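---
# Sigma rule: flags file creation under common web roots as a possible web-shell drop.
# Relies on Sysmon FileCreate telemetry (Event ID 11); a Sysmon configuration that
# does not enable FileCreate for these paths will never produce a match.
title: Windows webshell creation
status: experimental
description: Possible webshell file creation on a static web site
references:
  - PT ESC rule and personal experience
author: Beyu Denis, oscd.community
date: 2019/10/22
tags:
  - attack.persistence
  # T1100 (Web Shell) is the technique ID current when the rule was written;
  # later ATT&CK versions fold it into T1505.003 (Server Software Component: Web Shell).
  - attack.t1100
level: critical
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    # Sysmon: File Creation (ID 11)
    EventID: 11
    # Each entry is a Sigma wildcard match on the full target path; any one match fires.
    TargetFilename:
      # .NET webshells (IIS default web root)
      - '*\inetpub\wwwroot\*.asp'
      - '*\inetpub\wwwroot\*.aspx'
      - '*\inetpub\wwwroot\*.ashx'
      # php webshells — '*.ph*' also covers .phtml / .phar and similar extensions
      - '*\inetpub\wwwroot\*.ph*'
      - '*\www\*.ph*'
      - '*\htdocs\*.ph*'
      - '*\html\*.ph*'
      # apache tomcat webshell — unlike the patterns above this one is not anchored
      # to a web root, so a .jsp/.jspx written anywhere on disk matches; expect noise
      # from developer workstations and build output, and consider scoping it to
      # the Tomcat webapps directory in environments where that path is known
      - '*\*.jsp*'
      # cgi-bin perl webshell
      - '*\cgi-bin\*.pl'
  condition: selection
falsepositives:
  - Unknown
  - Admin activity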