title: Webshell Detection With Command Line Keywords id: bed2a484-9348-4143-8a8a-b801c979301c description: Detects certain command line parameters often used during reconnaissance activity via web shells author: Florian Roth, Jonhnathan Ribeiro, Anton Kutepov, oscd.community status: experimental references: - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html - https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/ date: 2017/01/01 modified: 2021/03/17 tags: - attack.persistence - attack.t1505.003 - attack.t1018 - attack.t1033 - attack.t1087 logsource: category: process_creation product: windows detection: selection_webserver_image: ParentImage|endswith: - '\w3wp.exe' - '\php-cgi.exe' - '\nginx.exe' - '\httpd.exe' - '\caddy.exe' - '\ws_tomcatservice.exe' selection_webserver_characteristics_tomcat1: ParentImage|endswith: - '\java.exe' - '\javaw.exe' ParentImage|contains: - '-tomcat-' - '\tomcat' selection_webserver_characteristics_tomcat2: ParentImage|endswith: - '\java.exe' - '\javaw.exe' CommandLine|contains: - 'catalina.jar' - 'CATALINA_HOME' susp_net_utility: Image|endswith: - '\net.exe' - '\net1.exe' CommandLine|contains: - ' user ' - ' use ' - ' group ' susp_ping_utility: Image|endswith: '\ping.exe' CommandLine|contains: ' -n ' susp_change_dir: CommandLine|contains: - '&cd&echo' # china chopper web shell - 'cd /d ' # https://www.computerhope.com/cdhlp.htm susp_wmic_utility: Image|endswith: '\wmic.exe' CommandLine|contains: ' /node:' susp_misc_discovery_binaries: Image|endswith: - '\whoami.exe' - '\systeminfo.exe' - '\quser.exe' - '\ipconfig.exe' - '\pathping.exe' - '\tracert.exe' - '\netstat.exe' - '\schtasks.exe' - '\vssadmin.exe' - '\wevtutil.exe' - '\tasklist.exe' susp_misc_discovery_commands: CommandLine|contains: - ' Test-NetConnection ' - 'dir \' # remote dir: dir \\C$:\windows\temp\*.exe condition: 1 of selection* and 1 of susp* fields: - CommandLine - ParentCommandLine falsepositives: - Unknown level: high