Nasreddine Bencherchali
68 lines
1.7 KiB
YAML
68 lines
1.7 KiB
YAML
title: Windows Webshell Strings
|
|
id: 7ff9db12-1b94-4a79-ba68-a2402c5d6729
|
|
status: test
|
|
description: Detects Windows Webshells that use GET requests via access logs
|
|
references:
|
|
- https://bad-jubies.github.io/RCE-NOW-WHAT/
|
|
- https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
|
|
author: Florian Roth, Nasreddine Bencherchali
|
|
date: 2017/02/19
|
|
modified: 2022/11/18
|
|
tags:
|
|
- attack.persistence
|
|
- attack.t1505.003
|
|
logsource:
|
|
category: webserver
|
|
detection:
|
|
selection_method:
|
|
cs-method: 'GET'
|
|
selection_keywords:
|
|
# The "%20" is URL encoded version of the space
|
|
# The "%2B" is URL encoded version of the "+"
|
|
- '=whoami'
|
|
- '=net%20user'
|
|
- '=net+user'
|
|
- '=net%2Buser'
|
|
- '=cmd%20/c%'
|
|
- '=cmd+/c+'
|
|
- '=cmd%2B/c%'
|
|
- '=cmd%20/r%'
|
|
- '=cmd+/r+'
|
|
- '=cmd%2B/r%'
|
|
- '=cmd%20/k%'
|
|
- '=cmd+/k+'
|
|
- '=cmd%2B/k%'
|
|
- '=powershell%'
|
|
- '=powershell+'
|
|
- '=tasklist%'
|
|
- '=tasklist+'
|
|
- '=wmic%'
|
|
- '=wmic+'
|
|
- '=ssh%'
|
|
- '=ssh+'
|
|
- '=python%'
|
|
- '=python+'
|
|
- '=python3%'
|
|
- '=python3+'
|
|
- '=ipconfig'
|
|
- '=wget%'
|
|
- '=wget+'
|
|
- '=curl%'
|
|
- '=curl+'
|
|
- '=certutil'
|
|
- '=copy%20%5C%5C'
|
|
- '=dsquery%'
|
|
- '=dsquery+'
|
|
- '=nltest%'
|
|
- '=nltest+'
|
|
condition: all of selection_*
|
|
fields:
|
|
- client_ip
|
|
- vhost
|
|
- url
|
|
- response
|
|
falsepositives:
|
|
- Web sites like wikis with articles on os commands and pages that include the os commands in the URLs
|
|
- User searches in search boxes of the respective website
|
|
level: high
|