frack113
37 lines
1.1 KiB
YAML
37 lines
1.1 KiB
YAML
title: Webshell ReGeorg Detection Via Web Logs
|
|
id: 2ea44a60-cfda-11ea-87d0-0242ac130003
|
|
status: experimental
|
|
description: Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.
|
|
author: Cian Heasley
|
|
date: 2020/08/04
|
|
modified: 2021/11/23
|
|
references:
|
|
- https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3
|
|
- https://github.com/sensepost/reGeorg
|
|
logsource:
|
|
category: webserver
|
|
detection:
|
|
selection:
|
|
cs-uri-query|contains:
|
|
- 'cmd=read'
|
|
- 'connect&target'
|
|
- 'cmd=connect'
|
|
- 'cmd=disconnect'
|
|
- 'cmd=forward'
|
|
filter:
|
|
cs-referer: null
|
|
cs-User-Agent: null
|
|
cs-method: POST
|
|
condition: selection and filter
|
|
fields:
|
|
- cs-uri-query
|
|
- cs-referer
|
|
- cs-method
|
|
- cs-User-Agent
|
|
falsepositives:
|
|
- web applications that use the same URL parameters as ReGeorg
|
|
level: high
|
|
tags:
|
|
- attack.persistence
|
|
- attack.t1505.003
|