rules/windows/file_event/sysmon_webshell_creation_detect.yml

title: Windows Webshell Creation
id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
status: experimental
description: Possible webshell file creation on a static web site
references:
    - PT ESC rule and personal experience
author: Beyu Denis, oscd.community
date: 2019/10/22
modified: 2020/08/23
tags:
    - attack.persistence
    - attack.t1100          # an old one
    - attack.t1505.003
level: critical
logsource:
    product: windows
    category: file_event
detection:
    selection_2:
        TargetFilename|contains: '\inetpub\wwwroot\'
    selection_3:
        TargetFilename|contains:
            - '.asp'
            - '.ashx'
            - '.ph'
    selection_4:
        TargetFilename|contains:
            - '\www\'
            - '\htdocs\'
            - '\html\'
    selection_5:
        TargetFilename|contains: '.ph'
    selection_6:
        - TargetFilename|endswith: '.jsp'
        - TargetFilename|contains|all:
            - '\cgi-bin\'
            - '.pl'
    false_positives:  # false positives when unpacking some executables in $TEMP
        TargetFilename|contains:
            - '\AppData\Local\Temp\'
            - '\Windows\Temp\'
    # kind of ugly but sigmac seems not to handle double parenthesis "(("
    # we shold prefer something like : selection_1 and not false_positives and ((selection_2 and selection_3) or (selection_4 and selection_5) or selection_6)
    condition: (selection_2 and selection_3 and not false_positives) or (selection_4 and selection_5 and not false_positives) or (selection_6 and not false_positives)
falsepositives:
    - Legitimate administrator or developer creating legitimate executable files in a web application folder
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`title: Windows Webshell Creation`
			`id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9`
			`status: experimental`
			`description: Possible webshell file creation on a static web site`
			`references:`
			`- PT ESC rule and personal experience`
			`author: Beyu Denis, oscd.community`
			`date: 2019/10/22`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-25 01:09:17 +02:00			`modified: 2020/08/23`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`tags:`
			`- attack.persistence`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-25 01:09:17 +02:00			`- attack.t1100 # an old one`
			`- attack.t1505.003`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`level: critical`
			`logsource:`
			`product: windows`
Changed category names and remove sysmon log source 2020-06-24 17:41:21 +02:00			`category: file_event`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`detection:`
			`selection_2:`
			`TargetFilename\|contains: '\inetpub\wwwroot\'`
			`selection_3:`
			`TargetFilename\|contains:`
			`- '.asp'`
			`- '.ashx'`
			`- '.ph'`
			`selection_4:`
			`TargetFilename\|contains:`
			`- '\www\'`
			`- '\htdocs\'`
			`- '\html\'`
			`selection_5:`
			`TargetFilename\|contains: '.ph'`
			`selection_6:`
			`- TargetFilename\|endswith: '.jsp'`
			`- TargetFilename\|contains\|all:`
			`- '\cgi-bin\'`
			`- '.pl'`
			`false_positives: # false positives when unpacking some executables in $TEMP`
			`TargetFilename\|contains:`
			`- '\AppData\Local\Temp\'`
			`- '\Windows\Temp\'`
			`# kind of ugly but sigmac seems not to handle double parenthesis "(("`
			`# we shold prefer something like : selection_1 and not false_positives and ((selection_2 and selection_3) or (selection_4 and selection_5) or selection_6)`
			`condition: (selection_2 and selection_3 and not false_positives) or (selection_4 and selection_5 and not false_positives) or (selection_6 and not false_positives)`
			`falsepositives:`
			`- Legitimate administrator or developer creating legitimate executable files in a web application folder`