Webshell Detection With Command Line Keywords
Detects certain command line parameters often used during reconnaissance activity via web shells
Sigma rule (View on GitHub)
1title: Webshell Detection With Command Line Keywords
2id: bed2a484-9348-4143-8a8a-b801c979301c
3status: test
4description: Detects certain command line parameters often used during reconnaissance activity via web shells
5references:
6 - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
7 - https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
8author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community
9date: 2017-01-01
10modified: 2022-05-13
11tags:
12 - attack.persistence
13 - attack.t1505.003
14 - attack.t1018
15 - attack.t1033
16 - attack.t1087
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 selection_webserver_image:
22 ParentImage|endswith:
23 - '\w3wp.exe'
24 - '\php-cgi.exe'
25 - '\nginx.exe'
26 - '\httpd.exe'
27 - '\caddy.exe'
28 - '\ws_tomcatservice.exe'
29 selection_webserver_characteristics_tomcat1:
30 ParentImage|endswith:
31 - '\java.exe'
32 - '\javaw.exe'
33 ParentImage|contains:
34 - '-tomcat-'
35 - '\tomcat'
36 selection_webserver_characteristics_tomcat2:
37 ParentImage|endswith:
38 - '\java.exe'
39 - '\javaw.exe'
40 CommandLine|contains:
41 - 'catalina.jar'
42 - 'CATALINA_HOME'
43 selection_susp_net_utility:
44 OriginalFileName:
45 - 'net.exe'
46 - 'net1.exe'
47 CommandLine|contains:
48 - ' user '
49 - ' use '
50 - ' group '
51 selection_susp_ping_utility:
52 OriginalFileName: 'ping.exe'
53 CommandLine|contains: ' -n '
54 selection_susp_change_dir:
55 CommandLine|contains:
56 - '&cd&echo' # china chopper web shell
57 - 'cd /d ' # https://www.computerhope.com/cdhlp.htm
58 selection_susp_wmic_utility:
59 OriginalFileName: 'wmic.exe'
60 CommandLine|contains: ' /node:'
61 selection_susp_misc_discovery_binaries:
62 - Image|endswith:
63 - '\dsquery.exe'
64 - '\find.exe'
65 - '\findstr.exe'
66 - '\ipconfig.exe'
67 - '\netstat.exe'
68 - '\nslookup.exe'
69 - '\pathping.exe'
70 - '\quser.exe'
71 - '\schtasks.exe'
72 - '\systeminfo.exe'
73 - '\tasklist.exe'
74 - '\tracert.exe'
75 - '\ver.exe'
76 - '\wevtutil.exe'
77 - '\whoami.exe'
78 - OriginalFileName:
79 - 'dsquery.exe'
80 - 'find.exe'
81 - 'findstr.exe'
82 - 'ipconfig.exe'
83 - 'netstat.exe'
84 - 'nslookup.exe'
85 - 'pathping.exe'
86 - 'quser.exe'
87 - 'schtasks.exe'
88 - 'sysinfo.exe'
89 - 'tasklist.exe'
90 - 'tracert.exe'
91 - 'ver.exe'
92 - 'VSSADMIN.EXE'
93 - 'wevtutil.exe'
94 - 'whoami.exe'
95 selection_susp_misc_discovery_commands:
96 CommandLine|contains:
97 - ' Test-NetConnection '
98 - 'dir \' # remote dir: dir \<redacted IP #3>\C$:\windows\temp\*.exe
99 condition: 1 of selection_webserver_* and 1 of selection_susp_*
100falsepositives:
101 - Unknown
102level: high
References
-
Decoded traffic: varc=newSystem.Diagnostics.ProcessStartInfo(System.Text.Encoding.GetEncoding(65001). GetString(System.Convert.FromBase64String(Request.Item["z1"]))); vare=newSystem.Diagnostics.Pro...
Read More -
The BumbleBee webshell is used by the xHunt Campaign to upload and download files to a compromised server and to move laterally on the network.
Read More
Related rules
- Chopper Webshell Process Pattern
- Webshell Hacking Activity Patterns
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
- Certificate Request Export to Exchange Webserver
- Cisco Discovery