used in malicious PowerShell commands
 88            - ' /decode '  # Used with certutil
 89            - ' /ticket:'  # Rubeus
 90            - ' sekurlsa'  # Mimikatz
 91            - '.dmp full'  # Process dumping method apart from procdump
 92            - '.downloadfile('  # PowerShell download command
 93            - '.downloadstring('  # PowerShell download command
 94            - 'FromBase64String' # PowerShell encoded payload
 95            - 'process call create' # WMIC process creation
 96            - 'reg save '  # save registry SAM - syskey extraction
 97            - 'whoami /priv'
 98    condition: 1 of selection_webserver_* and 1 of selection_child_*
 99falsepositives:
100    - Unlikely
101level: high

References

Related rules
