Update web_win_webshells_in_access_logs.yml

Nasreddine Bencherchali
2022-10-26 23:18:08 +02:00
parent efe0cf5871
commit c2045d6a91
+47 -17
@@ -4,32 +4,62 @@ status: test
description: Detects Windows Webshells that use GET requests via access logs
references:
- https://bad-jubies.github.io/RCE-NOW-WHAT/
- https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Florian Roth, Nasreddine Bencherchali
date: 2017/02/19
modified: 2022/06/14
modified: 2022/10/26
tags:
- attack.persistence
- attack.t1505.003
logsource:
category: webserver
detection:
select_method:
selection_method:
cs-method: 'GET'
keywords:
- =whoami
- =net%20user
- =cmd%20/c%20
- =powershell%20
- =tasklist%20
- =wmic%20
- =ssh%20 #available on windows
- =python%20
- =ipconfig
- =wget%20 #available on windows
- =curl%20 #available on windows
- =certutil
- =copy%20%5C%5C
condition: select_method and keywords
selection_keywords:
# The "%20" is URL encoded version of the space
# The "%2B" is URL encoded version of the "+"
- '=whoami'
- '=net%20user'
- '=net+user'
- '=net%2Buser'
- '=cmd%20/c%20'
- '=cmd+/c+'
- '=cmd%2B/c%2B'
- '=powershell%20'
- '=powershell%2B'
- '=powershell+'
- '=tasklist%20'
- '=tasklist%2B'
- '=tasklist+'
- '=wmic%20'
- '=wmic%2B'
- '=wmic+'
- '=ssh%20'
- '=ssh%2B'
- '=ssh+'
- '=python%20'
- '=python%2B'
- '=python+'
- '=python3%20'
- '=python3%2B'
- '=python3+'
- '=ipconfig'
- '=wget%20'
- '=wget%2B'
- '=wget+'
- '=curl%20'
- '=curl%2B'
- '=curl+'
- '=certutil'
- '=copy%20%5C%5C'
- '=dsquery%20'
- '=dsquery%2B'
- '=dsquery+'
- '=nltest%20'
- '=nltest%2B'
- '=nltest+'
condition: all of selection_*
fields:
- client_ip
- vhost
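Review bot: The `+` and `%2B` encodings that the new selection_keywords list adds for every other command are missing for `'=copy%20%5C%5C'`, so that entry is the only one still matched on the `%20` form alone; adding `'=copy+%5C%5C'` and `'=copy%2B%5C%5C'` next to it would make the list consistent with the rest. The old list's inline notes `#available on windows` on the ssh, wget and curl entries were dropped in the rewrite, so the reason those three non-Windows-sounding tools belong in a Windows webshell rule is no longer recorded; restoring it as `# ssh, wget and curl are available on Windows` above `'=ssh%20'` would keep that rationale. The `%2B` variants presumably only match when the log stores the raw, undecoded request line rather than the decoded parameter value; a one-line note beside the existing `%2B` comment stating that assumption would help whoever tunes this against a different webserver format.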