2017-02-10 19:17:02 +01:00
|
|
|
title: Webshell Detection by Keyword
|
2019-11-12 23:12:27 +01:00
|
|
|
id: 7ff9db12-1b94-4a79-ba68-a2402c5d6729
|
2021-11-27 11:33:14 +01:00
|
|
|
status: test
|
2018-09-06 20:20:11 -05:00
|
|
|
description: Detects webshells that use GET requests by keyword searches in URL strings
|
2017-02-19 00:31:59 +01:00
|
|
|
author: Florian Roth
|
2020-01-30 15:32:39 +01:00
|
|
|
date: 2017/02/19
|
2021-11-27 11:33:14 +01:00
|
|
|
modified: 2021/11/27
|
2017-02-19 00:31:59 +01:00
|
|
|
logsource:
|
2021-11-27 11:33:14 +01:00
|
|
|
category: webserver
|
2017-02-10 19:17:02 +01:00
|
|
|
detection:
|
2021-11-27 11:33:14 +01:00
|
|
|
keywords:
|
|
|
|
|
- =whoami
|
|
|
|
|
- =net%20user
|
|
|
|
|
- =cmd%20/c%20
|
|
|
|
|
condition: keywords
|
2017-09-12 23:54:04 +02:00
|
|
|
fields:
|
2021-11-27 11:33:14 +01:00
|
|
|
- client_ip
|
|
|
|
|
- vhost
|
|
|
|
|
- url
|
|
|
|
|
- response
|
2017-02-10 19:17:02 +01:00
|
|
|
falsepositives:
|
2021-11-27 11:33:14 +01:00
|
|
|
- Web sites like wikis with articles on os commands and pages that include the os commands in the URLs
|
|
|
|
|
- User searches in search boxes of the respective website
|
2017-02-16 18:02:26 +01:00
|
|
|
level: high
|
2020-09-15 07:02:30 -06:00
|
|
|
tags:
|
2021-11-27 11:33:14 +01:00
|
|
|
- attack.persistence
|
|
|
|
|
- attack.t1505.003
|
