Sigma detection rule: Webshell Tool Reconnaissance Activity
Detects processes spawned by a web server process (PHP, Tomcat, IIS, nginx, etc.) that probe for the presence of popular scripting and download tools (perl, python, wget) on the host by invoking them with their help switches (--help, -h). Operators of a freshly dropped web shell commonly do this to learn which tools are available before choosing a follow-on payload.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1505.003 Server Software Component: Web Shell |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Security-Auditing | 4688 | A new process has been created. |
Stages and Predicates
The rule fires when any one of the three web-server selections (Stages 1 to 3) matches together with selection_recon (Stage 4). Within a selection, the values listed under a single field are alternatives (or), while separate field groups inside the same selection must all match (and), as for any Sigma selection map. Note that Stage 3 and Stage 4 both test the CommandLine of the spawned process, so on that path the same command line must carry both a Catalina marker and one of the help strings.
Stage 1: 1 of selection_webserver_image
or:
ParentImage|endswith: '\caddy.exe'
ParentImage|endswith: '\httpd.exe'
ParentImage|endswith: '\nginx.exe'
ParentImage|endswith: '\php-cgi.exe'
ParentImage|endswith: '\w3wp.exe'
ParentImage|endswith: '\ws_tomcatservice.exe'
Stage 2: 1 of selection_webserver_characteristics_tomcat1 (both field groups required)
or:
ParentImage|endswith: '\java.exe'
ParentImage|endswith: '\javaw.exe'
and, or:
ParentImage|contains: '-tomcat-'
ParentImage|contains: '\tomcat'
Stage 3: 1 of selection_webserver_characteristics_tomcat2 (both field groups required)
or:
CommandLine|contains: 'CATALINA_HOME'
CommandLine|contains: 'catalina.jar'
and, or:
ParentImage|endswith: '\java.exe'
ParentImage|endswith: '\javaw.exe'
Stage 4: selection_recon
or:
CommandLine|contains: 'perl --help'
CommandLine|contains: 'perl -h'
CommandLine|contains: 'python --help'
CommandLine|contains: 'python -h'
CommandLine|contains: 'python3 --help'
CommandLine|contains: 'python3 -h'
CommandLine|contains: 'wget --help'
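To make the combination logic concrete, the following is an added worked example (written for this page, not code from the Sigma project or the rule's author) that re-implements the four selections as plain Python predicates and runs them over a handful of constructed process-creation events. It assumes events have already been normalized to the Sigma process_creation field names (ParentImage, CommandLine), which is what a Sysmon EID 1 or Security 4688 backend mapping produces, and it applies Sigma's default case-insensitive string matching. The sample events and their ids are made up for this example and are not real telemetry.

```python
"""Added example: the Webshell Tool Reconnaissance rule as Python predicates.

Field names follow the Sigma Windows process_creation log source. The
events below are constructed for illustration only.
"""

# Values copied from the rule's selections.
WEBSERVER_IMAGES = (
    r"\caddy.exe", r"\httpd.exe", r"\nginx.exe",
    r"\php-cgi.exe", r"\w3wp.exe", r"\ws_tomcatservice.exe",
)
JAVA_IMAGES = (r"\java.exe", r"\javaw.exe")
TOMCAT_PATH_MARKERS = ("-tomcat-", r"\tomcat")
TOMCAT_CMDLINE_MARKERS = ("CATALINA_HOME", "catalina.jar")
RECON_STRINGS = (
    "perl --help", "perl -h",
    "python --help", "python -h",
    "python3 --help", "python3 -h",
    "wget --help",
)


def _field(event, name):
    # Sigma string values match case-insensitively by default, so compare lowercased.
    return str(event.get(name, "")).lower()


def _endswith_any(value, suffixes):
    return any(value.endswith(s.lower()) for s in suffixes)


def _contains_any(value, needles):
    return any(n.lower() in value for n in needles)


def selection_webserver_image(event):
    return _endswith_any(_field(event, "ParentImage"), WEBSERVER_IMAGES)


def selection_webserver_characteristics_tomcat1(event):
    # Two field groups in one selection: both must hold (AND); the values
    # listed under each field are alternatives (OR).
    parent = _field(event, "ParentImage")
    return _endswith_any(parent, JAVA_IMAGES) and _contains_any(parent, TOMCAT_PATH_MARKERS)


def selection_webserver_characteristics_tomcat2(event):
    # Note: this tests the child's CommandLine, the same field selection_recon uses.
    return (_endswith_any(_field(event, "ParentImage"), JAVA_IMAGES)
            and _contains_any(_field(event, "CommandLine"), TOMCAT_CMDLINE_MARKERS))


def selection_recon(event):
    return _contains_any(_field(event, "CommandLine"), RECON_STRINGS)


def rule_matches(event):
    """condition: 1 of selection_webserver_* and selection_recon"""
    webserver = (selection_webserver_image(event)
                 or selection_webserver_characteristics_tomcat1(event)
                 or selection_webserver_characteristics_tomcat2(event))
    return webserver and selection_recon(event)


# Constructed sample events (ids are labels for this example only).
SAMPLE_EVENTS = [
    {"id": "iis-python-help",            # Stage 1 + Stage 4 -> alert
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "python --help"'},
    {"id": "tomcat-path-perl",           # Stage 2 + Stage 4 -> alert
     "ParentImage": r"C:\Program Files\Apache-Tomcat-9.0\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c perl -h"},
    {"id": "tomcat-catalina-wget",       # Stage 3 + Stage 4 (both in one CommandLine) -> alert
     "ParentImage": r"C:\Java\jdk\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "set CATALINA_HOME & wget --help"'},
    {"id": "admin-from-explorer",        # recon string but no web-server parent -> no alert
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Python39\python.exe",
     "CommandLine": "python --help"},
    {"id": "nginx-php-worker",           # web-server parent but no recon string -> no alert
     "ParentImage": r"C:\nginx\nginx.exe",
     "Image": r"C:\php\php-cgi.exe",
     "CommandLine": r"C:\php\php-cgi.exe -b 127.0.0.1:9000"},
    {"id": "java-no-tomcat",             # java parent without any Tomcat marker -> no alert
     "ParentImage": r"C:\Java\jdk\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c python3 -h"},
]


def run(events):
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print("ALERT", hit)
```

The java-no-tomcat event is the instructive miss: a help string launched from a generic java.exe is not enough, because Stages 2 and 3 require a Tomcat marker in either the parent path or the child command line. Conversely, tomcat-catalina-wget only alerts because the Catalina marker and the help string share one command line, which is the Stage 3 constraint noted above.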
Indicators
Each row lists a field, the Sigma modifier applied to it, and the values the rule matches on, collected from the selections above.
| Field | Kind | Values |
|---|---|---|
| CommandLine | contains | 'perl --help', 'perl -h', 'python --help', 'python -h', 'python3 --help', 'python3 -h', 'wget --help', 'CATALINA_HOME', 'catalina.jar' |
| ParentImage | ends_with | '\caddy.exe', '\httpd.exe', '\nginx.exe', '\php-cgi.exe', '\w3wp.exe', '\ws_tomcatservice.exe', '\java.exe', '\javaw.exe' |
| ParentImage | contains | '-tomcat-', '\tomcat' |