frack113
36 lines
1.0 KiB
YAML
36 lines
1.0 KiB
YAML
title: Chopper Webshell Process Pattern
|
|
id: fa3c117a-bc0d-416e-a31b-0c0e80653efb
|
|
status: experimental
|
|
description: Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
|
|
references:
|
|
- https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
|
|
author: Florian Roth (rule), MSTI (query)
|
|
date: 2022/10/01
|
|
tags:
|
|
- attack.persistence
|
|
- attack.t1505.003
|
|
- attack.t1018
|
|
- attack.t1033
|
|
- attack.t1087
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_origin:
|
|
- Image|endswith: '\w3wp.exe'
|
|
- ParentImage|endswith: '\w3wp.exe'
|
|
selection_cmdline:
|
|
CommandLine|contains:
|
|
- '&ipconfig&echo'
|
|
- '&quser&echo'
|
|
- '&whoami&echo'
|
|
- '&c:&echo'
|
|
- '&cd&echo'
|
|
- '&dir&echo'
|
|
- '&echo [E]'
|
|
- '&echo [S]'
|
|
condition: all of selection*
|
|
falsepositives:
|
|
- Unknown
|
|
level: high
|