Merge pull request #3012 from svch0stz/patch-2

Update proc_creation_win_webshell_spawn.yml
2022-05-16 16:51:04 +02:00
parent 4ae8fa322d 3ec531979a
commit ed5963493c
1 changed files with 3 additions and 2 deletions
@@ -2,7 +2,7 @@ title: Shells Spawned by Web Servers
 id: 8202070f-edeb-4d31-a010-a26c72ac5600
 status: test
 description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack
-author: Thomas Patzke, Florian Roth
+author: Thomas Patzke, Florian Roth, Zach Stanford @svch0st
 date: 2019/01/16
 modified: 2022/03/17
 tags:
@@ -34,9 +34,10 @@ detection:
      ParentImage|endswith: 
         - '\java.exe'
         - '\javaw.exe'
-      CommandLine|contains: 
+      ParentCommandLine|contains: 
         - 'catalina.jar'
         - 'CATALINA_HOME'
+         - 'catalina.home'
   anomaly_children:
      Image|endswith:
         - '\cmd.exe'