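title: Webshell Detection With Command Line Keywords
id: bed2a484-9348-4143-8a8a-b801c979301c
description: |
    Detects reconnaissance-style system utilities and command-line keywords when they are
    started as a child process of a web server process (IIS w3wp, php-cgi, nginx, httpd,
    Caddy, Tomcat), which is characteristic of commands issued through a web shell.
author: Florian Roth, Jonhnathan Ribeiro, Anton Kutepov, oscd.community
status: experimental
references:
    - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
    - https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
date: 2017/01/01
modified: 2021/03/17   # NOTE(review): looks stale or a typo for 2022/03/17 given the later renaming of the selection_* groups - confirm
tags:
    - attack.persistence
    - attack.t1505.003
    - attack.discovery     # T1018/T1033/T1087 below are Discovery techniques; tactic tag added for consistency
    - attack.t1018
    - attack.t1033
    - attack.t1087
logsource:
    category: process_creation
    product: windows
detection:
    # --- Parent must be a web server process; at least one selection_* group has to match ---
    selection_webserver_image:
        ParentImage|endswith:
            - '\w3wp.exe'
            - '\php-cgi.exe'
            - '\nginx.exe'
            - '\httpd.exe'
            - '\caddy.exe'
            - '\ws_tomcatservice.exe'
    # Tomcat runs inside java.exe/javaw.exe. Both keys of a selection are ANDed, so the JVM
    # only counts as a web server when its image path points at a Tomcat install.
    selection_webserver_characteristics_tomcat1:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentImage|contains:
            - '-tomcat-'
            - '\tomcat'
    # Same idea as tomcat1, keyed on the JVM's command line instead of its path.
    selection_webserver_characteristics_tomcat2:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        CommandLine|contains:
            - 'catalina.jar'
            - 'CATALINA_HOME'
    # --- Suspicious child commands; any one susp_* group is enough ---
    susp_net_utility:
        Image|endswith:
            - '\net.exe'
            # NOTE(review): net.exe normally hands off to net1.exe, whose parent is then net.exe rather
            # than the web server, so this entry only fires when net1.exe is launched directly.
            - '\net1.exe'
        CommandLine|contains:
            - ' user '
            - ' use '
            - ' group '
    susp_ping_utility:
        Image|endswith: '\ping.exe'
        CommandLine|contains: ' -n '   # bounded echo count, e.g. "ping -n 1 <host>"
    susp_change_dir:
        CommandLine|contains:
            - '&cd&echo'   # china chopper web shell
            - 'cd /d '     # https://www.computerhope.com/cdhlp.htm
    susp_wmic_utility:
        Image|endswith: '\wmic.exe'
        CommandLine|contains: ' /node:'   # wmic targeting a remote host
    # NOTE(review): schtasks, vssadmin and wevtutil are not discovery tools (scheduled tasks,
    # shadow-copy tampering, event-log manipulation). They stay in this group because any of
    # them spawned by a web server still warrants a high-severity alert, but the name under-describes them.
    susp_misc_discovery_binaries:
        Image|endswith:
            - '\whoami.exe'
            - '\systeminfo.exe'
            - '\quser.exe'
            - '\ipconfig.exe'
            - '\pathping.exe'
            - '\tracert.exe'
            - '\netstat.exe'
            - '\schtasks.exe'
            - '\vssadmin.exe'
            - '\wevtutil.exe'
            - '\tasklist.exe'
    susp_misc_discovery_commands:
        CommandLine|contains:
            - ' Test-NetConnection '
            - 'dir \'   # remote listing over an admin share, e.g. dir \\<host>\C$\windows\temp\*.exe
    # one web-server parent AND one suspicious child command
    condition: 1 of selection* and 1 of susp*
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    # NOTE(review): the most likely source is a web application that legitimately shells out to
    # these utilities under the worker-process identity (deployment or monitoring scripts);
    # not confirmed here, so the field is left as Unknown.
    - Unknown
level: high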