diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/README.md b/rules-emerging-threats/2023/TA/Lace-Tempest/README.md
new file mode 100644
index 00000000000..345a18f7745
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/Lace-Tempest/README.md
@@ -0,0 +1,17 @@
+# Lace Tempest SysAid CVE-2023-47246 Exploitation
+
+## Summary
+
+A zero-day vulnerability in the SysAid on-premises software was exploited by DEV-0950 (Lace Tempest). Where the threat actor uploaded a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service. The WebShell provided the attacker with unauthorized access and control over the affected system. Subsequently, the attacker utilized a PowerShell script, deployed through the WebShell, to execute a malware loader named user.exe on the compromised host, which was used to load the GraceWire trojan
+
+You can find more information on the threat in the following articles:
+
+- [SysAid On-Prem Software CVE-2023-47246 Vulnerability](https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification)
+
+## Rules
+
+- [Lace Tempest File Indicators](./file_event_win_apt_lace_tempest_indicators.yml)
+- [Lace Tempest PowerShell Evidence Eraser](./posh_ps_apt_lace_tempest_eraser_script.yml)
+- [Lace Tempest PowerShell Launcher](./posh_ps_apt_lace_tempest_malware_launcher.yml)
+- [Lace Tempest Cobalt Strike Download](./proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml)
+- [Lace Tempest Malware Loader Execution](./proc_creation_win_apt_lace_tempest_loader_execution.yml)
diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml
new file mode 100644
index 00000000000..3d2ac26c8d2
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml
@@ -0,0 +1,25 @@
+title: Lace Tempest File Indicators
+id: e94486ea-2650-4548-bf25-88cbd0bb32d7
+status: experimental
+description: Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7
+references:
+ - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/11/09
+tags:
+ - attack.execution
+ - detection.emerging_threats
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ - TargetFilename|endswith:
+ - ':\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe'
+ - ':\Program Files\SysAidServer\tomcat\webapps\usersfiles.war'
+ - ':\Program Files\SysAidServer\tomcat\webapps\leave'
+ - TargetFilename|contains: ':\Program Files\SysAidServer\tomcat\webapps\user.'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml
new file mode 100644
index 00000000000..7a8a8ddfdc6
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml
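Review bot: The `description` of this new rule does not describe it — it talks about PowerShell script file creation "seen ... by FIN7", while the selection matches `usersfiles.war`, `usersfiles\user.exe` and `leave` under the SysAid Tomcat `webapps` directory, so it reads like a copy-paste from another rule. Suggest `description: Detects the creation of files in the SysAid Tomcat webapps directory (WAR archive, web shell artefacts and the user.exe loader) matching paths observed during Lace Tempest exploitation of CVE-2023-47246, as reported by the SysAid team`. Since the WAR/web-shell drop is what the selection keys on, tagging `attack.persistence` and `attack.t1505.003` alongside `attack.execution` would map it more accurately. The `TargetFilename|contains: ':\Program Files\SysAidServer\tomcat\webapps\user.'` entry is broad enough to catch any `user.*` file directly under `webapps`, which looks intentional but deserves a one-line comment.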
@@ -0,0 +1,30 @@
+title: Lace Tempest PowerShell Evidence Eraser
+id: b377ddab-502d-4519-9e8c-5590033d2d70
+status: experimental
+description: |
+ Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team
+references:
+ - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/11/09
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - detection.emerging_threats
+logsource:
+ product: windows
+ category: ps_script
+ definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - 'cleanLL'
+ - 'usersfiles.war'
+ - 'Remove-Item -Path "$tomcat_dir'
+ - 'SysAidServer'
+ - 'sleep '
+ - 'while(1)'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml
new file mode 100644
index 00000000000..a8cb343ff01
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml
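Review bot: The tags only carry `attack.execution` / `attack.t1059.001`, but what the selection matches is an anti-forensics script — `cleanLL`, `Remove-Item -Path "$tomcat_dir` and `usersfiles.war` — so the primary mapping is defense evasion; add `- attack.defense_evasion` and `- attack.t1070.004` (File Deletion) to `tags`. The description reads as if the script erases evidence "by exploiting CVE-2023-47246", whereas the exploit is how the script got onto the host; `Detects a PowerShell script used by Lace Tempest to erase evidence from servers compromised via CVE-2023-47246, as reported by the SysAid team` is clearer. With `contains|all` over six strings, two of them generic (`'sleep '`, `'while(1)'`), any edit to the script defeats the rule; that is acceptable for an IOC-style rule but worth stating in the description so analysts do not read silence as absence.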
@@ -0,0 +1,29 @@
+title: Lace Tempest PowerShell Launcher
+id: 37dc5463-f7e3-4f61-ad76-ba59cd02a651
+status: experimental
+description: |
+ Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team
+references:
+ - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/11/09
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - detection.emerging_threats
+logsource:
+ product: windows
+ category: ps_script
+ definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - '\SysAidServer\tomcat\webapps'
+ - 'Starting user.exe'
+ - '\usersfiles\user.exe'
+ - 'Remove-Item -Force "$wapps'
+ - '(Sophos).'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml
new file mode 100644
index 00000000000..c6e118e5ef8
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml
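Review bot: Three of the five `contains|all` strings — `'Starting user.exe'`, `'(Sophos).'` and the variable name in `'Remove-Item -Force "$wapps'` — are cosmetic script text that the actor can change without touching behaviour, so the match is unusually brittle for a `level: high` rule. Consider requiring only the path-based strings (`'\SysAidServer\tomcat\webapps'`, `'\usersfiles\user.exe'`) and moving the cosmetic ones into a second, optional selection; at minimum, dropping `'Starting user.exe'` and `'(Sophos).'` still keys the rule on the SysAid-specific paths. The description reads as if the script launches the loader "by exploiting CVE-2023-47246"; the exploit is how the script arrived, so `Detects a PowerShell script used by Lace Tempest to launch their malware loader on servers compromised via CVE-2023-47246, as reported by the SysAid team` is clearer.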
@@ -0,0 +1,23 @@
+title: Lace Tempest Cobalt Strike Download
+id: aa5b0a40-ed88-46aa-9fdc-0337b379ca9d
+status: experimental
+description: Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team
+references:
+ - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/11/09
+tags:
+ - attack.execution
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - -nop -w hidden -c IEX ((new-object net.webclient).downloadstring(
+ - /a')
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml
new file mode 100644
index 00000000000..911078ce8fb
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml
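Review bot: The two `CommandLine|contains|all` values are the only unquoted strings in these new rules, and the first is a plain scalar beginning with `-nop`; quote them as `- '-nop -w hidden -c IEX ((new-object net.webclient).downloadstring('` and `- '/a'')'` (single quote doubled) so the YAML is unambiguous and consistent with the sibling rules. The first string is a generic PowerShell download cradle; only the `/a')` suffix ties it to this campaign, so "Cobalt Strike Download" in the title is an inference taken from the SysAid report rather than something the match establishes — worth saying in the description. Tagging `attack.t1059.001` and `attack.t1105` in addition to `attack.execution` would reflect what the command line actually shows.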
@@ -0,0 +1,23 @@
+title: Lace Tempest Malware Loader Execution
+id: 745ea50b-9673-4ba7-9426-cb45cf4a8e6d
+status: experimental
+description: Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team
+references:
+ - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/11/09
+tags:
+ - attack.execution
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ Image|endswith: ':\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe'
+ selection_hash:
+ Hashes|contains: 'SHA256=B5ACF14CDAC40BE590318DEE95425D0746E85B1B7B1CBD14DA66F21F2522BF4D'
+ condition: 1 of selection_*
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml
index 9d556c12dc5..299f7a56a84 100644
--- a/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml
@@ -1,10 +1,13 @@
-title: Suspicious Shells Spawned by Java
+title: Suspicious Processes Spawned by Java.EXE
 id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d
+related:
+ - id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0
+ type: similar
 status: experimental
-description: Detects suspicious shell spawned from Java host process (e.g. log4j exploitation)
+description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
 author: Andreas Hunkeler (@Karneades), Florian Roth
 date: 2021/12/17
-modified: 2023/01/21
+modified: 2023/11/09
 tags:
 - attack.initial_access
 - attack.persistence
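Review bot: `selection_hash` only fires when the telemetry source computes SHA256 — for Sysmon that means `SHA256` must be in the configured `HashAlgorithms` — otherwise the rule silently degrades to the `Image` path match and a renamed or relocated copy of the loader is missed. State that requirement in the rule, e.g. `definition: 'Requirements: SHA256 hashing must be enabled in the Sysmon configuration for selection_hash to match'` under `logsource`, or in the description. If the repository's process_creation field taxonomy also exposes a bare `sha256` field, adding `- sha256: 'b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d'` beside the `Hashes|contains` entry (as a list under `selection_hash`) lets the hash match on sources that do not emit Sysmon's combined `Hashes` string.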
@@ -16,32 +19,30 @@ detection:
 selection:
 ParentImage|endswith: '\java.exe'
 Image|endswith:
- - '\sh.exe'
+ - '\AppVLP.exe'
 - '\bash.exe'
- - '\powershell.exe'
- - '\pwsh.exe'
- - '\schtasks.exe'
- - '\certutil.exe'
- - '\whoami.exe'
 - '\bitsadmin.exe'
- - '\wscript.exe'
+ - '\certutil.exe'
 - '\cscript.exe'
- - '\scrcons.exe'
- - '\regsvr32.exe'
- - '\hh.exe'
- - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
- - '\mshta.exe'
- - '\rundll32.exe'
+ - '\curl.exe'
 - '\forfiles.exe'
- - '\scriptrunner.exe'
+ - '\hh.exe'
 - '\mftrace.exe'
- - '\AppVLP.exe'
- - '\curl.exe'
- - '\systeminfo.exe'
+ - '\mshta.exe'
 - '\net.exe'
 - '\net1.exe'
- - '\reg.exe'
 - '\query.exe'
+ - '\reg.exe'
+ - '\regsvr32.exe'
+ - '\rundll32.exe'
+ - '\schtasks.exe'
+ - '\scrcons.exe'
+ - '\scriptrunner.exe'
+ - '\sh.exe'
+ - '\systeminfo.exe'
+ - '\whoami.exe'
+ - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
+ - '\wscript.exe'
 condition: selection
 falsepositives:
 - Legitimate calls to system binaries
diff --git a/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml b/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml
index 853b2611f3e..0255a32e2f2 100644
--- a/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml
+++ b/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml
@@ -1,10 +1,13 @@
-title: Shells Spawned by Java
+title: Shell Process Spawned by Java.EXE
 id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0
+related:
+ - id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d
+ type: similar
 status: test
 description: Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
 author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali
 date: 2021/12/17
-modified: 2022/07/27
+modified: 2023/11/09
 tags:
 - attack.initial_access
 - attack.persistence
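Review bot: Nothing in the rule body records why `'\powershell.exe'` and `'\pwsh.exe'` no longer appear in `Image|endswith`, so a reader of this file alone sees a "suspicious processes" list that omits the PowerShell hosts and cannot tell whether that is deliberate. The `related` entry pointing at dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0 suggests shells are intentionally left to that rule; make it explicit with a comment on the list, e.g. `# Note: cmd.exe, powershell.exe and pwsh.exe are covered by the related rule dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0`. Separately, `ParentImage|endswith: '\java.exe'` does not cover `javaw.exe`, which the web-shell rules elsewhere in this diff treat as an equivalent Java host; if that is intentional it deserves the same comment, otherwise turn `ParentImage|endswith` into a list and add `- '\javaw.exe'`.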
@@ -19,10 +22,10 @@ detection:
 - '\cmd.exe'
 - '\powershell.exe'
 - '\pwsh.exe'
- filter:
+ filter_main_build:
 ParentImage|contains: 'build' # excluding CI build agents
 CommandLine|contains: 'build' # excluding CI build agents
- condition: selection and not filter
+ condition: selection and not 1 of filter_main_*
 falsepositives:
 - Legitimate calls to system binaries
 - Company specific internal usage
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml b/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml
index b2644fc9bf0..3a87945a630 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml
@@ -29,7 +29,7 @@ detection:
 - '&dir&echo'
 - '&echo [E]'
 - '&echo [S]'
- condition: all of selection*
+ condition: all of selection_*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml b/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml
index e192f9f81e4..2b3dbc800d9 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml
@@ -1,12 +1,13 @@
 title: Webshell Hacking Activity Patterns
 id: 4ebc877f-4612-45cb-b3a5-8e3834db36c9
 status: test
-description: Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system
+description: |
+ Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
 references:
 - https://youtu.be/7aemGhaE9ds?t=641
 author: Florian Roth (Nextron Systems)
 date: 2022/03/17
-modified: 2022/08/04
+modified: 2023/11/09
 tags:
 - attack.persistence
 - attack.t1505.003
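Review bot: `filter_main_build` can be satisfied by attacker-controlled input: it excludes any event whose parent path and command line both contain the substring `build`, and on a host whose Java process lives under a path containing "build" (the CI agent case the comment targets) a command like `cmd.exe /c whoami & rem build` slips past the filter. The rename is fine, but the exclusion should anchor on something the attacker cannot supply — the agent's executable path or the full invocation it makes — rather than a bare `CommandLine|contains: 'build'`. If the gap is accepted as a trade-off, say so in `falsepositives` so it is documented rather than implicit.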
@@ -20,11 +21,11 @@ detection:
 # Webserver
 selection_webserver_image:
 ParentImage|endswith:
- - '\w3wp.exe'
- - '\php-cgi.exe'
- - '\nginx.exe'
- - '\httpd.exe'
 - '\caddy.exe'
+ - '\httpd.exe'
+ - '\nginx.exe'
+ - '\php-cgi.exe'
+ - '\w3wp.exe'
 - '\ws_tomcatservice.exe'
 selection_webserver_characteristics_tomcat1:
 ParentImage|endswith:
@@ -80,20 +81,20 @@ detection:
 selection_child_6: # SUspicious patterns
 CommandLine|contains:
+ - ' -decode ' # Used with certutil
 - ' -NoP ' # Often used in malicious PowerShell commands
 - ' -W Hidden ' # Often used in malicious PowerShell commands
- - ' -decode ' # Used with certutil
 - ' /decode ' # Used with certutil
- - 'reg save ' # save registry SAM - syskey extraction
- - '.downloadstring(' # PowerShell download command
- - '.downloadfile(' # PowerShell download command
- - 'FromBase64String' # PowerShell encoded payload
 - ' /ticket:' # Rubeus
 - ' sekurlsa' # Mimikatz
 - '.dmp full' # Process dumping method apart from procdump
+ - '.downloadfile(' # PowerShell download command
+ - '.downloadstring(' # PowerShell download command
+ - 'FromBase64String' # PowerShell encoded payload
 - 'process call create' # WMIC process creation
+ - 'reg save ' # save registry SAM - syskey extraction
 - 'whoami /priv'
- condition: 1 of selection_webserver* and 1 of selection_child*
+ condition: 1 of selection_webserver_* and 1 of selection_child_*
 falsepositives:
 - Unlikely
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_detection.yml b/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml
similarity index 82%
rename from rules/windows/process_creation/proc_creation_win_webshell_detection.yml
rename to rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml
index 34edc76511b..67e6d15358c 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_detection.yml
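Review bot: The patterns `' -NoP '`, `' -W Hidden '`, `' -decode '` and `' /decode '` in `selection_child_6` all require a trailing space, so a command line that ends with the flag (`-w hidden` or `-decode` as the last argument, which is common for short cradles and certutil one-liners) does not match. Since Sigma `contains` is a substring match, dropping the trailing space — `- ' -NoP'`, `- ' -W Hidden'`, `- ' -decode'`, `- ' /decode'` — keeps the leading-space anchor that prevents mid-word hits while closing that gap; `-NoProfile` would then also match, which is the intended meaning anyway. The reordering itself is fine; `selection_child_6` is only one of the selections combined by `1 of selection_child_*`, and the others start before this hunk.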
+++ b/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml
@@ -40,7 +40,7 @@ detection:
 CommandLine|contains:
 - 'catalina.jar'
 - 'CATALINA_HOME'
- susp_net_utility:
+ selection_susp_net_utility:
 OriginalFileName:
 - 'net.exe'
 - 'net1.exe'
@@ -48,49 +48,55 @@ detection:
 - ' user '
 - ' use '
 - ' group '
- susp_ping_utility:
+ selection_susp_ping_utility:
 OriginalFileName: 'ping.exe'
 CommandLine|contains: ' -n '
- susp_change_dir:
+ selection_susp_change_dir:
 CommandLine|contains:
 - '&cd&echo' # china chopper web shell
 - 'cd /d ' # https://www.computerhope.com/cdhlp.htm
- susp_wmic_utility:
+ selection_susp_wmic_utility:
 OriginalFileName: 'wmic.exe'
 CommandLine|contains: ' /node:'
- susp_misc_discovery_binaries:
+ selection_susp_misc_discovery_binaries:
 - Image|endswith:
- - '\whoami.exe'
- - '\systeminfo.exe'
- - '\quser.exe'
+ - '\dsquery.exe'
+ - '\find.exe'
+ - '\findstr.exe'
 - '\ipconfig.exe'
- - '\pathping.exe'
- - '\tracert.exe'
 - '\netstat.exe'
+ - '\nslookup.exe'
+ - '\pathping.exe'
+ - '\quser.exe'
 - '\schtasks.exe'
- - '\vssadmin.exe'
- - '\wevtutil.exe'
+ - '\systeminfo.exe'
 - '\tasklist.exe'
+ - '\tracert.exe'
+ - '\ver.exe'
+ - '\wevtutil.exe'
+ - '\whoami.exe'
 - OriginalFileName:
- - 'whoami.exe'
- - 'sysinfo.exe'
- - 'quser.exe'
+ - 'dsquery.exe'
+ - 'find.exe'
+ - 'findstr.exe'
 - 'ipconfig.exe'
- - 'pathping.exe'
- - 'tracert.exe'
 - 'netstat.exe'
+ - 'nslookup.exe'
+ - 'pathping.exe'
+ - 'quser.exe'
 - 'schtasks.exe'
+ - 'sysinfo.exe'
+ - 'tasklist.exe'
+ - 'tracert.exe'
+ - 'ver.exe'
 - 'VSSADMIN.EXE'
 - 'wevtutil.exe'
- - 'tasklist.exe'
- susp_misc_discovery_commands:
+ - 'whoami.exe'
+ selection_susp_misc_discovery_commands:
 CommandLine|contains:
 - ' Test-NetConnection '
 - 'dir \' # remote dir: dir \\C$:\windows\temp\*.exe
- condition: 1 of selection* and 1 of susp*
-fields:
- - CommandLine
- - ParentCommandLine
+ condition: 1 of selection_webserver_* and 1 of selection_susp_*
 falsepositives:
 - Unknown
 level: high
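Review bot: `ver` is an internal command of cmd.exe rather than a standalone binary, so the new `'\ver.exe'` and `'ver.exe'` entries in `selection_susp_misc_discovery_binaries` cannot produce a process-creation event and should be dropped (if a `ver` invocation is wanted, it has to be matched on the `cmd.exe` command line instead). The hunk also keeps `'VSSADMIN.EXE'` in the `OriginalFileName` list while removing `'\vssadmin.exe'` from the `Image` list, so the two halves of the selection no longer describe the same set of binaries; either remove the `OriginalFileName` entry or restore `- '\vssadmin.exe'`. Adding `find.exe` and `findstr.exe` as bare discovery binaries is a notable widening — both can be spawned by legitimate web-application scripts — and with `1 of selection_susp_*` any such child of a web server now fires at `level: high`, which deserves a line in `falsepositives`.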
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml b/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml
similarity index 74%
rename from rules/windows/process_creation/proc_creation_win_webshell_spawn.yml
rename to rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml
index e7da4c834b2..d772f5324f8 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml
@@ -1,12 +1,13 @@
-title: Shells Spawned by Web Servers
+title: Suspicious Process By Web Server Process
 id: 8202070f-edeb-4d31-a010-a26c72ac5600
 status: test
-description: Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack
+description: |
+ Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
 references:
 - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
 author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
 date: 2019/01/16
-modified: 2022/09/19
+modified: 2023/11/09
 tags:
 - attack.persistence
 - attack.t1505.003
@@ -17,15 +18,15 @@ logsource:
 detection:
 selection_webserver_image:
 ParentImage|endswith:
- - '\w3wp.exe'
- - '\php.exe'
- - '\php-cgi.exe'
- - '\nginx.exe'
- - '\httpd.exe'
 - '\caddy.exe'
- - '\ws_TomcatService.exe'
+ - '\httpd.exe'
+ - '\nginx.exe'
+ - '\php-cgi.exe'
+ - '\php.exe'
 - '\tomcat.exe'
 - '\UMWorkerProcess.exe' # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
+ - '\w3wp.exe'
+ - '\ws_TomcatService.exe'
 selection_webserver_characteristics_tomcat1:
 ParentImage|endswith:
 - '\java.exe'
@@ -38,67 +39,49 @@ detection:
 - '\java.exe'
 - '\javaw.exe'
 ParentCommandLine|contains:
- - 'catalina.jar'
 - 'CATALINA_HOME'
 - 'catalina.home'
- anomaly_children:
+ - 'catalina.jar'
+ selection_anomaly_children:
 Image|endswith:
- - '\cmd.exe'
- - '\cscript.exe'
- - '\sh.exe'
- - '\bash.exe'
- - '\powershell.exe'
- - '\powershell_ise.exe'
- - '\pwsh.exe'
- - '\bitsadmin.exe'
 - '\arp.exe'
 - '\at.exe'
+ - '\bash.exe'
+ - '\bitsadmin.exe'
 - '\certutil.exe'
+ - '\cmd.exe'
+ - '\cscript.exe'
 - '\dsget.exe'
- - '\dsquery.exe'
- - '\find.exe'
- - '\findstr.exe'
- - '\fsutil.exe'
 - '\hostname.exe'
- - '\ipconfig.exe'
 - '\nbtstat.exe'
 - '\net.exe'
 - '\net1.exe'
 - '\netdom.exe'
 - '\netsh.exe'
- - '\netstat.exe'
 - '\nltest.exe'
- - '\nslookup.exe'
 - '\ntdutil.exe'
- - '\pathping.exe'
- - '\ping.exe'
+ - '\powershell_ise.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
 - '\qprocess.exe'
 - '\query.exe'
 - '\qwinsta.exe'
 - '\reg.exe'
 - '\rundll32.exe'
 - '\sc.exe'
- - '\schtasks.exe'
- - '\systeminfo.exe'
- - '\tasklist.exe'
- - '\tracert.exe'
- - '\ver.exe'
- - '\vssadmin.exe'
- - '\wevtutil.exe'
- - '\whoami.exe'
+ - '\sh.exe'
 - '\wmic.exe'
 - '\wscript.exe'
 - '\wusa.exe'
- false_positive1:
+ filter_main_fp_1:
+ ParentImage|endswith: '\java.exe'
 CommandLine|endswith: 'Windows\system32\cmd.exe /c C:\ManageEngine\ADManager "Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt'
- false_positive2:
+ filter_main_fp_2:
+ ParentImage|endswith: '\java.exe'
 CommandLine|contains|all:
 - 'sc query'
 - 'ADManager Plus'
- condition: 1 of selection* and anomaly_children and not 1 of false_positive*
-fields:
- - CommandLine
- - ParentCommandLine
+ condition: 1 of selection_webserver_* and selection_anomaly_children and not 1 of filter_main_**
 falsepositives:
 - Particular web applications may spawn a shell process legitimately
 level: high
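Review bot: The new condition ends in `not 1 of filter_main_**` — the double asterisk still matches under fnmatch but is a typo against the `filter_main_*` form used in the other rules of this change; fix to `condition: 1 of selection_webserver_* and selection_anomaly_children and not 1 of filter_main_*`. `filter_main_fp_2` stays weak even with the added `ParentImage` anchor: `CommandLine|contains|all` on `'sc query'` and `'ADManager Plus'` is satisfied by any attacker-chosen command line under a Java web server that includes both substrings, so it is a documented bypass, and anchoring on the full ADManager invocation as `filter_main_fp_1` does is the safer shape. Unrelated to the reorder, the retained `'\ntdutil.exe'` entry looks like a typo for `ntdsutil.exe` and would not match a real binary, and `'\fsutil.exe'` is removed here without an obvious new home in the companion recon rule in this diff — if that is intentional, a one-line comment would stop the next reviewer re-adding it. The selection that opens this hunk (`- '\java.exe'` under the Tomcat characteristics selection) starts before it.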
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml b/rules/windows/process_creation/proc_creation_win_webshell_tool_recon.yml
similarity index 73%
rename from rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml
rename to rules/windows/process_creation/proc_creation_win_webshell_tool_recon.yml
index 2367b9c7984..1358e328b79 100644
--- a/rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_tool_recon.yml
@@ -1,12 +1,13 @@
-title: Webshell Recon Detection Via CommandLine & Processes
+title: Webshell Tool Reconnaissance Activity
 id: f64e5c19-879c-4bae-b471-6d84c8339677
 status: test
-description: Detects processes spawned from web servers (php, tomcat, iis...etc) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
+description: |
+ Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
 references:
 - https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html
-author: Cian Heasley, Florian Roth
+author: Cian Heasley, Florian Roth (Nextron Systems)
 date: 2020/07/22
-modified: 2022/07/27
+modified: 2023/11/09
 tags:
 - attack.persistence
 - attack.t1505.003
@@ -16,11 +17,11 @@ logsource:
 detection:
 selection_webserver_image:
 ParentImage|endswith:
- - '\w3wp.exe'
- - '\php-cgi.exe'
- - '\nginx.exe'
- - '\httpd.exe'
 - '\caddy.exe'
+ - '\httpd.exe'
+ - '\nginx.exe'
+ - '\php-cgi.exe'
+ - '\w3wp.exe'
 - '\ws_tomcatservice.exe'
 selection_webserver_characteristics_tomcat1:
 ParentImage|endswith:
@@ -34,22 +35,18 @@ detection:
 - '\java.exe'
 - '\javaw.exe'
 CommandLine|contains:
- - 'catalina.jar'
 - 'CATALINA_HOME'
- recon:
+ - 'catalina.jar'
+ selection_recon:
 CommandLine|contains:
 - 'perl --help'
+ - 'perl -h'
 - 'python --help'
 - 'python -h'
 - 'python3 --help'
 - 'python3 -h'
 - 'wget --help'
- - 'perl -h'
- condition: 1 of selection* and recon
-fields:
- - Image
- - CommandLine
- - ParentCommandLine
+ condition: 1 of selection_webserver_* and selection_recon
 falsepositives:
 - Unknown
 level: high
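Review bot: `selection_recon` now pairs `--help` with `-h` for perl, python and python3 but only lists `'wget --help'`, so the short form `wget -h` (which wget accepts) is not matched; add `- 'wget -h'` for consistency. `'perl -h'` and `'python -h'` are substring matches and will also hit any argument beginning with `-h` (e.g. `perl -help`), which fits the intent but is worth a short comment such as `# Note: substring match, also covers -help` so nobody later tightens them to exact values. The selection that opens this hunk (`- '\java.exe'` under the Tomcat characteristics selection) starts before it.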