From 3ec531979a8a2b15e4d6181e7c49fadd4d52bd22 Mon Sep 17 00:00:00 2001
From: svch0stz <8684257+svch0stz@users.noreply.github.com>
Date: Sun, 15 May 2022 14:57:21 +1000
Subject: [PATCH] Update proc_creation_win_webshell_spawn.yml

Example pulled from manage engine below:
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentImage: C:\Program Files\ManageEngine\SupportCenterPlus\jre\bin\java.exe
ParentCommandline: "..\jre\bin\java" -Dcatalina.home=.. -Dserver.home=.. -Dserver.stats=1000
---
 .../process_creation/proc_creation_win_webshell_spawn.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml b/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml
index 9b14e3686..3f89a2ea0 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml
@@ -2,7 +2,7 @@ title: Shells Spawned by Web Servers
 id: 8202070f-edeb-4d31-a010-a26c72ac5600
 status: test
 description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack
-author: Thomas Patzke, Florian Roth
+author: Thomas Patzke, Florian Roth, Zach Stanford @svch0st
 date: 2019/01/16
 modified: 2022/03/17
 tags:
@@ -34,9 +34,10 @@ detection:
 ParentImage|endswith:
 - '\java.exe'
 - '\javaw.exe'
- CommandLine|contains:
+ ParentCommandLine|contains:
 - 'catalina.jar'
 - 'CATALINA_HOME'
+ - 'catalina.home'
 anomaly_children:
 Image|endswith:
 - '\cmd.exe'
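Review bot: The `modified:` date is left at `2022/03/17` (a context line in the first hunk) even though this hunk changes the detection logic from `CommandLine|contains` to `ParentCommandLine|contains` and adds a new value; Sigma convention is to bump it on any logic change, e.g. `modified: 2022/05/15` to match the commit date. Matching on the parent's command line is the right fix for the ManageEngine example in the description, but `ParentCommandLine` is only populated by process-creation telemetry that records the parent's command line (Sysmon-style sources), so where the rule is also deployed against a source lacking that field this selection will silently stop matching — worth recording with a comment such as `# ParentCommandLine needs telemetry that carries the parent's command line; absent on sources that lack it` so operators understand the coverage gap. The selection this hunk edits begins above the hunk, so its name and the `condition` that references it are not visible here.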