Potential Webshell Creation On Static Website

Severity: medium
Author: Beyu Denis, oscd.community, Tim Shelton, Thurein Oo
Source: upstream

Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1505.003` Server Software Component: Web Shell

Event coverage

Provider	Event ID	Title
Sysmon	11	FileCreate

Stages and Predicates

Stage 1: `all of selection_wwwroot_path`

TargetFilename|contains: '\inetpub\wwwroot\'

Stage 2: `all of selection_wwwroot_ext`

or:
TargetFilename|contains: .ashx
TargetFilename|contains: .asp
TargetFilename|contains: .ph
TargetFilename|contains: .soap

Stage 3: `all of selection_htdocs_path`

or:
TargetFilename|contains: '\htdocs\'
TargetFilename|contains: '\html\'
TargetFilename|contains: '\www\'

Stage 4: `all of selection_htdocs_ext`

TargetFilename|contains: .ph

Stage 5: `not 1 of filter_main_*`

or:
Image: System
TargetFilename|contains: '\AppData\Local\Temp\'
TargetFilename|contains: '\Windows\Temp\'
TargetFilename|contains: '\xampp'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	eq	`System` corpus 8 (sigma 8)
`TargetFilename`	match	`.ashx` `.asp` `.ph` `.soap` `\AppData\Local\Temp\` corpus 11 (sigma 11) `\Windows\Temp\` corpus 3 (sigma 3) `\htdocs\` `\html\` `\inetpub\wwwroot\` corpus 2 (sigma 2) `\www\` `\xampp`

Potential Webshell Creation On Static Website

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: all of selection_wwwroot_path

Stage 2: all of selection_wwwroot_ext

Stage 3: all of selection_htdocs_path