Webshell Detection With Command Line Keywords

Detects certain command line parameters often used during reconnaissance activity via web shells

Sigma rule

# Sigma process_creation rule: a child process spawned by a web-server daemon
# whose binary name or command line matches reconnaissance tooling. The rule is
# the AND of two groups of selections (see `condition` at the bottom):
#   selection_webserver_*  -> the parent process is a web server
#   selection_susp_*       -> the child process looks like recon activity
# Sigma semantics: keys inside one selection are ANDed, list values under a key
# are ORed, and a selection written as a list of mappings ORs those mappings.
title: Webshell Detection With Command Line Keywords
id: bed2a484-9348-4143-8a8a-b801c979301c
status: test
description: Detects certain command line parameters often used during reconnaissance activity via web shells
references:
    - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
    - https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
    - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Chad Hudson, Matt Anderson
# Unquoted ISO dates are read as date values by YAML parsers; this is the form
# Sigma tooling expects, so they are deliberately left unquoted.
date: 2017-01-01
modified: 2024-12-14
tags:
    - attack.persistence
    - attack.t1505.003
    - attack.t1018
    - attack.t1033
    - attack.t1087
logsource:
    category: process_creation
    product: windows
detection:
    # --- Parent-side selections: the spawning process is a web server ---------
    # Native web-server daemons, identified by the parent image file name.
    selection_webserver_image:
        ParentImage|endswith:
            - '\w3wp.exe'
            - '\php-cgi.exe'
            - '\nginx.exe'
            - '\httpd.exe'
            - '\caddy.exe'
            - '\ws_tomcatservice.exe'
    # Tomcat runs inside a JVM, so it is recognised either by a Tomcat-flavoured
    # path to java.exe/javaw.exe ...
    selection_webserver_characteristics_tomcat1:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentImage|contains:
            - '-tomcat-'
            - '\tomcat'
    # ... or by Catalina artefacts on the JVM's own command line.
    selection_webserver_characteristics_tomcat2:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        CommandLine|contains:
            - 'catalina.jar'
            - 'CATALINA_HOME'
    # --- Child-side selections: the spawned process looks like recon ----------
    # net.exe / net1.exe account, share and group enumeration. Matching on
    # OriginalFileName (PE header) rather than Image means the check still
    # holds if the on-disk file name differs.
    selection_susp_net_utility:
        OriginalFileName:
            - 'net.exe'
            - 'net1.exe'
        CommandLine|contains:
            - ' user '
            - ' use '
            - ' group '
    # ping with an explicit echo count (-n), a common connectivity probe.
    selection_susp_ping_utility:
        OriginalFileName: 'ping.exe'
        CommandLine|contains: ' -n '
    # cmd.exe directory-change idioms; the first is the China Chopper pattern.
    selection_susp_change_dir:
        CommandLine|contains:
            - '&cd&echo'  # china chopper web shell
            - 'cd /d '  # https://www.computerhope.com/cdhlp.htm
    # wmic directed at a remote host via /node:.
    selection_susp_wmic_utility:
        OriginalFileName: 'wmic.exe'
        CommandLine|contains: ' /node:'
    # Encoded / hidden-window PowerShell flags and the WebClient download
    # cradle. cmd.exe is in the Image list presumably because the PowerShell
    # invocation is often embedded in a cmd.exe command line — confirm.
    selection_susp_powershell_cli:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - ' -enc '
            - ' -EncodedCommand '
            - ' -w hidden '
            - ' -windowstyle hidden'
            - '.WebClient).Download'
    # Discovery binaries, matched by Image path OR by OriginalFileName (the two
    # list entries are alternatives, so either field alone is enough). The two
    # lists differ at systeminfo.exe / sysinfo.exe, presumably because the PE
    # OriginalFileName of systeminfo.exe is reported as sysinfo.exe — verify.
    # NOTE(review): VSSADMIN.EXE appears only in the OriginalFileName list, so
    # telemetry that lacks OriginalFileName (e.g. plain 4688 events) will not
    # match it by Image; confirm whether that asymmetry is intended.
    selection_susp_misc_discovery_binaries:
        - Image|endswith:
              - '\dsquery.exe'
              - '\find.exe'
              - '\findstr.exe'
              - '\ipconfig.exe'
              - '\netstat.exe'
              - '\nslookup.exe'
              - '\pathping.exe'
              - '\quser.exe'
              - '\schtasks.exe'
              - '\systeminfo.exe'
              - '\tasklist.exe'
              - '\tracert.exe'
              - '\ver.exe'
              - '\wevtutil.exe'
              - '\whoami.exe'
        - OriginalFileName:
              - 'dsquery.exe'
              - 'find.exe'
              - 'findstr.exe'
              - 'ipconfig.exe'
              - 'netstat.exe'
              - 'nslookup.exe'
              - 'pathping.exe'
              - 'quser.exe'
              - 'schtasks.exe'
              - 'sysinfo.exe'
              - 'tasklist.exe'
              - 'tracert.exe'
              - 'ver.exe'
              - 'VSSADMIN.EXE'
              - 'wevtutil.exe'
              - 'whoami.exe'
    # Discovery that only shows up on the command line, not in the binary name.
    selection_susp_misc_discovery_commands:
        CommandLine|contains:
            - ' Test-NetConnection '
            - 'dir \'  # remote dir: dir \<redacted IP #3>\C$:\windows\temp\*.exe
    # Fire when at least one web-server parent selection AND at least one
    # suspicious-child selection match the same process_creation event.
    condition: 1 of selection_webserver_* and 1 of selection_susp_*
falsepositives:
    - Unknown
level: high
