Webshell Detection With Command Line Keywords

Severity: high
Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Chad Hudson, Matt Anderson
Source: upstream

Detects certain command line parameters often used during reconnaissance activity via web shells

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1505.003` Server Software Component: Web Shell
Discovery	`T1018` Remote System Discovery, `T1033` System Owner/User Discovery, `T1087` Account Discovery

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `1 of selection_webserver_image`

or:
ParentImage|endswith: '\caddy.exe'
ParentImage|endswith: '\httpd.exe'
ParentImage|endswith: '\nginx.exe'
ParentImage|endswith: '\php-cgi.exe'
ParentImage|endswith: '\w3wp.exe'
ParentImage|endswith: '\ws_tomcatservice.exe'

Stage 2: `1 of selection_webserver_characteristics_tomcat1`

or:
ParentImage|endswith: '\java.exe'
ParentImage|endswith: '\javaw.exe'
or:
ParentImage|contains: -tomcat-
ParentImage|contains: '\tomcat'

Stage 3: `1 of selection_webserver_characteristics_tomcat2`

or:
CommandLine|contains: CATALINA_HOME
CommandLine|contains: catalina.jar
or:
ParentImage|endswith: '\java.exe'
ParentImage|endswith: '\javaw.exe'

Stage 4: `1 of selection_susp_net_utility`

or:
CommandLine|contains: ' group '
CommandLine|contains: ' use '
CommandLine|contains: ' user '
OriginalFileName: [net.exe, net1.exe]

Stage 5: `1 of selection_susp_ping_utility`

CommandLine|contains: ' -n '
OriginalFileName: ping.exe

Stage 6: `1 of selection_susp_change_dir`

or:
CommandLine|contains: '&cd&echo'
CommandLine|contains: 'cd /d '

Stage 7: `1 of selection_susp_wmic_utility`

CommandLine|contains: ' /node:'
OriginalFileName: wmic.exe

Stage 8: `1 of selection_susp_powershell_cli`

or:
CommandLine|contains: ' -EncodedCommand '
CommandLine|contains: ' -enc '
CommandLine|contains: ' -w hidden '
CommandLine|contains: ' -windowstyle hidden'
CommandLine|contains: '.WebClient).Download'
or:
Image|endswith: '\cmd.exe'
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'

Stage 9: `1 of selection_susp_misc_discovery_binaries`

or:
Image|endswith: '\dsquery.exe'
Image|endswith: '\find.exe'
Image|endswith: '\findstr.exe'
Image|endswith: '\ipconfig.exe'
Image|endswith: '\netstat.exe'
Image|endswith: '\nslookup.exe'
Image|endswith: '\pathping.exe'
Image|endswith: '\quser.exe'
Image|endswith: '\schtasks.exe'
Image|endswith: '\systeminfo.exe'
Image|endswith: '\tasklist.exe'
Image|endswith: '\tracert.exe'
Image|endswith: '\ver.exe'
Image|endswith: '\wevtutil.exe'
Image|endswith: '\whoami.exe'
OriginalFileName: VSSADMIN.EXE
OriginalFileName: dsquery.exe
OriginalFileName: find.exe
OriginalFileName: findstr.exe
OriginalFileName: ipconfig.exe
OriginalFileName: netstat.exe
OriginalFileName: nslookup.exe
OriginalFileName: pathping.exe
OriginalFileName: quser.exe
OriginalFileName: schtasks.exe
OriginalFileName: sysinfo.exe
OriginalFileName: tasklist.exe
OriginalFileName: tracert.exe
OriginalFileName: ver.exe
OriginalFileName: wevtutil.exe
OriginalFileName: whoami.exe

Stage 10: `1 of selection_susp_misc_discovery_commands`

or:
CommandLine|contains: ' Test-NetConnection '
CommandLine|contains: 'dir \'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`-EncodedCommand` corpus 2 (sigma 2) `-enc` corpus 6 (sigma 6) `-n` corpus 5 (sigma 5) `-w hidden` corpus 3 (sigma 3) `-windowstyle hidden` `/node:` `Test-NetConnection` `group` corpus 2 (sigma 2) `use` corpus 6 (sigma 6) `user` corpus 3 (sigma 3) `&cd&echo` corpus 2 (sigma 2) `.WebClient).Download` `CATALINA_HOME` corpus 3 (sigma 3) `catalina.jar` corpus 3 (sigma 3) `cd /d` `dir \`
`Image`	ends_with	`\cmd.exe` corpus 92 (sigma 92) `\dsquery.exe` corpus 2 (sigma 2) `\find.exe` corpus 8 (sigma 8) `\findstr.exe` corpus 11 (sigma 11) `\ipconfig.exe` corpus 2 (sigma 2) `\netstat.exe` corpus 5 (sigma 5) `\nslookup.exe` corpus 4 (sigma 4) `\pathping.exe` `\powershell.exe` corpus 143 (sigma 143) `\pwsh.exe` corpus 140 (sigma 140) `\quser.exe` corpus 2 (sigma 2) `\schtasks.exe` corpus 45 (sigma 45) `\systeminfo.exe` corpus 9 (sigma 9) `\tasklist.exe` corpus 4 (sigma 4) `\tracert.exe` `\ver.exe` `\wevtutil.exe` corpus 6 (sigma 6) `\whoami.exe` corpus 18 (sigma 18)
`OriginalFileName`	eq	`VSSADMIN.EXE` corpus 3 (sigma 3) `dsquery.exe` corpus 2 (sigma 2) `find.exe` `findstr.exe` `ipconfig.exe` `net.exe` corpus 16 (sigma 16) `net1.exe` corpus 16 (sigma 16) `netstat.exe` `nslookup.exe` `pathping.exe` `ping.exe` `quser.exe` corpus 2 (sigma 2) `schtasks.exe` corpus 14 (sigma 14) `sysinfo.exe` corpus 2 (sigma 2) `tasklist.exe` corpus 2 (sigma 2) `tracert.exe` `ver.exe` `wevtutil.exe` corpus 4 (sigma 4) `whoami.exe` corpus 9 (sigma 9) `wmic.exe` corpus 33 (sigma 33)
`ParentImage`	ends_with	`\caddy.exe` corpus 4 (sigma 4) `\httpd.exe` corpus 6 (sigma 6) `\java.exe` corpus 7 (sigma 7) `\javaw.exe` corpus 5 (sigma 5) `\nginx.exe` corpus 6 (sigma 6) `\php-cgi.exe` corpus 6 (sigma 6) `\w3wp.exe` corpus 8 (sigma 8) `\ws_tomcatservice.exe` corpus 3 (sigma 3)
`ParentImage`	match	`-tomcat-` corpus 4 (sigma 4) `\tomcat` corpus 6 (sigma 6)

Webshell Detection With Command Line Keywords

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: 1 of selection_webserver_image

Stage 2: 1 of selection_webserver_characteristics_tomcat1

Stage 3: 1 of selection_webserver_characteristics_tomcat2

Stage 4: 1 of selection_susp_net_utility

Stage 5: 1 of selection_susp_ping_utility

Stage 6: 1 of selection_susp_change_dir

Stage 7: 1 of selection_susp_wmic_utility

Stage 8: 1 of selection_susp_powershell_cli

Stage 9: 1 of selection_susp_misc_discovery_binaries

Stage 10: 1 of selection_susp_misc_discovery_commands