From 2bd9d8a9d876288800cb6bd5bfa90af12331b1d8 Mon Sep 17 00:00:00 2001
From: root
Date: Tue, 22 Oct 2019 05:56:37 +0200
Subject: [PATCH] add rule sysmon_webshell_creation_detect.yml

---
 .../sysmon_webshell_creation_detect.yml | 25 ++++++++++---------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml b/rules/windows/sysmon/sysmon_webshell_creation_detect.yml
index a609cec0d..72c24271d 100644
--- a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml
+++ b/rules/windows/sysmon/sysmon_webshell_creation_detect.yml
@@ -17,18 +17,19 @@ detection:
 # Sysmon: File Creation (ID 11)
 EventID: 11
 #.NET webshells
- TargetFilename: '*\inetpub\wwwroot\*.asp'
- TargetFilename: '*\inetpub\wwwroot\*.aspx'
- TargetFilename: '*\inetpub\wwwroot\*.ashx'
- #php webshells
- TargetFilename: '*\inetpub\wwwroot\*.ph*'
- TargetFilename: '*\www\*.ph*'
- TargetFilename: '*\htdocs\*.ph*'
- TargetFilename: '*\html\*.ph*'
- #apache tomcap webshell
- TargetFilename: '*\*.jsp*'
- #cgi-bin perl webshell
- TargetFilename: '*\cgi-bin\*.pl'
+ TargetFilename:
+ - '*\inetpub\wwwroot\*.asp'
+ - '*\inetpub\wwwroot\*.aspx'
+ - '*\inetpub\wwwroot\*.ashx'
+ #php webshells
+ - '*\inetpub\wwwroot\*.ph*'
+ - '*\www\*.ph*'
+ - '*\htdocs\*.ph*'
+ - '*\html\*.ph*'
+ #apache tomcap webshell
+ - '*\*.jsp*'
+ #cgi-bin perl webshell
+ - '*\cgi-bin\*.pl'
 condition: selection
 falsepositives:
 - Unknown
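Review bot: The new `'*\*.jsp*'` entry is the only pattern in the TargetFilename list with no web-root path component, so unlike the `\inetpub\wwwroot\`, `\htdocs\` and `\cgi-bin\` entries it fires on any .jsp/.jspx file created anywhere on the host, which includes ordinary application deployments and updates; consider anchoring it to the servlet container's webapps directory in the same way, and since the list now ORs every broad `\www\`, `\html\` and `.ph*` pattern together, the `falsepositives: - Unknown` trailer should name legitimate web application deployment and content updates rather than leaving them unstated. The comment above that entry also has a typo: `#apache tomcap webshell` should read `# apache tomcat webshell`, and the other in-hunk comments (`#php webshells`, `#cgi-bin perl webshell`) would read better with a space after `#`. The hunk starts inside the `detection:` mapping, so the `selection:` key these fields belong to is outside the visible lines.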