From e89613aee0930cac0ac123dc5e881cb2032b96b2 Mon Sep 17 00:00:00 2001
From: ecco
Date: Mon, 18 May 2020 07:19:06 -0400
Subject: [PATCH 1/3] add some false positives checks
---
 .../windows/sysmon/sysmon_webshell_creation_detect.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml b/rules/windows/sysmon/sysmon_webshell_creation_detect.yml
index 2824f16f9..88af94d51 100644
--- a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml
+++ b/rules/windows/sysmon/sysmon_webshell_creation_detect.yml
@@ -6,7 +6,7 @@ references:
 - PT ESC rule and personal experience
 author: Beyu Denis, oscd.community
 date: 2019/10/22
-modified: 2019/11/04
+modified: 2020/05/18
 tags:
 - attack.persistence
 - attack.t1100
@@ -36,8 +36,10 @@ detection:
 - TargetFilename|contains|all:
 - '\cgi-bin\'
 - '.pl'
- condition: selection_1 and ( selection_2 and selection_3 ) or
- selection_1 and ( selection_4 and selection_5 ) or
- selection_1 and selection_6
+ false_positives: # false positives when unpacking some executables in $TEMP
+ TargetFilename|contains:
+ - '\AppData\Local\Temp\'
+ - '\Windows\Temp\'
+ condition: selection_1 and not false_positives and (( selection_2 and selection_3 ) or ( selection_4 and selection_5 ) or selection_6)
 falsepositives:
 - Legitimate administrator or developer creating legitimate executable files in a web application folder
From 088800cd18f7e0be9c4c41df2b0baac0f0d93644 Mon Sep 17 00:00:00 2001
From: ecco
Date: Mon, 18 May 2020 09:39:48 -0400
Subject: [PATCH 2/3] fix rule due to sigmac bug?
---
 rules/windows/sysmon/sysmon_webshell_creation_detect.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml b/rules/windows/sysmon/sysmon_webshell_creation_detect.yml
index 88af94d51..ef9bdced5 100644
--- a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml
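Review bot: The new `false_positives` filter drops every event whose TargetFilename contains `\AppData\Local\Temp\` or `\Windows\Temp\` anywhere in the path, which is broader than the commented intent of suppressing executables unpacked into `$TEMP`; a web root that happens to sit below one of those directories, or a path that merely embeds the substring, is then never evaluated by any selection at all. If the case being suppressed is a specific unpacker, anchoring the exclusion on the writing process (`Image`) or narrowing the path match with `startswith` would keep the blind spot small; selection_1 through selection_6 are defined above the hunk, so whether they already constrain the path to a web root cannot be confirmed here. The rule's `falsepositives:` metadata should also record the case the filter handles, e.g. `- Executables unpacked into user or system temp directories`, so the reason for the exclusion survives outside the inline comment. The selection name `false_positives` reads almost like the `falsepositives` metadata key just below it; a name such as `filter_temp` would make the condition easier to scan.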
+++ b/rules/windows/sysmon/sysmon_webshell_creation_detect.yml
@@ -40,6 +40,8 @@ detection:
 TargetFilename|contains:
 - '\AppData\Local\Temp\'
 - '\Windows\Temp\'
- condition: selection_1 and not false_positives and (( selection_2 and selection_3 ) or ( selection_4 and selection_5 ) or selection_6)
+ # kind of ugly but sigmac seems not to handle double parenthesis "(("
+ # we shold prefer something like : selection_1 and not false_positives and ((selection_2 and selection_3) or (selection_4 and selection_5) or selection_6)
+ condition: (selection_1 and selection_2 and selection_3 and not false_positives) or (selection_1 and selection_4 and selection_5 and not false_positives) or (selection_1 and selection_6 and not false_positives)
 falsepositives:
 - Legitimate administrator or developer creating legitimate executable files in a web application folder
From 1aa97fe577f4399f17df48fb39e588e5c7a703ab Mon Sep 17 00:00:00 2001
From: ecco
Date: Mon, 18 May 2020 10:03:18 -0400
Subject: [PATCH 3/3] flake 8
---
 rules/windows/sysmon/sysmon_webshell_creation_detect.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml b/rules/windows/sysmon/sysmon_webshell_creation_detect.yml
index ef9bdced5..7f94a4259 100644
--- a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml
+++ b/rules/windows/sysmon/sysmon_webshell_creation_detect.yml
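Review bot: The comment above the new `condition` attributes the rewrite to a sigmac problem with `((` but gives no issue reference or sigmac version, so nobody will know when the workaround can be retired; add one, e.g. `# workaround for sigmac <ISSUE-ID placeholder>: nested parentheses in condition are mis-converted`. The expanded form is equivalent to the factored one, since `selection_1 and not false_positives` is simply distributed over each `or` branch, so no detection coverage changes; stating that in the comment would stop a later editor from re-factoring it and reintroducing the problem. The second comment line has a typo, `shold` → `should`. The `detection:` block these lines belong to starts above the hunk.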
@@ -42,6 +42,6 @@ detection:
 - '\Windows\Temp\'
 # kind of ugly but sigmac seems not to handle double parenthesis "(("
 # we shold prefer something like : selection_1 and not false_positives and ((selection_2 and selection_3) or (selection_4 and selection_5) or selection_6)
- condition: (selection_1 and selection_2 and selection_3 and not false_positives) or (selection_1 and selection_4 and selection_5 and not false_positives) or (selection_1 and selection_6 and not false_positives)
+ condition: (selection_1 and selection_2 and selection_3 and not false_positives) or (selection_1 and selection_4 and selection_5 and not false_positives) or (selection_1 and selection_6 and not false_positives)
 falsepositives:
 - Legitimate administrator or developer creating legitimate executable files in a web application folder