security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add rule sysmon_webshell_creation_detect.yml

Browse Source
This commit is contained in:
root
2019-10-22 05:56:37 +02:00
parent fb53855ae5
commit 2bd9d8a9d8
1 changed files with 13 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/sysmon/sysmon_webshell_creation_detect.yml
+13 -12
View File
@@ -17,18 +17,19 @@ detection:
# Sysmon: File Creation (ID 11)
EventID: 11
#.NET webshells
TargetFilename: '*\inetpub\wwwroot\*.asp'
TargetFilename: '*\inetpub\wwwroot\*.aspx'
TargetFilename: '*\inetpub\wwwroot\*.ashx'
#php webshells
TargetFilename: '*\inetpub\wwwroot\*.ph*'
TargetFilename: '*\www\*.ph*'
TargetFilename: '*\htdocs\*.ph*'
TargetFilename: '*\html\*.ph*'
#apache tomcap webshell
TargetFilename: '*\*.jsp*'
#cgi-bin perl webshell
TargetFilename: '*\cgi-bin\*.pl'
TargetFilename:
- '*\inetpub\wwwroot\*.asp'
- '*\inetpub\wwwroot\*.aspx'
- '*\inetpub\wwwroot\*.ashx'
#php webshells
- '*\inetpub\wwwroot\*.ph*'
- '*\www\*.ph*'
- '*\htdocs\*.ph*'
- '*\html\*.ph*'
#apache tomcap webshell
- '*\*.jsp*'
#cgi-bin perl webshell
- '*\cgi-bin\*.pl'
condition: selection
falsepositives:
- Unknown