detection.wiki

Detection rules › Sigma

Webshell Hacking Activity Patterns

Severity
high
Author
Florian Roth (Nextron Systems)
Source
upstream

Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system

MITRE ATT&CK coverage

TacticTechniques
PersistenceT1505.003 Server Software Component: Web Shell
DiscoveryT1018 Remote System Discovery, T1033 System Owner/User Discovery, T1087 Account Discovery

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation
Security-Auditing4688A new process has been created.

Stages and Predicates

Stage 1: 1 of selection_webserver_image

or:
ParentImage|endswith: '\caddy.exe'
ParentImage|endswith: '\httpd.exe'
ParentImage|endswith: '\nginx.exe'
ParentImage|endswith: '\php-cgi.exe'
ParentImage|endswith: '\w3wp.exe'
ParentImage|endswith: '\ws_tomcatservice.exe'

Stage 2: 1 of selection_webserver_characteristics_tomcat1

or:
ParentImage|endswith: '\java.exe'
ParentImage|endswith: '\javaw.exe'
or:
ParentImage|contains: -tomcat-
ParentImage|contains: '\tomcat'

Stage 3: 1 of selection_webserver_characteristics_tomcat2

or:
CommandLine|contains: CATALINA_HOME
CommandLine|contains: catalina.jar
or:
ParentImage|endswith: '\java.exe'
ParentImage|endswith: '\javaw.exe'

Stage 4: 1 of selection_child_1

CommandLine|contains: comsvcs
CommandLine|contains: rundll32

Stage 5: 1 of selection_child_2

CommandLine|contains: ' -hp'
CommandLine|contains: ' -m'
CommandLine|contains: ' a '

Stage 6: 1 of selection_child_3

CommandLine|contains: ' /add'
CommandLine|contains: ' user '
CommandLine|contains: net

Stage 7: 1 of selection_child_4

CommandLine|contains: ' administrators '
CommandLine|contains: ' localgroup '
CommandLine|contains: '/add'
CommandLine|contains: net

Stage 8: 1 of selection_child_5

or:
Image|endswith: '\Nanodump.exe'
Image|endswith: '\adfind.exe'
Image|endswith: '\fsutil.exe'
Image|endswith: '\ldifde.exe'
Image|endswith: '\ntdsutil.exe'
Image|endswith: '\procdump.exe'
Image|endswith: '\vssadmin.exe'

Stage 9: 1 of selection_child_6

or:
CommandLine|contains: ' -NoP '
CommandLine|contains: ' -W Hidden '
CommandLine|contains: ' -decode '
CommandLine|contains: ' /decode '
CommandLine|contains: ' /ticket:'
CommandLine|contains: ' sekurlsa'
CommandLine|contains: '.dmp full'
CommandLine|contains: '.downloadfile('
CommandLine|contains: '.downloadstring('
CommandLine|contains: FromBase64String
CommandLine|contains: 'process call create'
CommandLine|contains: 'reg save '
CommandLine|contains: 'whoami /priv'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • -NoP corpus 2 (sigma 2)
  • -W Hidden corpus 2 (sigma 2)
  • -decode corpus 4 (sigma 4)
  • -hp corpus 3 (sigma 3)
  • -m corpus 3 (sigma 3)
  • /add corpus 5 (sigma 5)
  • /decode corpus 2 (sigma 2)
  • /ticket: corpus 2 (sigma 2)
  • a corpus 4 (sigma 4)
  • administrators corpus 2 (sigma 2)
  • localgroup corpus 2 (sigma 2)
  • sekurlsa
  • user corpus 3 (sigma 3)
  • .dmp full
  • .downloadfile( corpus 3 (sigma 3)
  • .downloadstring( corpus 3 (sigma 3)
  • /add corpus 3 (sigma 3)
  • CATALINA_HOME corpus 3 (sigma 3)
  • FromBase64String corpus 7 (sigma 7)
  • catalina.jar corpus 3 (sigma 3)
  • comsvcs corpus 2 (sigma 2)
  • net
  • process call create
  • reg save
  • rundll32 corpus 19 (sigma 19)
  • whoami /priv
Imageends_with
  • \Nanodump.exe
  • \adfind.exe
  • \fsutil.exe corpus 4 (sigma 4)
  • \ldifde.exe corpus 3 (sigma 3)
  • \ntdsutil.exe corpus 4 (sigma 4)
  • \procdump.exe corpus 6 (sigma 6)
  • \vssadmin.exe corpus 5 (sigma 5)
ParentImageends_with
  • \caddy.exe corpus 4 (sigma 4)
  • \httpd.exe corpus 6 (sigma 6)
  • \java.exe corpus 7 (sigma 7)
  • \javaw.exe corpus 5 (sigma 5)
  • \nginx.exe corpus 6 (sigma 6)
  • \php-cgi.exe corpus 6 (sigma 6)
  • \w3wp.exe corpus 8 (sigma 8)
  • \ws_tomcatservice.exe corpus 3 (sigma 3)
ParentImagematch
  • -tomcat- corpus 4 (sigma 4)
  • \tomcat corpus 6 (sigma 6)