rules/windows/process_creation/proc_creation_win_webshell_hacking.yml

title: Webshell Hacking Activity Patterns
id: 4ebc877f-4612-45cb-b3a5-8e3834db36c9
status: test
description: |
    Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
references:
    - https://youtu.be/7aemGhaE9ds?t=641
author: Florian Roth (Nextron Systems)
date: 2022-03-17
modified: 2023-11-09
tags:
    - attack.persistence
    - attack.discovery
    - attack.t1505.003
    - attack.t1018
    - attack.t1033
    - attack.t1087
logsource:
    category: process_creation
    product: windows
detection:
   # Webserver
    selection_webserver_image:
        ParentImage|endswith:
            - '\caddy.exe'
            - '\httpd.exe'
            - '\nginx.exe'
            - '\php-cgi.exe'
            - '\w3wp.exe'
            - '\ws_tomcatservice.exe'
    selection_webserver_characteristics_tomcat1:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentImage|contains:
            - '-tomcat-'
            - '\tomcat'
    selection_webserver_characteristics_tomcat2:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        CommandLine|contains:
            - 'catalina.jar'
            - 'CATALINA_HOME'
    # Suspicious child processes
    selection_child_1:
        # Process dumping
        CommandLine|contains|all:
            - 'rundll32'
            - 'comsvcs'
    selection_child_2:
        # Winrar exfil
        CommandLine|contains|all:
            - ' -hp'
            - ' a '
            - ' -m'
    selection_child_3:
        # User add
        CommandLine|contains|all:
            - 'net'
            - ' user '
            - ' /add'
    selection_child_4:
        CommandLine|contains|all:
            - 'net'
            - ' localgroup '
            - ' administrators '
            - '/add'
    selection_child_5:
        Image|endswith:
            # Credential stealing
            - '\ntdsutil.exe'
            # AD recon
            - '\ldifde.exe'
            - '\adfind.exe'
            # Process dumping
            - '\procdump.exe'
            - '\Nanodump.exe'
            # Destruction / ransom groups
            - '\vssadmin.exe'
            - '\fsutil.exe'
    selection_child_6:
        # SUspicious patterns
        CommandLine|contains:
            - ' -decode '  # Used with certutil
            - ' -NoP '  # Often used in malicious PowerShell commands
            - ' -W Hidden '  # Often used in malicious PowerShell commands
            - ' /decode '  # Used with certutil
            - ' /ticket:'  # Rubeus
            - ' sekurlsa'  # Mimikatz
            - '.dmp full'  # Process dumping method apart from procdump
            - '.downloadfile('  # PowerShell download command
            - '.downloadstring('  # PowerShell download command
            - 'FromBase64String' # PowerShell encoded payload
            - 'process call create' # WMIC process creation
            - 'reg save '  # save registry SAM - syskey extraction
            - 'whoami /priv'
    condition: 1 of selection_webserver_* and 1 of selection_child_*
falsepositives:
    - Unlikely
level: high
rule: new webshell detection rule 2022-03-17 18:31:11 +01:00			`title: Webshell Hacking Activity Patterns`
			`id: 4ebc877f-4612-45cb-b3a5-8e3834db36c9`
$frack113$ Merge PR #4479 From @frack113 - Upgrade Rules Status 2023-10-17 14:35:26 +02:00			`status: test`
Merge PR #4555 from @nasbench - New ET Rules Related To Lace Tempest / SysAid CVE-2023-47246 Exploitation 2023-11-10 12:00:08 +01:00			`description: \|`
			`Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system`
rule: new webshell detection rule 2022-03-17 18:31:11 +01:00			`references:`
Add more comsvcs variations 2022-08-04 16:18:51 +01:00			`- https://youtu.be/7aemGhaE9ds?t=641`
chore: add nextron authors tag 2023-02-01 11:14:59 +01:00			`author: Florian Roth (Nextron Systems)`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2022-03-17`
			`modified: 2023-11-09`
rule: new webshell detection rule 2022-03-17 18:31:11 +01:00			`tags:`
Add more comsvcs variations 2022-08-04 16:18:51 +01:00			`- attack.persistence`
Merge PR #5381 from @david-syk - Update MITRE ATT&CK tags 2025-04-25 20:55:51 +02:00			`- attack.discovery`
Add more comsvcs variations 2022-08-04 16:18:51 +01:00			`- attack.t1505.003`
			`- attack.t1018`
			`- attack.t1033`
			`- attack.t1087`
rule: new webshell detection rule 2022-03-17 18:31:11 +01:00			`logsource:`
Add more comsvcs variations 2022-08-04 16:18:51 +01:00			`category: process_creation`
			`product: windows`
rule: new webshell detection rule 2022-03-17 18:31:11 +01:00			`detection:`
			`# Webserver`
Add more comsvcs variations 2022-08-04 16:18:51 +01:00			`selection_webserver_image:`
			`ParentImage\|endswith:`
			`- '\caddy.exe'`
Merge PR #4555 from @nasbench - New ET Rules Related To Lace Tempest / SysAid CVE-2023-47246 Exploitation 2023-11-10 12:00:08 +01:00			`- '\httpd.exe'`
			`- '\nginx.exe'`
			`- '\php-cgi.exe'`
			`- '\w3wp.exe'`
Add more comsvcs variations 2022-08-04 16:18:51 +01:00			`- '\ws_tomcatservice.exe'`
			`selection_webserver_characteristics_tomcat1:`
			`ParentImage\|endswith:`
			`- '\java.exe'`
			`- '\javaw.exe'`
			`ParentImage\|contains:`
			`- '-tomcat-'`
			`- '\tomcat'`
			`selection_webserver_characteristics_tomcat2:`
			`ParentImage\|endswith:`
			`- '\java.exe'`
			`- '\javaw.exe'`
			`CommandLine\|contains:`
			`- 'catalina.jar'`
			`- 'CATALINA_HOME'`
			`# Suspicious child processes`
			`selection_child_1:`
			`# Process dumping`
			`CommandLine\|contains\|all:`
			`- 'rundll32'`
			`- 'comsvcs'`
			`selection_child_2:`
			`# Winrar exfil`
			`CommandLine\|contains\|all:`
			`- ' -hp'`
			`- ' a '`
			`- ' -m'`
			`selection_child_3:`
			`# User add`
			`CommandLine\|contains\|all:`
			`- 'net'`
			`- ' user '`
			`- ' /add'`
			`selection_child_4:`
			`CommandLine\|contains\|all:`
			`- 'net'`
			`- ' localgroup '`
			`- ' administrators '`
			`- '/add'`
			`selection_child_5:`
			`Image\|endswith:`
			`# Credential stealing`
			`- '\ntdsutil.exe'`
			`# AD recon`
			`- '\ldifde.exe'`
			`- '\adfind.exe'`
			`# Process dumping`
			`- '\procdump.exe'`
			`- '\Nanodump.exe'`
			`# Destruction / ransom groups`
			`- '\vssadmin.exe'`
			`- '\fsutil.exe'`
			`selection_child_6:`
			`# SUspicious patterns`
			`CommandLine\|contains:`
Merge PR #4555 from @nasbench - New ET Rules Related To Lace Tempest / SysAid CVE-2023-47246 Exploitation 2023-11-10 12:00:08 +01:00			`- ' -decode ' # Used with certutil`
Add more comsvcs variations 2022-08-04 16:18:51 +01:00			`- ' -NoP ' # Often used in malicious PowerShell commands`
			`- ' -W Hidden ' # Often used in malicious PowerShell commands`
			`- ' /decode ' # Used with certutil`
			`- ' /ticket:' # Rubeus`
			`- ' sekurlsa' # Mimikatz`
			`- '.dmp full' # Process dumping method apart from procdump`
Merge PR #4555 from @nasbench - New ET Rules Related To Lace Tempest / SysAid CVE-2023-47246 Exploitation 2023-11-10 12:00:08 +01:00			`- '.downloadfile(' # PowerShell download command`
			`- '.downloadstring(' # PowerShell download command`
			`- 'FromBase64String' # PowerShell encoded payload`
Add more comsvcs variations 2022-08-04 16:18:51 +01:00			`- 'process call create' # WMIC process creation`
Merge PR #4555 from @nasbench - New ET Rules Related To Lace Tempest / SysAid CVE-2023-47246 Exploitation 2023-11-10 12:00:08 +01:00			`- 'reg save ' # save registry SAM - syskey extraction`
Add more comsvcs variations 2022-08-04 16:18:51 +01:00			`- 'whoami /priv'`
Merge PR #4555 from @nasbench - New ET Rules Related To Lace Tempest / SysAid CVE-2023-47246 Exploitation 2023-11-10 12:00:08 +01:00			`condition: 1 of selection_webserver_* and 1 of selection_child_*`
rule: new webshell detection rule 2022-03-17 18:31:11 +01:00			`falsepositives:`
Add more comsvcs variations 2022-08-04 16:18:51 +01:00			`- Unlikely`
rule: new webshell detection rule 2022-03-17 18:31:11 +01:00			`level: high`