title: Webshell ReGeorg Detection Via Web Logs
id: 2ea44a60-cfda-11ea-87d0-0242ac130003
status: experimental
description: Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.
author: Cian Heasley
date: 2020/08/04
modified: 2020/09/03
reference:
    - https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3
    - https://github.com/sensepost/reGeorg
logsource:
    category: webserver
detection:
    selection:
        uri_query|contains:
            - '*cmd=read*'
            - '*connect&target*'
            - '*cmd=connect*'
            - '*cmd=disconnect*'
            - '*cmd=forward*'
    filter:
        referer: null
        useragent: null
        method: POST
    condition: selection and filter
fields:
    - uri_query
    - referer
    - method
    - useragent
falsepositives:
    - web applications that use the same URL parameters as ReGeorg
level: high
tags:
    - attack.persistence
    - attack.t1100
    - attack.t1505.003