Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Webshell Hacking Activity Patterns

Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems)Created Thu Mar 17Updated Thu Nov 094ebc877f-4612-45cb-b3a5-8e3834db36c9windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic9 selectors
detection:
   # Webserver
    selection_webserver_image:
        ParentImage|endswith:
            - '\caddy.exe'
            - '\httpd.exe'
            - '\nginx.exe'
            - '\php-cgi.exe'
            - '\w3wp.exe'
            - '\ws_tomcatservice.exe'
    selection_webserver_characteristics_tomcat1:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentImage|contains:
            - '-tomcat-'
            - '\tomcat'
    selection_webserver_characteristics_tomcat2:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        CommandLine|contains:
            - 'catalina.jar'
            - 'CATALINA_HOME'
    # Suspicious child processes
    selection_child_1:
        # Process dumping
        CommandLine|contains|all:
            - 'rundll32'
            - 'comsvcs'
    selection_child_2:
        # Winrar exfil
        CommandLine|contains|all:
            - ' -hp'
            - ' a '
            - ' -m'
    selection_child_3:
        # User add
        CommandLine|contains|all:
            - 'net'
            - ' user '
            - ' /add'
    selection_child_4:
        CommandLine|contains|all:
            - 'net'
            - ' localgroup '
            - ' administrators '
            - '/add'
    selection_child_5:
        Image|endswith:
            # Credential stealing
            - '\ntdsutil.exe'
            # AD recon
            - '\ldifde.exe'
            - '\adfind.exe'
            # Process dumping
            - '\procdump.exe'
            - '\Nanodump.exe'
            # Destruction / ransom groups
            - '\vssadmin.exe'
            - '\fsutil.exe'
    selection_child_6:
        # SUspicious patterns
        CommandLine|contains:
            - ' -decode '  # Used with certutil
            - ' -NoP '  # Often used in malicious PowerShell commands
            - ' -W Hidden '  # Often used in malicious PowerShell commands
            - ' /decode '  # Used with certutil
            - ' /ticket:'  # Rubeus
            - ' sekurlsa'  # Mimikatz
            - '.dmp full'  # Process dumping method apart from procdump
            - '.downloadfile('  # PowerShell download command
            - '.downloadstring('  # PowerShell download command
            - 'FromBase64String' # PowerShell encoded payload
            - 'process call create' # WMIC process creation
            - 'reg save '  # save registry SAM - syskey extraction
            - 'whoami /priv'
    condition: 1 of selection_webserver_* and 1 of selection_child_*
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

References
1
Resolving title…
youtu.be
MITRE ATT&CK
Rule Metadata
Rule ID
4ebc877f-4612-45cb-b3a5-8e3834db36c9
Status
test
Level
high
Type
Detection
Created
Thu Mar 17
Modified
Thu Nov 09
Author
Florian Roth (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_webshell_hacking.yml
Raw Tags
attack.persistenceattack.discoveryattack.t1505.003attack.t1018attack.t1033attack.t1087
View on GitHub