Webshell Hacking Activity Patterns
Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
Sigma rule
```yaml
title: Webshell Hacking Activity Patterns
id: 4ebc877f-4612-45cb-b3a5-8e3834db36c9
status: test
description: |
    Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
references:
    - https://youtu.be/7aemGhaE9ds?t=641
author: Florian Roth (Nextron Systems)
date: 2022-03-17
modified: 2023-11-09
tags:
    - attack.persistence
    - attack.discovery
    - attack.t1505.003
    - attack.t1018
    - attack.t1033
    - attack.t1087
logsource:
    category: process_creation
    product: windows
detection:
    # Webserver
    selection_webserver_image:
        ParentImage|endswith:
            - '\caddy.exe'
            - '\httpd.exe'
            - '\nginx.exe'
            - '\php-cgi.exe'
            - '\w3wp.exe'
            - '\ws_tomcatservice.exe'
    selection_webserver_characteristics_tomcat1:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentImage|contains:
            - '-tomcat-'
            - '\tomcat'
    selection_webserver_characteristics_tomcat2:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        CommandLine|contains:
            - 'catalina.jar'
            - 'CATALINA_HOME'
    # Suspicious child processes
    selection_child_1:
        # Process dumping
        CommandLine|contains|all:
            - 'rundll32'
            - 'comsvcs'
    selection_child_2:
        # Winrar exfil
        CommandLine|contains|all:
            - ' -hp'
            - ' a '
            - ' -m'
    selection_child_3:
        # User add
        CommandLine|contains|all:
            - 'net'
            - ' user '
            - ' /add'
    selection_child_4:
        CommandLine|contains|all:
            - 'net'
            - ' localgroup '
            - ' administrators '
            - '/add'
    selection_child_5:
        Image|endswith:
            # Credential stealing
            - '\ntdsutil.exe'
            # AD recon
            - '\ldifde.exe'
            - '\adfind.exe'
            # Process dumping
            - '\procdump.exe'
            - '\Nanodump.exe'
            # Destruction / ransom groups
            - '\vssadmin.exe'
            - '\fsutil.exe'
    selection_child_6:
        # Suspicious patterns
        CommandLine|contains:
            - ' -decode '            # Used with certutil
            - ' -NoP '               # Often used in malicious PowerShell commands
            - ' -W Hidden '          # Often used in malicious PowerShell commands
            - ' /decode '            # Used with certutil
            - ' /ticket:'            # Rubeus
            - ' sekurlsa'            # Mimikatz
            - '.dmp full'            # Process dumping method apart from procdump
            - '.downloadfile('       # PowerShell download command
            - '.downloadstring('     # PowerShell download command
            - 'FromBase64String'     # PowerShell encoded payload
            - 'process call create'  # WMIC process creation
            - 'reg save '            # save registry SAM - syskey extraction
            - 'whoami /priv'
    condition: 1 of selection_webserver_* and 1 of selection_child_*
falsepositives:
    - Unlikely
level: high
```
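To show how the condition above actually combines its pieces (keys inside one selection are AND-ed, list values are OR-ed unless the `|all` modifier is present, and the final `1 of selection_webserver_* and 1 of selection_child_*` requires one hit from each group), here is an added Python evaluator that transcribes the rule's selections and runs them over a few constructed `process_creation` events. This is example code written for this page, not part of the Sigma repository or any Sigma backend; the sample events, their paths and command lines are constructed, and the `<args>` token is a placeholder, not a real argument.

```python
"""Added example: evaluate the Sigma rule above over constructed process_creation events.

Not part of the Sigma project. The selections are transcribed from the rule and the
three string modifiers it uses (endswith, contains, contains|all) are implemented
with Sigma's default case-insensitive string matching.
"""

# Keys inside one selection are AND-ed; list values under a key are OR-ed
# (except under |all, where every value must be present in the field).
WEBSERVER_SELECTIONS = {
    "selection_webserver_image": {
        ("ParentImage", "endswith"): [
            r"\caddy.exe", r"\httpd.exe", r"\nginx.exe",
            r"\php-cgi.exe", r"\w3wp.exe", r"\ws_tomcatservice.exe",
        ],
    },
    "selection_webserver_characteristics_tomcat1": {
        ("ParentImage", "endswith"): [r"\java.exe", r"\javaw.exe"],
        ("ParentImage", "contains"): ["-tomcat-", r"\tomcat"],
    },
    "selection_webserver_characteristics_tomcat2": {
        ("ParentImage", "endswith"): [r"\java.exe", r"\javaw.exe"],
        ("CommandLine", "contains"): ["catalina.jar", "CATALINA_HOME"],
    },
}

CHILD_SELECTIONS = {
    "selection_child_1": {("CommandLine", "contains|all"): ["rundll32", "comsvcs"]},
    "selection_child_2": {("CommandLine", "contains|all"): [" -hp", " a ", " -m"]},
    "selection_child_3": {("CommandLine", "contains|all"): ["net", " user ", " /add"]},
    "selection_child_4": {
        ("CommandLine", "contains|all"): ["net", " localgroup ", " administrators ", "/add"],
    },
    "selection_child_5": {
        ("Image", "endswith"): [
            r"\ntdsutil.exe", r"\ldifde.exe", r"\adfind.exe", r"\procdump.exe",
            r"\Nanodump.exe", r"\vssadmin.exe", r"\fsutil.exe",
        ],
    },
    "selection_child_6": {
        ("CommandLine", "contains"): [
            " -decode ", " -NoP ", " -W Hidden ", " /decode ", " /ticket:", " sekurlsa",
            ".dmp full", ".downloadfile(", ".downloadstring(", "FromBase64String",
            "process call create", "reg save ", "whoami /priv",
        ],
    },
}


def field_matches(value, modifier, patterns):
    """Apply one Sigma string modifier; comparison is case-insensitive as in Sigma."""
    v = (value or "").lower()
    pats = [p.lower() for p in patterns]
    if modifier == "endswith":
        return any(v.endswith(p) for p in pats)
    if modifier == "contains":
        return any(p in v for p in pats)
    if modifier == "contains|all":
        return all(p in v for p in pats)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection):
    """Every (field, modifier) entry of a selection must match the event (AND)."""
    return all(field_matches(event.get(field), mod, pats)
               for (field, mod), pats in selection.items())


def evaluate(event):
    """Rule condition: 1 of selection_webserver_* and 1 of selection_child_*.

    Returns every (webserver_selection, child_selection) pair that fired so the
    analyst sees all reasons the event was flagged; an empty list means no alert.
    """
    parents = [n for n, s in WEBSERVER_SELECTIONS.items() if selection_matches(event, s)]
    children = [n for n, s in CHILD_SELECTIONS.items() if selection_matches(event, s)]
    return [(p, c) for p in parents for c in children]


# Constructed sample events (not real telemetry); field names follow the Sigma
# process_creation taxonomy the rule is written against. '<args>' is a placeholder.
SAMPLE_EVENTS = [
    {   # IIS worker process spawning a comsvcs-based memory dump
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"RunDll32.exe C:\Windows\System32\comsvcs.dll <args> C:\Temp\proc.dmp full",
    },
    {   # Tomcat's java.exe (path carries '-tomcat-') spawning a local account creation
        "ParentImage": r"C:\apache-tomcat-9.0\bin\java.exe",
        "Image": r"C:\Windows\System32\net.exe",
        "CommandLine": "net user tempsvc Passw0rd! /add",
    },
    {   # Benign: ASP.NET compile step under w3wp.exe; webserver parent, no child selection
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        "CommandLine": r"csc.exe /noconfig /fullpaths @C:\Windows\Temp\build.cmdline",
    },
    {   # Suspicious child, but the parent is not a web server, so the AND fails
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll <args> C:\Temp\proc.dmp full",
    },
]


def scan(events=SAMPLE_EVENTS):
    """Return {event index: fired pairs} for the events that alert."""
    return {i: evaluate(ev) for i, ev in enumerate(events) if evaluate(ev)}


if __name__ == "__main__":
    for i, fired in scan().items():
        print(f"event {i}: {fired}")
```

Two things the run makes visible. First, event 0 fires twice (via `selection_child_1` and `selection_child_6`), which is why returning every pair rather than a boolean is useful when triaging. Second, `selection_webserver_characteristics_tomcat2` keys on `CommandLine`, which in a `process_creation` event is the spawned process's own command line, so as written it only contributes when the child command line itself mentions `catalina.jar` or `CATALINA_HOME`; the evaluator reproduces that behaviour rather than quietly substituting `ParentCommandLine`.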
Related rules
- Chopper Webshell Process Pattern
- Webshell Detection With Command Line Keywords
- Cisco Discovery
- HackTool - winPEAS Execution
- SharpHound Recon Sessions