Threat Huntmediumtest

Execution From Webserver Root Folder

Detects a program executing from a web server root folder. Use this rule to hunt for potential interesting activity such as webshell or backdoors

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems)Created Wed Jan 16Updated Thu Jan 1835efb964-e6a5-47ad-bbcd-19661854018dwindows

Hunting Hypothesis

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Image|contains:
            - '\wwwroot\'
            - '\wmpub\'
            - '\htdocs\'
    filter_main_generic:
        Image|contains:
            - 'bin\'
            - '\Tools\'
            - '\SMSComponent\'
        ParentImage|endswith: '\services.exe'
    condition: selection and not 1 of filter_main_*

False Positives

Various applications

Tools that include ping or nslookup command invocations

References

Resolving title…

Internal Research

MITRE ATT&CK

Tactics

TA0003 · Persistence

Sub-techniques

T1505.003 · Web Shell

Other

detection.threat-hunting

Rule Metadata

Rule ID

35efb964-e6a5-47ad-bbcd-19661854018d

Status

test

Level

medium

Type

Threat Hunt

Created

Wed Jan 16

Modified

Thu Jan 18

Author

Florian Roth (Nextron Systems)

Path

rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml

Raw Tags

attack.persistenceattack.t1505.003detection.threat-hunting

View on GitHub