# Installs this scenario from the CrowdSec hub with cscli; the YAML below is what gets installed.
cscli scenarios install sigmahq/proc_creation_win_webshell_hacking
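# CrowdSec scenario generated from the SigmaHQ rule "Webshell Hacking Activity Patterns".
# Fires once per matching Sysmon process-creation event (trigger): a web-server
# process (or a Tomcat JVM) spawning a child whose image or command line matches
# known credential-dumping / persistence / discovery / download tooling.
type: trigger
name: sigmahq/proc_creation_win_webshell_hacking
description: |
  Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
# The filter is the Sigma logic as three AND-ed groups:
#   1. event source: Sysmon EventID 1 (process creation)
#   2. parent is a web server (caddy/httpd/nginx/php-cgi/w3wp/ws_tomcatservice)
#      or a java/javaw whose path, or whose child's command line, carries Tomcat markers
#   3. child matches one of the suspicious image names / command-line fragments
# Parentheses are explicit so the grouping does not rely on the reader knowing
# that expr binds && tighter than ||. Line breaks inside a `|` block are fine for expr.
# NOTE(review): expr `contains` / `endsWith` are case-sensitive, while Windows
# paths and most of the matched tools are not (e.g. `W3WP.EXE`, `RunDll32 ... ComSvcs`
# would not match). If the installed CrowdSec exposes a lower-casing helper, wrapping
# the fields and lower-casing the literals would close that gap — confirm before changing
# this generated rule, or fix it upstream in the Sigma backend.
# NOTE(review): the second Tomcat branch checks evt.Parsed.CommandLine (the child's
# command line) for catalina.jar / CATALINA_HOME; this mirrors the upstream Sigma rule,
# but for a java parent those markers usually live in the parent's command line, so
# that branch may rarely fire — verify against real Sysmon data.
filter: |
  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1')
  && (
    evt.Parsed.ParentImage endsWith '\\caddy.exe'
    || evt.Parsed.ParentImage endsWith '\\httpd.exe'
    || evt.Parsed.ParentImage endsWith '\\nginx.exe'
    || evt.Parsed.ParentImage endsWith '\\php-cgi.exe'
    || evt.Parsed.ParentImage endsWith '\\w3wp.exe'
    || evt.Parsed.ParentImage endsWith '\\ws_tomcatservice.exe'
    || (
      (evt.Parsed.ParentImage endsWith '\\java.exe' || evt.Parsed.ParentImage endsWith '\\javaw.exe')
      && (evt.Parsed.ParentImage contains '-tomcat-' || evt.Parsed.ParentImage contains '\\tomcat')
    )
    || (
      (evt.Parsed.ParentImage endsWith '\\java.exe' || evt.Parsed.ParentImage endsWith '\\javaw.exe')
      && (evt.Parsed.CommandLine contains 'catalina.jar' || evt.Parsed.CommandLine contains 'CATALINA_HOME')
    )
  )
  && (
    (evt.Parsed.CommandLine contains 'rundll32' && evt.Parsed.CommandLine contains 'comsvcs')
    || (evt.Parsed.CommandLine contains ' -hp' && evt.Parsed.CommandLine contains ' a ' && evt.Parsed.CommandLine contains ' -m')
    || (evt.Parsed.CommandLine contains 'net' && evt.Parsed.CommandLine contains ' user ' && evt.Parsed.CommandLine contains ' /add')
    || (evt.Parsed.CommandLine contains 'net' && evt.Parsed.CommandLine contains ' localgroup ' && evt.Parsed.CommandLine contains ' administrators ' && evt.Parsed.CommandLine contains '/add')
    || evt.Parsed.Image endsWith '\\ntdsutil.exe'
    || evt.Parsed.Image endsWith '\\ldifde.exe'
    || evt.Parsed.Image endsWith '\\adfind.exe'
    || evt.Parsed.Image endsWith '\\procdump.exe'
    || evt.Parsed.Image endsWith '\\Nanodump.exe'
    || evt.Parsed.Image endsWith '\\vssadmin.exe'
    || evt.Parsed.Image endsWith '\\fsutil.exe'
    || evt.Parsed.CommandLine contains ' -decode '
    || evt.Parsed.CommandLine contains ' -NoP '
    || evt.Parsed.CommandLine contains ' -W Hidden '
    || evt.Parsed.CommandLine contains ' /decode '
    || evt.Parsed.CommandLine contains ' /ticket:'
    || evt.Parsed.CommandLine contains ' sekurlsa'
    || evt.Parsed.CommandLine contains '.dmp full'
    || evt.Parsed.CommandLine contains '.downloadfile('
    || evt.Parsed.CommandLine contains '.downloadstring('
    || evt.Parsed.CommandLine contains 'FromBase64String'
    || evt.Parsed.CommandLine contains 'process call create'
    || evt.Parsed.CommandLine contains 'reg save '
    || evt.Parsed.CommandLine contains 'whoami /priv'
  )
# Partition buckets by parent process. Without a groupby every event lands in the
# single per-scenario bucket, so the blackhole below would silence the whole scenario
# for 2 minutes after the first alert, hiding a second web shell (different parent)
# that acts in that window. Keyed on the same field the scope uses.
groupby: evt.Parsed.ParentProcessId
# After an alert, ignore further matches for the same parent process for 2 minutes
# (one webshell running a command loop does not produce an alert storm).
blackhole: 2m
#status: test
labels:
  service: windows
  # Low confidence: several clauses are short substrings ('net', ' a ', ' -m') that are
  # only meaningful in combination; expect tuning on hosts with legitimate admin scripts.
  confidence: 1
  spoofable: 0
  classification:
    - attack.t1505.003
    - attack.t1018
    - attack.t1033
    - attack.t1087

  label: "Webshell Hacking Activity Patterns"
  behavior: "windows:audit"
  # Audit-only: no decision is emitted for the matched scope.
  remediation: false

# Alert scope is the parent (web server / JVM) process id rather than an IP.
scope:
  type: ParentProcessId
  expression: evt.Parsed.ParentProcessId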