diff --git a/rules/web/web_win_webshells_in_access_logs.yml b/rules/web/web_win_webshells_in_access_logs.yml
index 64a04a2fd..6cbcb2963 100644
--- a/rules/web/web_win_webshells_in_access_logs.yml
+++ b/rules/web/web_win_webshells_in_access_logs.yml
@@ -4,32 +4,62 @@ status: test
 description: Detects Windows Webshells that use GET requests via access logs
 references:
     - https://bad-jubies.github.io/RCE-NOW-WHAT/
+    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
 author: Florian Roth, Nasreddine Bencherchali
 date: 2017/02/19
-modified: 2022/06/14
+modified: 2022/10/26
 tags:
     - attack.persistence
     - attack.t1505.003
 logsource:
     category: webserver
 detection:
-    select_method:
+    selection_method:
         cs-method: 'GET'
-    keywords:
-        - =whoami
-        - =net%20user
-        - =cmd%20/c%20
-        - =powershell%20
-        - =tasklist%20
-        - =wmic%20
-        - =ssh%20 #available on windows
-        - =python%20
-        - =ipconfig
-        - =wget%20 #available on windows
-        - =curl%20 #available on windows
-        - =certutil
-        - =copy%20%5C%5C
-    condition: select_method and keywords
+    selection_keywords:
+        # The "%20" is URL encoded version of the space
+        # The "%2B" is URL encoded version of the "+"
+        - '=whoami'
+        - '=net%20user'
+        - '=net+user'
+        - '=net%2Buser'
+        - '=cmd%20/c%20'
+        - '=cmd+/c+'
+        - '=cmd%2B/c%2B'
+        - '=powershell%20'
+        - '=powershell%2B'
+        - '=powershell+'
+        - '=tasklist%20'
+        - '=tasklist%2B'
+        - '=tasklist+'
+        - '=wmic%20'
+        - '=wmic%2B'
+        - '=wmic+'
+        - '=ssh%20'
+        - '=ssh%2B'
+        - '=ssh+'
+        - '=python%20'
+        - '=python%2B'
+        - '=python+'
+        - '=python3%20'
+        - '=python3%2B'
+        - '=python3+'
+        - '=ipconfig'
+        - '=wget%20'
+        - '=wget%2B'
+        - '=wget+'
+        - '=curl%20'
+        - '=curl%2B'
+        - '=curl+'
+        - '=certutil'
+        - '=copy%20%5C%5C'
+        - '=dsquery%20'
+        - '=dsquery%2B'
+        - '=dsquery+'
+        - '=nltest%20'
+        - '=nltest%2B'
+        - '=nltest+'
+    condition: all of selection_*
 fields:
     - client_ip
     - vhost
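Review bot: The `'=copy%20%5C%5C'` entry in `selection_keywords` is the only two-token pattern that did not receive the `+` and `%2B` spellings the rest of the list now carries (`net`, `cmd`, `powershell`, `dsquery`, `nltest` all have three variants), so a request whose separator is encoded either of those ways is missed by this selection alone; add `'=copy+%5C%5C'` and `'=copy%2B%5C%5C'` next to it. The `#available on windows` remarks on the removed `ssh`, `wget` and `curl` lines were not carried over, and the new header comment only explains the encodings; a one-line comment above those entries such as `# ssh, wget and curl are shipped with current Windows builds` would preserve the reason they are in a Windows-focused rule. The rule's `title`/`id` header (file lines 1–3) sits before the hunk, and the hunk ends at `- vhost`, so any fields after it are outside this view.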