Sigma rule | Level: high | Hunting

Windows Webshell Strings

Detects common commands used in Windows webshells

MITRE ATT&CK

persistence

Detection Query

selection_method:
  cs-method: GET
selection_keywords:
  - =whoami
  - =net%20user
  - =net+user
  - =net%2Buser
  - =cmd%20/c%
  - =cmd+/c+
  - =cmd%2B/c%
  - =cmd%20/r%
  - =cmd+/r+
  - =cmd%2B/r%
  - =cmd%20/k%
  - =cmd+/k+
  - =cmd%2B/k%
  - =powershell%
  - =powershell+
  - =tasklist%
  - =tasklist+
  - =wmic%
  - =wmic+
  - =ssh%
  - =ssh+
  - =python%
  - =python+
  - =python3%
  - =python3+
  - =ipconfig
  - =wget%
  - =wget+
  - =curl%
  - =curl+
  - =certutil
  - =copy%20%5C%5C
  - =dsquery%
  - =dsquery+
  - =nltest%
  - =nltest+
condition: all of selection_*

Author

Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)

Created

2017-02-19

Data Sources

webserver

Tags

attack.persistence
attack.t1505.003

Raw Content

title: Windows Webshell Strings
id: 7ff9db12-1b94-4a79-ba68-a2402c5d6729
status: test
description: Detects common commands used in Windows webshells
references:
    - https://bad-jubies.github.io/RCE-NOW-WHAT/
    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017-02-19
modified: 2022-11-18
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: webserver
detection:
    selection_method:
        cs-method: 'GET'
    selection_keywords:
        # The "%20" is URL encoded version of the space
        # The "%2B" is URL encoded version of the "+"
        - '=whoami'
        - '=net%20user'
        - '=net+user'
        - '=net%2Buser'
        - '=cmd%20/c%'
        - '=cmd+/c+'
        - '=cmd%2B/c%'
        - '=cmd%20/r%'
        - '=cmd+/r+'
        - '=cmd%2B/r%'
        - '=cmd%20/k%'
        - '=cmd+/k+'
        - '=cmd%2B/k%'
        - '=powershell%'
        - '=powershell+'
        - '=tasklist%'
        - '=tasklist+'
        - '=wmic%'
        - '=wmic+'
        - '=ssh%'
        - '=ssh+'
        - '=python%'
        - '=python+'
        - '=python3%'
        - '=python3+'
        - '=ipconfig'
        - '=wget%'
        - '=wget+'
        - '=curl%'
        - '=curl+'
        - '=certutil'
        - '=copy%20%5C%5C'
        - '=dsquery%'
        - '=dsquery+'
        - '=nltest%'
        - '=nltest+'
    condition: all of selection_*
falsepositives:
    - Web sites like wikis with articles on os commands and pages that include the os commands in the URLs
    - User searches in search boxes of the respective website
level: high
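The rule's matching logic run over a few constructed IIS-style log lines, as an added example that is not part of the rule or of Sigma's own tooling: a minimal Python evaluator that assumes a fixed W3C field order (a hypothetical `FIELDS` list; real logs declare theirs in a `#Fields:` header) and shows both the GET-only scope of the rule and the wiki-search false positive its authors document.

```python
# Keywords copied from the rule's selection_keywords list.
WEBSHELL_KEYWORDS = [
    "=whoami", "=net%20user", "=net+user", "=net%2Buser",
    "=cmd%20/c%", "=cmd+/c+", "=cmd%2B/c%", "=cmd%20/r%", "=cmd+/r+",
    "=cmd%2B/r%", "=cmd%20/k%", "=cmd+/k+", "=cmd%2B/k%",
    "=powershell%", "=powershell+", "=tasklist%", "=tasklist+",
    "=wmic%", "=wmic+", "=ssh%", "=ssh+", "=python%", "=python+",
    "=python3%", "=python3+", "=ipconfig", "=wget%", "=wget+",
    "=curl%", "=curl+", "=certutil", "=copy%20%5C%5C",
    "=dsquery%", "=dsquery+", "=nltest%", "=nltest+",
]
# Assumed field order for the constructed sample below; real IIS W3C logs
# declare theirs in a '#Fields:' header line.
FIELDS = ["date", "time", "cs-method", "cs-uri-stem", "cs-uri-query", "c-ip", "sc-status"]

def parse_w3c_line(line):
    """Split one space-delimited W3C log line into a field -> value dict."""
    return dict(zip(FIELDS, line.split()))

def rule_matches(event):
    """'all of selection_*': a GET (Sigma compares case-insensitively) AND any
    keyword anywhere in the event; returns the keyword or None. '%' is literal,
    Sigma's wildcards are only '*' and '?', so '=cmd%20/c%' is a prefix test."""
    if event.get("cs-method", "").upper() != "GET":
        return None
    haystack = " ".join(event.values()).lower()
    return next((kw for kw in WEBSHELL_KEYWORDS if kw.lower() in haystack), None)

# Constructed sample traffic: two webshell-style GETs, the same command over
# POST (outside this rule's scope), a wiki search (documented false positive), a benign hit.
SAMPLE_LOG = """\
2024-01-15 10:02:11 GET /app/page.aspx cmd=whoami 203.0.113.5 200
2024-01-15 10:02:12 GET /app/page.aspx c=cmd%20/c%20dir 203.0.113.5 200
2024-01-15 10:03:00 POST /app/page.aspx cmd=whoami 203.0.113.5 200
2024-01-15 10:05:42 GET /wiki/index.php search=net+user+command 198.51.100.7 200
2024-01-15 10:06:00 GET /index.html - 198.51.100.8 200
"""

def hunt(log_text):
    """Return (line number, matched keyword) for every hit in the log."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        kw = rule_matches(parse_w3c_line(line))
        if kw:
            hits.append((n, kw))
    return hits

if __name__ == "__main__":
    for n, kw in hunt(SAMPLE_LOG):
        print(f"line {n}: hit on {kw!r}")
```

The POST line never reaches the keyword check, so a `cs-method: GET` rule alone leaves command strings in POST bodies or POST query strings uncovered; that is the rule's stated scope, not a defect of the evaluator.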