EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Potential Webshell Creation On Static Website

Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.

MITRE ATT&CK

T1505.003
persistence

Detection Query

selection_wwwroot_path:
  TargetFilename|contains: \inetpub\wwwroot\
selection_wwwroot_ext:
  TargetFilename|contains:
    - .ashx
    - .asp
    - .ph
    - .soap
selection_htdocs_path:
  TargetFilename|contains:
    - \www\
    - \htdocs\
    - \html\
selection_htdocs_ext:
  TargetFilename|contains: .ph
filter_main_temp:
  TargetFilename|contains:
    - \AppData\Local\Temp\
    - \Windows\Temp\
filter_main_system:
  Image: System
filter_main_legitimate:
  TargetFilename|contains: \xampp
condition: (all of selection_wwwroot_* or all of selection_htdocs_*) and not 1
  of filter_main_*

Author

Beyu Denis, oscd.community, Tim Shelton, Thurein Oo

Created

2019-10-22

Data Sources

windowsFile Events

Platforms

windows

References

Tags

attack.persistenceattack.t1505.003
Raw Content
title: Potential Webshell Creation On Static Website
id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
status: test
description: Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
references:
    - PT ESC rule and personal experience
    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md
author: Beyu Denis, oscd.community, Tim Shelton, Thurein Oo
date: 2019-10-22
modified: 2023-10-15
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    category: file_event
detection:
    selection_wwwroot_path:
        TargetFilename|contains: '\inetpub\wwwroot\'
    selection_wwwroot_ext:
        TargetFilename|contains:
            - '.ashx'
            - '.asp'
            - '.ph'
            - '.soap'
    selection_htdocs_path:
        TargetFilename|contains:
            - '\www\'
            - '\htdocs\'
            - '\html\'
    selection_htdocs_ext:
        TargetFilename|contains: '.ph'
    # selection_tomcat_path:
    #     TargetFilename|contains: '\webapps\ROOT'
    # selection_tomcat_ext:
    #     TargetFilename|contains:
    #         - '.jsp' # .jspx, .jspf
    #         - '.jsv'
    #         - '.jsw'
    filter_main_temp:  # FP when unpacking some executables in $TEMP
        TargetFilename|contains:
            - '\AppData\Local\Temp\'
            - '\Windows\Temp\'
    filter_main_system:
        Image: 'System' # FP when backup/restore from drivers
    filter_main_legitimate:
        TargetFilename|contains: '\xampp'
    condition: (all of selection_wwwroot_* or all of selection_htdocs_*) and not 1 of filter_main_*
falsepositives:
    - Legitimate administrator or developer creating legitimate executable files in a web application folder
level: medium