Potential Webshell Creation On Static Website
Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
Author: Beyu Denis, oscd.community, Tim Shelton, Thurein Oo
Created: Tue Oct 22
Updated: Sun Oct 15
Rule ID: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
Product: windows
Log Source
Product: windows
Category: file_event
Events for file system activity including creation, modification, and deletion (on Windows this is typically Sysmon Event ID 11, FileCreate).
Detection Logic (7 selectors)
detection:
    selection_wwwroot_path:
        TargetFilename|contains: '\inetpub\wwwroot\'
    selection_wwwroot_ext:
        TargetFilename|contains:
            - '.ashx'
            - '.asp'
            - '.ph'
            - '.soap'
    selection_htdocs_path:
        TargetFilename|contains:
            - '\www\'
            - '\htdocs\'
            - '\html\'
    selection_htdocs_ext:
        TargetFilename|contains: '.ph'
    # selection_tomcat_path:
    #     TargetFilename|contains: '\webapps\ROOT'
    # selection_tomcat_ext:
    #     TargetFilename|contains:
    #         - '.jsp' # .jspx, .jspf
    #         - '.jsv'
    #         - '.jsw'
    filter_main_temp: # FP when unpacking some executables in $TEMP
        TargetFilename|contains:
            - '\AppData\Local\Temp\'
            - '\Windows\Temp\'
    filter_main_system:
        Image: 'System' # FP when backup/restore from drivers
    filter_main_legitimate:
        TargetFilename|contains: '\xampp'
    condition: (all of selection_wwwroot_* or all of selection_htdocs_*) and not 1 of filter_main_*
False Positives
Legitimate administrator or developer creating legitimate executable files in a web application folder
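To see exactly what the condition above does and does not fire on, the following is an added example (not part of the Sigma rule or the SigmaHQ project) that re-implements the detection block in Python and runs it over a handful of constructed Sysmon-style file-creation events. It assumes Sigma's default semantics: `|contains` is a case-insensitive substring test, and a bare field match such as `Image: 'System'` is a case-insensitive equality test. The event records, paths and id numbers are constructed for illustration.

```python
"""Run the 'Potential Webshell Creation On Static Website' logic over sample events."""
from typing import Dict, Iterable, List

# String lists copied from the rule's detection block.
WWWROOT_PATH = ["\\inetpub\\wwwroot\\"]
WWWROOT_EXT = [".ashx", ".asp", ".ph", ".soap"]
HTDOCS_PATH = ["\\www\\", "\\htdocs\\", "\\html\\"]
HTDOCS_EXT = [".ph"]
FILTER_TEMP = ["\\AppData\\Local\\Temp\\", "\\Windows\\Temp\\"]
FILTER_SYSTEM_IMAGE = "System"          # exact (case-insensitive) match on Image
FILTER_LEGITIMATE = ["\\xampp"]


def _contains_any(value: str, needles: Iterable[str]) -> bool:
    """Sigma `contains`: case-insensitive substring match against any listed value."""
    lowered = value.lower()
    return any(needle.lower() in lowered for needle in needles)


def matches(event: Dict[str, str]) -> bool:
    """Evaluate: (all of selection_wwwroot_* or all of selection_htdocs_*)
    and not 1 of filter_main_*"""
    target = event.get("TargetFilename", "")
    image = event.get("Image", "")

    wwwroot = _contains_any(target, WWWROOT_PATH) and _contains_any(target, WWWROOT_EXT)
    htdocs = _contains_any(target, HTDOCS_PATH) and _contains_any(target, HTDOCS_EXT)

    filtered = (
        _contains_any(target, FILTER_TEMP)
        or image.lower() == FILTER_SYSTEM_IMAGE.lower()
        or _contains_any(target, FILTER_LEGITIMATE)
    )
    return (wwwroot or htdocs) and not filtered


# Constructed sample events (Sysmon Event ID 11 fields only; not real telemetry).
EVENTS: List[Dict[str, str]] = [
    # 1: IIS worker writes an .aspx under wwwroot -> classic upload, should alert
    {"id": "1", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\uploads\cmd.aspx"},
    # 2: PHP file under XAMPP htdocs -> suppressed by filter_main_legitimate
    {"id": "2", "Image": r"C:\xampp\apache\bin\httpd.exe",
     "TargetFilename": r"C:\xampp\htdocs\shell.php"},
    # 3: installer unpacking a 'www' tree in %TEMP% -> suppressed by filter_main_temp
    {"id": "3", "Image": r"C:\Users\bob\Downloads\setup.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\www\index.php"},
    # 4: plain HTML under wwwroot -> no extension selector matches
    {"id": "4", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\index.html"},
    # 5: kernel-originated write (Image == System) -> suppressed by filter_main_system
    {"id": "5", "Image": "System",
     "TargetFilename": r"C:\inetpub\wwwroot\legacy\default.asp"},
    # 6: upper-case .PHTML under an Apache htdocs -> '.ph' prefix matches, should alert
    {"id": "6", "Image": r"C:\Apache24\bin\httpd.exe",
     "TargetFilename": r"C:\Apache24\htdocs\app\Upload.PHTML"},
    # 7: '.photo' also contains '.ph' -> fires, illustrating the prefix-match FP
    {"id": "7", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\gallery\sunset.photo"},
]


def alert_ids(events: Iterable[Dict[str, str]] = EVENTS) -> List[str]:
    """Return the ids of events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    for ev in EVENTS:
        print(f"event {ev['id']}: {'ALERT' if matches(ev) else 'ok':5}  {ev['TargetFilename']}")
    print("alerting ids:", alert_ids())
```

Events 1, 6 and 7 alert; 2, 3 and 5 are caught by the three `filter_main_*` selectors and 4 never satisfies an extension selector. Event 7 is worth noting when tuning: `'.ph'` is a deliberate prefix that covers `.php`, `.phtml`, `.phar` and friends, but because `contains` has no anchor it also matches any name containing that substring, so a site that stores files such as `.photo` under wwwroot will produce benign hits that the rule's filters do not remove.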
References
1. PT ESC rule and personal experience
2. github.com (link title not resolved on the page)
MITRE ATT&CK
Tactics: Persistence (attack.persistence)
Sub-techniques: T1505.003 Server Software Component: Web Shell (attack.t1505.003)
Rule Metadata
Rule ID: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
Status: test
Level: medium
Type: Detection
Created: Tue Oct 22
Modified: Sun Oct 15
Author: Beyu Denis, oscd.community, Tim Shelton, Thurein Oo
Path: rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml
Raw Tags: attack.persistence, attack.t1505.003