Webshell Tool Reconnaissance Activity

Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands

Sigma rule

title: Webshell Tool Reconnaissance Activity
id: f64e5c19-879c-4bae-b471-6d84c8339677
status: test
description: |
    Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
references:
    - https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html
author: Cian Heasley, Florian Roth (Nextron Systems)
date: 2020/07/22
modified: 2023/11/09
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_webserver_image:
        ParentImage|endswith:
            - '\caddy.exe'
            - '\httpd.exe'
            - '\nginx.exe'
            - '\php-cgi.exe'
            - '\w3wp.exe'
            - '\ws_tomcatservice.exe'
    selection_webserver_characteristics_tomcat1:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentImage|contains:
            - '-tomcat-'
            - '\tomcat'
    selection_webserver_characteristics_tomcat2:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        CommandLine|contains:
            - 'CATALINA_HOME'
            - 'catalina.jar'
    selection_recon:
        CommandLine|contains:
            - 'perl --help'
            - 'perl -h'
            - 'python --help'
            - 'python -h'
            - 'python3 --help'
            - 'python3 -h'
            - 'wget --help'
    condition: 1 of selection_webserver_* and selection_recon
falsepositives:
    - Unknown
level: high
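As an added example (not from this page or the SigmaHQ project), the following Python reproduces the rule's three selections and its condition over a handful of constructed Windows process_creation events, so the matching logic can be checked against sample data before the rule is deployed. Field names follow the rule; the event dicts, their ids and the helper names are assumptions.

```python
# Added example: evaluate the Sigma rule's selections and condition in Python.
# Sigma string modifiers (endswith/contains) are case-insensitive, so all
# comparisons are done on lower-cased values.

WEBSERVER_IMAGES = ('\\caddy.exe', '\\httpd.exe', '\\nginx.exe',
                    '\\php-cgi.exe', '\\w3wp.exe', '\\ws_tomcatservice.exe')
JAVA_IMAGES = ('\\java.exe', '\\javaw.exe')
TOMCAT_PATH_MARKERS = ('-tomcat-', '\\tomcat')      # ParentImage|contains
TOMCAT_CMD_MARKERS = ('CATALINA_HOME', 'catalina.jar')  # CommandLine|contains
RECON_MARKERS = ('perl --help', 'perl -h', 'python --help', 'python -h',
                 'python3 --help', 'python3 -h', 'wget --help')


def _endswith(value, suffixes):
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains(value, needles):
    v = value.lower()
    return any(n.lower() in v for n in needles)


def matches(event):
    """Return True when the event satisfies '1 of selection_webserver_* and selection_recon'."""
    parent = event.get('ParentImage', '')
    cmd = event.get('CommandLine', '')
    webserver_image = _endswith(parent, WEBSERVER_IMAGES)
    tomcat1 = _endswith(parent, JAVA_IMAGES) and _contains(parent, TOMCAT_PATH_MARKERS)
    tomcat2 = _endswith(parent, JAVA_IMAGES) and _contains(cmd, TOMCAT_CMD_MARKERS)
    recon = _contains(cmd, RECON_MARKERS)
    return (webserver_image or tomcat1 or tomcat2) and recon


# Constructed sample events (hypothetical ids and paths, not real telemetry).
EVENTS = [
    {'id': 'e1', 'ParentImage': 'C:\\Windows\\System32\\inetsrv\\w3wp.exe',
     'CommandLine': 'cmd.exe /c python --help'},                 # IIS worker -> recon
    {'id': 'e2', 'ParentImage': 'C:\\apache-tomcat-9.0.80\\bin\\java.exe',
     'CommandLine': 'cmd.exe /c wget --help'},                   # Tomcat path -> recon
    {'id': 'e3', 'ParentImage': 'C:\\Program Files\\Java\\bin\\java.exe',
     'CommandLine': 'cmd.exe /c set CATALINA_HOME & perl -h'},   # tomcat2 via CommandLine
    {'id': 'e4', 'ParentImage': 'C:\\Windows\\explorer.exe',
     'CommandLine': 'python --help'},                            # no web-server parent
    {'id': 'e5', 'ParentImage': 'C:\\Windows\\System32\\inetsrv\\w3wp.exe',
     'CommandLine': 'cmd.exe /c dir C:\\inetpub\\wwwroot'},      # no recon marker
]


def alerts(events):
    """Ids of the events the rule would alert on."""
    return [e['id'] for e in events if matches(e)]
```

Note that selection_webserver_characteristics_tomcat2 tests the child's CommandLine for CATALINA_HOME or catalina.jar, as the rule is written, which is why e3 alerts without a Tomcat marker in its ParentImage.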
