sigma · high · Hunting
Webshell Hacking Activity Patterns
Detects certain parent-child process patterns seen in cases where a web shell is used to perform credential dumping or exfiltration activities on a compromised system
Detection Query
# Rendered copy of the rule's `detection` section (the page stripped the
# original string quoting; the quoted form is in the Raw Content below).
# A match requires one selection_webserver_* group (parent is a web-server
# worker) AND one selection_child_* group (child image / command line).
selection_webserver_image:
    ParentImage|endswith:
        - \caddy.exe
        - \httpd.exe
        - \nginx.exe
        - \php-cgi.exe
        - \w3wp.exe
        - \ws_tomcatservice.exe
# Tomcat runs as java.exe/javaw.exe; tell it apart by a tomcat path component
# (tomcat1) or by catalina appearing on the command line (tomcat2).
selection_webserver_characteristics_tomcat1:
    ParentImage|endswith:
        - \java.exe
        - \javaw.exe
    ParentImage|contains:
        - -tomcat-
        - \tomcat
selection_webserver_characteristics_tomcat2:
    ParentImage|endswith:
        - \java.exe
        - \javaw.exe
    # NOTE(review): CommandLine is the child's command line, not the parent's;
    # if the Tomcat launcher arguments were meant, ParentCommandLine is the field — confirm.
    CommandLine|contains:
        - catalina.jar
        - CATALINA_HOME
# Process dumping via rundll32 + comsvcs
selection_child_1:
    CommandLine|contains|all:
        - rundll32
        - comsvcs
# Password-protected archive creation (rar "a -hp<pw> -m<level>")
selection_child_2:
    CommandLine|contains|all:
        - " -hp"
        - " a "
        - " -m"
# Local user creation
selection_child_3:
    CommandLine|contains|all:
        - net
        - " user "
        - " /add"
# Local Administrators group membership change
selection_child_4:
    CommandLine|contains|all:
        - net
        - " localgroup "
        - " administrators "
        - /add
# Credential access / AD recon / process dumping / shadow-copy tooling
selection_child_5:
    Image|endswith:
        - \ntdsutil.exe
        - \ldifde.exe
        - \adfind.exe
        - \procdump.exe
        - \Nanodump.exe
        - \vssadmin.exe
        - \fsutil.exe
# Assorted post-exploitation command-line fragments (any one matches)
selection_child_6:
    CommandLine|contains:
        - " -decode "
        - " -NoP "
        - " -W Hidden "
        - " /decode "
        - " /ticket:"
        - " sekurlsa"
        - .dmp full
        - .downloadfile(
        - .downloadstring(
        - FromBase64String
        - process call create
        - "reg save "
        - whoami /priv
# Both halves must match on the same process-creation event.
condition: 1 of selection_webserver_* and 1 of selection_child_*
Author
Florian Roth (Nextron Systems)
Created
2022-03-17
Data Sources
windows · Process Creation Events
Platforms
windows
References
Tags
attack.persistence, attack.discovery, attack.t1505.003, attack.t1018, attack.t1033, attack.t1087
Raw Content
# Sigma rule (Windows process_creation): flags a child process of a web-server
# worker (IIS, Apache, nginx, Caddy, PHP-CGI, Tomcat) whose image or command line
# matches tooling typical of post-webshell credential dumping, persistence or
# exfiltration. Both halves must match — see `condition` at the bottom.
title: Webshell Hacking Activity Patterns
id: 4ebc877f-4612-45cb-b3a5-8e3834db36c9
status: test
description: |
    Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
references:
    - https://youtu.be/7aemGhaE9ds?t=641
author: Florian Roth (Nextron Systems)
date: 2022-03-17
modified: 2023-11-09
tags:
    - attack.persistence
    - attack.discovery
    - attack.t1505.003
    - attack.t1018
    - attack.t1033
    - attack.t1087
logsource:
    category: process_creation
    product: windows
detection:
    # Webserver
    # Parent process is a web-server worker; any one of the three
    # selection_webserver_* groups satisfies the first half of the condition.
    selection_webserver_image:
        ParentImage|endswith:
            - '\caddy.exe'
            - '\httpd.exe'
            - '\nginx.exe'
            - '\php-cgi.exe'
            - '\w3wp.exe'
            - '\ws_tomcatservice.exe'
    # Tomcat runs as java.exe/javaw.exe; tell it apart by a tomcat path component
    # (tomcat1) or by catalina appearing on the command line (tomcat2).
    # Keys inside one selection are ANDed: java.exe AND a tomcat path component.
    selection_webserver_characteristics_tomcat1:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentImage|contains:
            - '-tomcat-'
            - '\tomcat'
    selection_webserver_characteristics_tomcat2:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        # NOTE(review): CommandLine is the child's command line, not the parent's;
        # if the Tomcat launcher arguments were meant, ParentCommandLine is the field — confirm.
        CommandLine|contains:
            - 'catalina.jar'
            - 'CATALINA_HOME'
    # Suspicious child processes
    selection_child_1:
        # Process dumping (rundll32 loading comsvcs)
        CommandLine|contains|all:
            - 'rundll32'
            - 'comsvcs'
    selection_child_2:
        # Winrar exfil: password-protected archive creation (rar "a -hp<pw> -m<level>")
        CommandLine|contains|all:
            - ' -hp'
            - ' a '
            - ' -m'
    selection_child_3:
        # User add
        # NOTE(review): 'net' is a substring match, so net1.exe and any path
        # containing "net" also satisfy this token — verify the false-positive rate.
        CommandLine|contains|all:
            - 'net'
            - ' user '
            - ' /add'
    selection_child_4:
        # Local Administrators group membership change
        CommandLine|contains|all:
            - 'net'
            - ' localgroup '
            - ' administrators '
            - '/add'
    selection_child_5:
        Image|endswith:
            # Credential stealing
            - '\ntdsutil.exe'
            # AD recon
            - '\ldifde.exe'
            - '\adfind.exe'
            # Process dumping
            - '\procdump.exe'
            - '\Nanodump.exe'
            # Destruction / ransom groups
            - '\vssadmin.exe'
            - '\fsutil.exe'
    selection_child_6:
        # Suspicious patterns (any single fragment matches)
        CommandLine|contains:
            - ' -decode ' # Used with certutil
            - ' -NoP ' # Often used in malicious PowerShell commands
            - ' -W Hidden ' # Often used in malicious PowerShell commands
            - ' /decode ' # Used with certutil
            - ' /ticket:' # Rubeus
            - ' sekurlsa' # Mimikatz
            - '.dmp full' # Process dumping method apart from procdump
            - '.downloadfile(' # PowerShell download command
            - '.downloadstring(' # PowerShell download command
            - 'FromBase64String' # PowerShell encoded payload
            - 'process call create' # WMIC process creation
            - 'reg save ' # save registry SAM - syskey extraction
            - 'whoami /priv' # Privilege enumeration
    # Fires when any webserver selection AND any child selection match the same event.
    condition: 1 of selection_webserver_* and 1 of selection_child_*
falsepositives:
    - Unlikely
level: high