Nasreddine Bencherchali
42 lines
1.1 KiB
YAML
42 lines
1.1 KiB
YAML
title: Windows Webshell Strings
|
|
id: 7ff9db12-1b94-4a79-ba68-a2402c5d6729
|
|
status: test
|
|
description: Detects Windows Webshells that use GET requests via access logs
|
|
author: Florian Roth, Nasreddine Bencherchali
|
|
date: 2017/02/19
|
|
modified: 2022/06/14
|
|
references:
|
|
- https://bad-jubies.github.io/RCE-NOW-WHAT/
|
|
logsource:
|
|
category: webserver
|
|
detection:
|
|
select_method:
|
|
cs-method: 'GET'
|
|
keywords:
|
|
- =whoami
|
|
- =net%20user
|
|
- =cmd%20/c%20
|
|
- =powershell%20
|
|
- =tasklist%20
|
|
- =wmic%20
|
|
- =ssh%20 #available on windows
|
|
- =python%20
|
|
- =ipconfig
|
|
- =wget%20 #available on windows
|
|
- =curl%20 #available on windows
|
|
- =certutil
|
|
- =copy%20%5C%5C
|
|
condition: select_method and keywords
|
|
fields:
|
|
- client_ip
|
|
- vhost
|
|
- url
|
|
- response
|
|
falsepositives:
|
|
- Web sites like wikis with articles on os commands and pages that include the os commands in the URLs
|
|
- User searches in search boxes of the respective website
|
|
level: high
|
|
tags:
|
|
- attack.persistence
|
|
- attack.t1505.003
|