rules/web/win_webshell_regeorg.yml

title: Webshell ReGeorg Detection Via Web Logs
id: 2ea44a60-cfda-11ea-87d0-0242ac130003
status: experimental
description: Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.
author: Cian Heasley
date: 2020/08/04
modified: 2020/09/03
reference:
    - https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3
    - https://github.com/sensepost/reGeorg
logsource:
    category: webserver
detection:
    selection:
        uri_query|contains:
            - '*cmd=read*'
            - '*connect&target*'
            - '*cmd=connect*'
            - '*cmd=disconnect*'
            - '*cmd=forward*'
    filter:
        referer: null
        useragent: null
        method: POST
    condition: selection and filter
fields:
    - uri_query
    - referer
    - method
    - useragent
falsepositives:
    - web applications that use the same URL parameters as ReGeorg
level: high
tags:
    - attack.persistence
    - attack.t1100
    - attack.t1505.003
Add files via upload 2020-08-03 12:20:04 +01:00			`title: Webshell ReGeorg Detection Via Web Logs`
			`id: 2ea44a60-cfda-11ea-87d0-0242ac130003`
			`status: experimental`
			`description: Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.`
			`author: Cian Heasley`
Second round 2020-09-15 07:02:30 -06:00			`date: 2020/08/04`
			`modified: 2020/09/03`
Add files via upload 2020-08-03 12:20:04 +01:00			`reference:`
			`- https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3`
			`- https://github.com/sensepost/reGeorg`
			`logsource:`
			`category: webserver`
			`detection:`
			`selection:`
			`uri_query\|contains:`
			`- 'cmd=read'`
			`- 'connect&target'`
			`- 'cmd=connect'`
			`- 'cmd=disconnect'`
			`- 'cmd=forward'`
			`filter:`
			`referer: null`
			`useragent: null`
			`method: POST`
			`condition: selection and filter`
			`fields:`
			`- uri_query`
			`- referer`
			`- method`
			`- useragent`
			`falsepositives:`
docs: add FP condition 2020-08-03 13:50:47 +02:00			`- web applications that use the same URL parameters as ReGeorg`
Add files via upload 2020-08-03 12:20:04 +01:00			`level: high`
Second round 2020-09-15 07:02:30 -06:00			`tags:`
			`- attack.persistence`
			`- attack.t1100`
			`- attack.t1505.003`