
Webshell ReGeorg Detection Via Web Logs

Certain strings in the URI query field, when combined with a null referer and a null user agent on a POST request, can indicate activity associated with the ReGeorg webshell.

Author: Cian Heasley
Created Tue Aug 04, updated Mon Jan 02
Rule ID: 2ea44a60-cfda-11ea-87d0-0242ac130003
Tag: web
Log Source
Web Server Log
Category: Web Server Log (raw: webserver)

HTTP access logs from web servers capturing request paths, methods, and status codes.

Detection Logic
detection:
    selection:
        cs-uri-query|contains:
            - 'cmd=read'
            - 'connect&target'
            - 'cmd=connect'
            - 'cmd=disconnect'
            - 'cmd=forward'
    filter:
        cs-referer: null
        cs-user-agent: null
        cs-method: POST
    condition: selection and filter
False Positives

Web applications that use the same URL parameters as ReGeorg
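The detection logic and the false-positive note above can be exercised offline against access log lines. The following is an added example, not code from the Sigma rule or from the page it is hosted on: it parses IIS-style W3C extended log lines (assumed field names `cs(User-Agent)` and `cs(Referer)`, with `-` standing for an empty field, which is what Sigma `null` matches after field mapping), applies the `selection` and `filter` blocks exactly as written in the rule, and runs them over a constructed sample log. The fourth sample line is a legitimate application reusing the `cmd=connect&target` parameters; it is excluded only because it carries a referer and a user agent, which is the false-positive boundary the rule relies on.

```python
"""Added example: apply the ReGeorg Sigma logic to IIS/W3C access log lines."""

# Substrings the Sigma 'selection' looks for in cs-uri-query.
# Sigma 'contains' is case-insensitive by default, so matching is done on lowercase.
REGEORG_QUERY_MARKERS = (
    "cmd=read",
    "connect&target",
    "cmd=connect",
    "cmd=disconnect",
    "cmd=forward",
)

# Assumed mapping from W3C field names to the Sigma webserver field names the rule uses.
SIGMA_FIELD_MAP = {
    "cs(User-Agent)": "cs-user-agent",
    "cs(Referer)": "cs-referer",
}

# Constructed sample log (not real traffic). In W3C logs an empty field is
# written as "-", which becomes Sigma 'null' after parsing.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent) cs(Referer)
2024-05-01 10:00:01 203.0.113.5 POST /tunnel.aspx cmd=connect&target=10.0.0.8&port=80 200 - -
2024-05-01 10:00:02 203.0.113.5 POST /tunnel.aspx cmd=forward 200 - -
2024-05-01 10:00:03 198.51.100.9 GET /tunnel.aspx cmd=read 200 - -
2024-05-01 10:00:04 198.51.100.9 POST /api/devices cmd=connect&target=printer 200 Mozilla/5.0 https://intranet.example/devices
2024-05-01 10:00:05 192.0.2.7 POST /login id=42 302 - -
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by Sigma field names; '-' becomes None."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(None, 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield {
            SIGMA_FIELD_MAP.get(name, name): (None if value == "-" else value)
            for name, value in zip(fields, values)
        }


def matches_regeorg_rule(record):
    """Sigma: selection (marker in query) AND filter (no referer, no UA, POST)."""
    query = (record.get("cs-uri-query") or "").lower()
    selection = any(marker in query for marker in REGEORG_QUERY_MARKERS)
    filt = (
        record.get("cs-referer") is None
        and record.get("cs-user-agent") is None
        and record.get("cs-method") == "POST"
    )
    return selection and filt


def find_regeorg_hits(text):
    """Return the parsed records that the rule fires on."""
    return [record for record in parse_w3c(text) if matches_regeorg_rule(record)]


if __name__ == "__main__":
    for hit in find_regeorg_hits(SAMPLE_LOG):
        print(hit["c-ip"], hit["cs-uri-stem"], hit["cs-uri-query"])
```

Run as a script it prints the two `/tunnel.aspx` POSTs and nothing else. The GET with `cmd=read` is dropped by `cs-method: POST`, and the intranet request is dropped by the null referer and user-agent conditions, so when tuning this rule for an environment the first thing to check is which internal applications legitimately send these parameters and whether their clients always populate those headers.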

MITRE ATT&CK
Persistence (TA0003): Server Software Component: Web Shell (T1505.003)
Rule Metadata
Rule ID
2ea44a60-cfda-11ea-87d0-0242ac130003
Status
test
Level
high
Type
Detection
Created
Tue Aug 04
Modified
Mon Jan 02
Path
rules/web/webserver_generic/web_webshell_regeorg.yml
Raw Tags
attack.persistence, attack.t1505.003