Hub configuration

More info

1type: trigger

2name: sigmahq/proc_creation_win_webshell_recon_commands_and_processes

3description: |

4 Detects certain command line parameters often used during reconnaissance activity via web shells

5filter: |

6 (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.ParentImage endsWith '\\w3wp.exe' || evt.Parsed.ParentImage endsWith '\\php-cgi.exe' || evt.Parsed.ParentImage endsWith '\\nginx.exe' || evt.Parsed.ParentImage endsWith '\\httpd.exe' || evt.Parsed.ParentImage endsWith '\\caddy.exe' || evt.Parsed.ParentImage endsWith '\\ws_tomcatservice.exe' || (evt.Parsed.ParentImage endsWith '\\java.exe' || evt.Parsed.ParentImage endsWith '\\javaw.exe') && (evt.Parsed.ParentImage contains '-tomcat-' || evt.Parsed.ParentImage contains '\\tomcat') || (evt.Parsed.ParentImage endsWith '\\java.exe' || evt.Parsed.ParentImage endsWith '\\javaw.exe') && (evt.Parsed.CommandLine contains 'catalina.jar' || evt.Parsed.CommandLine contains 'CATALINA_HOME')) && ((evt.Parsed.OriginalFileName in ['net.exe', 'net1.exe']) && (evt.Parsed.CommandLine contains ' user ' || evt.Parsed.CommandLine contains ' use ' || evt.Parsed.CommandLine contains ' group ') || evt.Parsed.OriginalFileName == 'ping.exe' && evt.Parsed.CommandLine contains ' -n ' || evt.Parsed.CommandLine contains '&cd&echo' || evt.Parsed.CommandLine contains 'cd /d ' || evt.Parsed.OriginalFileName == 'wmic.exe' && evt.Parsed.CommandLine contains ' /node:' || evt.Parsed.Image endsWith '\\dsquery.exe' || evt.Parsed.Image endsWith '\\find.exe' || evt.Parsed.Image endsWith '\\findstr.exe' || evt.Parsed.Image endsWith '\\ipconfig.exe' || evt.Parsed.Image endsWith '\\netstat.exe' || evt.Parsed.Image endsWith '\\nslookup.exe' || evt.Parsed.Image endsWith '\\pathping.exe' || evt.Parsed.Image endsWith '\\quser.exe' || evt.Parsed.Image endsWith '\\schtasks.exe' || evt.Parsed.Image endsWith '\\systeminfo.exe' || evt.Parsed.Image endsWith '\\tasklist.exe' || evt.Parsed.Image endsWith '\\tracert.exe' || evt.Parsed.Image endsWith '\\ver.exe' || evt.Parsed.Image endsWith '\\wevtutil.exe' || evt.Parsed.Image endsWith '\\whoami.exe' || evt.Parsed.OriginalFileName in ['dsquery.exe', 'find.exe', 'findstr.exe', 'ipconfig.exe', 'netstat.exe', 'nslookup.exe', 'pathping.exe', 'quser.exe', 'schtasks.exe', 'sysinfo.exe', 'tasklist.exe', 'tracert.exe', 'ver.exe', 'VSSADMIN.EXE', 'wevtutil.exe', 'whoami.exe'] || evt.Parsed.CommandLine contains ' Test-NetConnection ' || evt.Parsed.CommandLine contains 'dir \\'))

7blackhole: 2m

8#status: test

9labels:

10 service: windows

11 confidence: 1

12 spoofable: 0

13 classification:

14 - attack.t1505.003

15 - attack.t1018

16 - attack.t1033

17 - attack.t1087

19 label: "Webshell Detection With Command Line Keywords"

20 behavior : "windows:audit"

21 remediation: false

23scope:

24 type: ParentProcessId

25 expression: evt.Parsed.ParentProcessId

Hub configuration

« proc_creation_win_webshell_recon_commands_and_processes »v0.2 by sigmahqAttack scenarioservice:windowsspoofable:0MITRE:t1505MITRE:t1018MITRE:t1033MITRE:t1087confidence:1

« proc_creation_win_webshell_recon_commands_and_processes »
v0.2 by sigmahq
Attack scenarioservice:windowsspoofable:0MITRE:t1505MITRE:t1018MITRE:t1033MITRE:t1087confidence:1