rules/web/win_webshell_regeorg.yml

title: Webshell ReGeorg Detection Via Web Logs
id: 2ea44a60-cfda-11ea-87d0-0242ac130003
status: experimental
description: Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.
author: Cian Heasley
date: 2020/08/04
modified: 2021/11/23
references:
    - https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3
    - https://github.com/sensepost/reGeorg
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - 'cmd=read'
            - 'connect&target'
            - 'cmd=connect'
            - 'cmd=disconnect'
            - 'cmd=forward'
    filter:
        cs-referer: null
        cs-User-Agent: null
        cs-method: POST
    condition: selection and filter
fields:
    - cs-uri-query
    - cs-referer
    - cs-method
    - cs-User-Agent
falsepositives:
    - web applications that use the same URL parameters as ReGeorg
level: high
tags:
    - attack.persistence
    - attack.t1505.003
Add files via upload 2020-08-03 12:20:04 +01:00			`title: Webshell ReGeorg Detection Via Web Logs`
			`id: 2ea44a60-cfda-11ea-87d0-0242ac130003`
			`status: experimental`
			`description: Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.`
			`author: Cian Heasley`
Second round 2020-09-15 07:02:30 -06:00			`date: 2020/08/04`
$frack113$ fix field name 2021-11-23 18:47:42 +01:00			`modified: 2021/11/23`
fix reference field + add test for references in plural form 2020-11-27 10:17:45 +01:00			`references:`
Add files via upload 2020-08-03 12:20:04 +01:00			`- https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3`
			`- https://github.com/sensepost/reGeorg`
			`logsource:`
			`category: webserver`
			`detection:`
			`selection:`
$frack113$ fix field name 2021-11-23 18:47:42 +01:00			`cs-uri-query\|contains:`
Clean up: Webshell ReGeorg Detection 2021-04-05 13:01:10 -04:00			`- 'cmd=read'`
			`- 'connect&target'`
			`- 'cmd=connect'`
			`- 'cmd=disconnect'`
			`- 'cmd=forward'`
Add files via upload 2020-08-03 12:20:04 +01:00			`filter:`
fix: referrer > referer adjustments 2021-12-13 15:47:43 +01:00			`cs-referer: null`
$frack113$ fix field name 2021-11-23 18:47:42 +01:00			`cs-User-Agent: null`
			`cs-method: POST`
Add files via upload 2020-08-03 12:20:04 +01:00			`condition: selection and filter`
			`fields:`
$frack113$ fix field name 2021-11-23 18:47:42 +01:00			`- cs-uri-query`
fix: referrer > referer adjustments 2021-12-13 15:47:43 +01:00			`- cs-referer`
$frack113$ fix field name 2021-11-23 18:47:42 +01:00			`- cs-method`
			`- cs-User-Agent`
Add files via upload 2020-08-03 12:20:04 +01:00			`falsepositives:`
docs: add FP condition 2020-08-03 13:50:47 +02:00			`- web applications that use the same URL parameters as ReGeorg`
Add files via upload 2020-08-03 12:20:04 +01:00			`level: high`
Second round 2020-09-15 07:02:30 -06:00			`tags:`
			`- attack.persistence`
fix reference field + add test for references in plural form 2020-11-27 10:17:45 +01:00			`- attack.t1505.003`