Webshell Hacking Activity Patterns

Action1: actionname = "Process started" AND (PARENTPROCESSNAME endswith "\caddy.exe,\httpd.exe,\nginx.exe,\php-cgi.exe,\w3wp.exe,\ws_tomcatservice.exe" OR (PARENTPROCESSNAME endswith "\java.exe,\javaw.exe" AND PARENTPROCESSNAME contains "-tomcat-,\tomcat") OR (PARENTPROCESSNAME endswith "\java.exe,\javaw.exe" AND COMMANDLINE contains "catalina.jar,CATALINA_HOME")) AND ((COMMANDLINE contains "rundll32" AND COMMANDLINE contains "comsvcs") OR (COMMANDLINE contains " -hp" AND COMMANDLINE contains " a " AND COMMANDLINE contains " -m") OR (COMMANDLINE contains "net" AND COMMANDLINE contains " user " AND COMMANDLINE contains " /add") OR (COMMANDLINE contains "net" AND COMMANDLINE contains " localgroup " AND COMMANDLINE contains " administrators " AND COMMANDLINE contains "/add") OR PROCESSNAME endswith "\ntdsutil.exe,\ldifde.exe,\adfind.exe,\procdump.exe,\Nanodump.exe,\vssadmin.exe,\fsutil.exe" OR COMMANDLINE contains " -decode , -NoP , -W Hidden , /decode , /ticket:, sekurlsa,.dmp full,.downloadfile(,.downloadstring(,FromBase64String,process call create,reg save ,whoami /priv") select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME