Update win_webshell_recon_detection.yml
@@ -17,19 +17,19 @@ logsource:
|
||||
detection:
|
||||
selection:
|
||||
ParentImage|contains:
|
||||
- '*\apache*'
|
||||
- '*\tomcat*'
|
||||
- '*\w3wp.exe'
|
||||
- '*\php-cgi.exe'
|
||||
- '*\nginx.exe'
|
||||
- '*\httpd.exe'
|
||||
- '\apache'
|
||||
- '\tomcat'
|
||||
- '\w3wp.exe'
|
||||
- '\php-cgi.exe'
|
||||
- '\nginx.exe'
|
||||
- '\httpd.exe'
|
||||
Image|endswith:
|
||||
- '*\cmd.exe'
|
||||
- '\cmd.exe'
|
||||
CommandLine|contains:
|
||||
- '*perl --help*'
|
||||
- '*python --help*'
|
||||
- '*wget --help*'
|
||||
- '*perl -h*'
|
||||
- 'perl --help'
|
||||
- 'python --help'
|
||||
- 'wget --help'
|
||||
- 'perl -h'
|
||||
condition: selection
|
||||
fields:
|
||||
- Image
|
||||
|
||||
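Review bot: The `CommandLine|contains` list covers the short help flag only for perl (`'perl -h'`), so the python and wget probes are matched only in their `--help` form; adding `- 'python -h'` and `- 'wget -h'` would make the three tools consistent. Each entry is a literal substring, so an invocation written with the extension (for example `perl.exe --help`) is not covered by `'perl --help'`; if that is intended, a comment in the rule should say so. The `fields` list shows only `Image` in the visible lines and may continue outside the hunk; if it does not, adding `ParentImage` and `CommandLine` would give an analyst what they need to triage a hit.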