Webshell Tool Reconnaissance Activity
Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance for the presence of popular scripting tools (perl, python, wget) on the system by invoking their help switches
Sigma rule
```yaml
title: Webshell Tool Reconnaissance Activity
id: f64e5c19-879c-4bae-b471-6d84c8339677
status: test
description: |
    Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
references:
    - https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html
author: Cian Heasley, Florian Roth (Nextron Systems)
date: 2020-07-22
modified: 2023-11-09
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_webserver_image:
        ParentImage|endswith:
            - '\caddy.exe'
            - '\httpd.exe'
            - '\nginx.exe'
            - '\php-cgi.exe'
            - '\w3wp.exe'
            - '\ws_tomcatservice.exe'
    selection_webserver_characteristics_tomcat1:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentImage|contains:
            - '-tomcat-'
            - '\tomcat'
    selection_webserver_characteristics_tomcat2:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        CommandLine|contains:
            - 'CATALINA_HOME'
            - 'catalina.jar'
    selection_recon:
        CommandLine|contains:
            - 'perl --help'
            - 'perl -h'
            - 'python --help'
            - 'python -h'
            - 'python3 --help'
            - 'python3 -h'
            - 'wget --help'
    condition: 1 of selection_webserver_* and selection_recon
falsepositives:
    - Unknown
level: high
```
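An added evaluator (not part of the rule, SigmaHQ or pySigma) that applies this rule's selection logic to constructed process_creation events, so the condition `1 of selection_webserver_* and selection_recon` can be exercised against positive and negative test cases; the sample events are invented for illustration.

```python
# Added example: applies the selection logic of this Sigma rule to process
# events. Matching is case-insensitive, as Sigma string modifiers are by default.

WEBSERVER_IMAGES = ('\\caddy.exe', '\\httpd.exe', '\\nginx.exe',
                    '\\php-cgi.exe', '\\w3wp.exe', '\\ws_tomcatservice.exe')
JAVA_IMAGES = ('\\java.exe', '\\javaw.exe')
TOMCAT_PATH_HINTS = ('-tomcat-', '\\tomcat')
TOMCAT_CMD_HINTS = ('CATALINA_HOME', 'catalina.jar')
RECON_STRINGS = ('perl --help', 'perl -h', 'python --help', 'python -h',
                 'python3 --help', 'python3 -h', 'wget --help')

def _endswith_any(value, suffixes):
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)

def _contains_any(value, needles):
    v = value.lower()
    return any(n.lower() in v for n in needles)

def matches_rule(event):
    """Evaluate: 1 of selection_webserver_* and selection_recon."""
    parent = event.get('ParentImage', '')
    cmd = event.get('CommandLine', '')
    is_java = _endswith_any(parent, JAVA_IMAGES)
    webserver = (_endswith_any(parent, WEBSERVER_IMAGES)
                 or (is_java and _contains_any(parent, TOMCAT_PATH_HINTS))
                 # tomcat2 tests the spawned process's own CommandLine field
                 or (is_java and _contains_any(cmd, TOMCAT_CMD_HINTS)))
    return webserver and _contains_any(cmd, RECON_STRINGS)

def scan(events):
    """Return the events the rule would alert on."""
    return [e for e in events if matches_rule(e)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {'ParentImage': r'C:\php\php-cgi.exe',
     'CommandLine': 'cmd.exe /c "python --help"'},         # web server + recon
    {'ParentImage': r'C:\apache-tomcat-9.0.50\bin\java.exe',
     'CommandLine': 'cmd.exe /c perl -h'},                  # Tomcat java + recon
    {'ParentImage': r'C:\Windows\System32\cmd.exe',
     'CommandLine': 'python --help'},                       # parent is not a web server
    {'ParentImage': r'C:\Windows\System32\inetsrv\w3wp.exe',
     'CommandLine': 'cmd.exe /c dir'},                      # no recon string
]

if __name__ == '__main__':
    for hit in scan(SAMPLE_EVENTS):
        print('ALERT', hit['ParentImage'], '->', hit['CommandLine'])
```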
References
- https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html
Related rules
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
- Certificate Request Export to Exchange Webserver
- DEWMODE Webshell Access
- Exchange Set OabVirtualDirectory ExternalUrl Property
- Linux Webshell Indicators