Webshell Detection With Command Line Keywords
About the rule
Rule Type
Standard
Rule Description
Detects certain command line parameters often used during reconnaissance activity via web shells
Severity
Trouble
Rule Requirement
Criteria
Action1: actionname = "Process started" AND (PARENTPROCESSNAME endswith "\w3wp.exe,\php-cgi.exe,\nginx.exe,\httpd.exe,\caddy.exe,\ws_tomcatservice.exe" OR (PARENTPROCESSNAME endswith "\java.exe,\javaw.exe" AND PARENTPROCESSNAME contains "-tomcat-,\tomcat") OR (PARENTPROCESSNAME endswith "\java.exe,\javaw.exe" AND COMMANDLINE contains "catalina.jar,CATALINA_HOME")) AND ((ORIGINALFILENAME = "net.exe,net1.exe" AND COMMANDLINE contains " user , use , group ") OR (ORIGINALFILENAME = "ping.exe" AND COMMANDLINE contains " -n ") OR COMMANDLINE contains "&cd&echo,cd /d " OR (ORIGINALFILENAME = "wmic.exe" AND COMMANDLINE contains " /node:") OR (PROCESSNAME endswith "\cmd.exe,\powershell.exe,\pwsh.exe" AND COMMANDLINE contains " -enc , -EncodedCommand , -w hidden , -windowstyle hidden,.WebClient).Download") OR (PROCESSNAME endswith "\dsquery.exe,\find.exe,\findstr.exe,\ipconfig.exe,\netstat.exe,\nslookup.exe,\pathping.exe,\quser.exe,\schtasks.exe,\systeminfo.exe,\tasklist.exe,\tracert.exe,\ver.exe,\wevtutil.exe,\whoami.exe" OR ORIGINALFILENAME = "dsquery.exe,find.exe,findstr.exe,ipconfig.exe,netstat.exe,nslookup.exe,pathping.exe,quser.exe,schtasks.exe,sysinfo.exe,tasklist.exe,tracert.exe,ver.exe,VSSADMIN.EXE,wevtutil.exe,whoami.exe") OR COMMANDLINE contains " Test-NetConnection ,dir ") select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
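As an added example (not the rule page's or the vendor's own code), the criteria above re-implemented in Python and evaluated over constructed Sysmon-style process events. The event field names (Image, ParentImage, OriginalFileName, CommandLine) and case-insensitive matching are assumptions; the string lists are taken from the rule.

```python
# Selection 1 of the rule: parent image is a web server or a Tomcat JVM.
WEB_PARENTS = ("\\w3wp.exe", "\\php-cgi.exe", "\\nginx.exe", "\\httpd.exe",
               "\\caddy.exe", "\\ws_tomcatservice.exe")
JAVA = ("\\java.exe", "\\javaw.exe")
# Selection 2 of the rule: recon utilities, probes and obfuscated shells.
SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
SHELL_FLAGS = (" -enc ", " -encodedcommand ", " -w hidden ", " -windowstyle hidden",
               ".webclient).download")
RECON_IMAGES = ("\\dsquery.exe", "\\find.exe", "\\findstr.exe", "\\ipconfig.exe",
                "\\netstat.exe", "\\nslookup.exe", "\\pathping.exe", "\\quser.exe",
                "\\schtasks.exe", "\\systeminfo.exe", "\\tasklist.exe", "\\tracert.exe",
                "\\ver.exe", "\\wevtutil.exe", "\\whoami.exe")
# The rule's OriginalFileName list differs slightly from its image list.
RECON_ORIG = tuple(n[1:] for n in RECON_IMAGES if n != "\\systeminfo.exe") + ("sysinfo.exe", "vssadmin.exe")


def spawned_by_web_server(ev):
    """Selection 1: parent is a web server process or a Tomcat JVM."""
    parent, cmd = ev["ParentImage"].lower(), ev["CommandLine"].lower()
    if parent.endswith(WEB_PARENTS):
        return True
    return parent.endswith(JAVA) and (
        any(s in parent for s in ("-tomcat-", "\\tomcat"))
        or any(s in cmd for s in ("catalina.jar", "catalina_home")))


def looks_like_recon(ev):
    """Selection 2: child is a recon utility, a net/ping/wmic probe or a hidden shell."""
    image, cmd = ev["Image"].lower(), ev["CommandLine"].lower()
    orig = ev.get("OriginalFileName", "").lower()
    return (
        (orig in ("net.exe", "net1.exe") and any(s in cmd for s in (" user ", " use ", " group ")))
        or (orig == "ping.exe" and " -n " in cmd)
        or any(s in cmd for s in ("&cd&echo", "cd /d "))
        or (orig == "wmic.exe" and " /node:" in cmd)
        or (image.endswith(SHELLS) and any(s in cmd for s in SHELL_FLAGS))
        or image.endswith(RECON_IMAGES) or orig in RECON_ORIG
        or any(s in cmd for s in (" test-netconnection ", "dir ")))


def webshell_recon_hits(events):
    """Return the events on which the rule fires (both selections true)."""
    return [ev for ev in events if spawned_by_web_server(ev) and looks_like_recon(ev)]


# Constructed sample events: two IIS-spawned recon commands and one benign admin session.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\whoami.exe", "OriginalFileName": "whoami.exe",
     "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "CommandLine": "whoami /all"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "CommandLine": "cmd.exe /c cd /d C:\\inetpub\\wwwroot&whoami"},
    {"Image": "C:\\Windows\\System32\\whoami.exe", "OriginalFileName": "whoami.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "whoami"},
]
```

The third event shows why both selections are required: `whoami` on its own is routine, and only the web server parent makes it an alert.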
Detection
Execution Mode
realtime
Log Sources
Windows
Author
Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Chad Hudson, Matt Anderson