security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/application/antivirus/av_webshell.yml
T

75 lines
2.8 KiB
YAML
Raw Normal View History

Rule: AV alerts - webshells
2018-09-09 11:04:11 +02:00
title: Antivirus Web Shell Detection
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
id: fdf135a2-9241-4f96-a114-bb404948f736
Update av_webshell.yml
2021-05-08 08:49:17 +02:00
description: Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches.
Missing status in rules (#2284)
2021-11-19 22:32:26 +01:00
status: experimental
Rule: AV alerts - webshells
2018-09-09 11:04:11 +02:00
date: 2018/09/09
Update av_webshell.yml
2021-05-08 08:49:17 +02:00
modified: 2021/05/08
more AV event and suspicious commands
2021-01-07 17:54:19 +01:00
author: Florian Roth, Arnim Rupp
Rule: AV alerts - webshells
2018-09-09 11:04:11 +02:00
references:
Update av_webshell.yml
2021-05-08 08:49:17 +02:00
- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
- https://github.com/tennc/webshell
more AV event and suspicious commands
2021-01-07 17:54:19 +01:00
- https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
- https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
- https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
Update av_webshell.yml
2021-05-08 08:49:17 +02:00
- https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection
- https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection
- https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
- https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
Rule: AV alerts - webshells
2018-09-09 11:04:11 +02:00
tags:
ATT&CK tagging QA
2018-09-20 12:44:44 +02:00
- attack.persistence
Initial round of subtechnique updates
2020-06-16 14:46:08 -06:00
- attack.t1505.003
Rule: AV alerts - webshells
2018-09-09 11:04:11 +02:00
logsource:
product: antivirus
detection:
selection:
Update av_webshell.yml
2020-10-27 22:35:45 -03:00
- Signature|startswith:
Change double quote to quote
2022-01-06 14:02:35 +01:00
- 'PHP/'
- 'JSP/'
- 'ASP/'
- 'Perl/'
- 'PHP.'
- 'JSP.'
- 'ASP.'
- 'Perl.'
- 'VBS/Uxor' # looking for 'VBS/' would also find downloaders and droppers meant for desktops
- 'IIS/BackDoor'
- 'JAVA/Backdoor'
- 'Troj/ASP'
- 'Troj/PHP'
- 'Troj/JSP'
Update av_webshell.yml
2020-10-27 22:35:45 -03:00
- Signature|contains:
Change double quote to quote
2022-01-06 14:02:35 +01:00
- 'Webshell'
- 'Chopper'
- 'SinoChoper'
- 'ASPXSpy'
- 'Aspdoor'
- 'filebrowser'
- 'PHP_'
- 'JSP_'
- 'ASP_' # looking for 'VBS_' would also find downloaders and droppers meant for desktops
- 'PHP:'
- 'JSP:'
- 'ASP:'
- 'Perl:'
- 'PHPShell'
- 'Trojan.PHP'
- 'Trojan.ASP'
- 'Trojan.JSP'
- 'Trojan.VBS'
- 'PHP?Agent'
- 'ASP?Agent'
- 'JSP?Agent'
- 'VBS?Agent'
- 'Backdoor?PHP'
- 'Backdoor?JSP'
- 'Backdoor?ASP'
- 'Backdoor?VBS'
- 'Backdoor?Java'
Rule: AV alerts - webshells
2018-09-09 11:04:11 +02:00
condition: selection
fields:
- FileName
- User
falsepositives:
- Unlikely
level: critical
Reference in New Issue Copy Permalink