Modifications

+ Added Sysmon detection of Office binaries spawning Windows shells
+ Additional web servers added for webshell detection

rules/windows/sysmon/sysmon_office_shell.yml

@@ -0,0 +1,28 @@
+title: Microsoft Office Product Spawning Windows  Shell
+status: experimental
+description: Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.
+reference: https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
+author: Michael Haag
+logsource:
+    product: sysmon
+detection:
+    selection:
+        EventID: 1
+        ParentImage:
+            - '*\WINWORD.EXE'
+            - '*\EXCEL.EXE'
+            - '*\POWERPNT.exe'
+            - '*\MSPUB.exe'
+            - '*\VISIO.exe'
+        Image:
+            - '*\cmd.exe'
+            - '*\powershell.exe'
+            - '*\wscript.exe'
+            - '*\cscript.exe'
+            - '*\sh.exe'
+            - '*\bash.exe'
+            - '*\scrcons.exe'
+    condition: selection
+falsepositives:
+    - unknown
+level: high

rules/windows/sysmon/sysmon_webshell_detection.yml

@@ -1,4 +1,4 @@
-title: Webshell Detection With Command Line Keywords 
+title: Webshell Detection With Command Line Keywords
 description: Detects certain command line parameters often used during reconnissaince activity via web shells
 author: Florian Roth
 logsource:
@@ -9,12 +9,16 @@ detection:
         ParentImage:
           - '*\apache*'
           - '*\tomcat*'
-        CommandLine: 
+          - '*\w3wp.exe'
+          - '*\php-cgi.exe'
+          - '*\nginx.exe'
+          - '*\httpd.exe'
+        CommandLine:
           - 'whoami'
           - 'net user'
           - 'ping -n'
+          - 'systeminfo'
     condition: selection
 falsepositives:
     - unknown
 level: high
-

rules/windows/sysmon/sysmon_webshell_spawn.yml

@@ -11,10 +11,12 @@ detection:
             - '*\w3wp.exe'
             - '*\httpd.exe'
             - '*\nginx.exe'
+            - '*\php-cgi.exe'
         Image:
             - '*\cmd.exe'
             - '*\sh.exe'
             - '*\bash.exe'
+            - '*\powershell.exe'
     condition: selection
 falsepositives:
     - Particular web applications may spawn a shell process legitimately