Find sigma rule

Attack: Server Software Component: Web Shell

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW)

In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. China Chopper Web shell client).(Citation: Lee 2013)

MITRE

Tactic

persistence

technique

T1505.003

Test : Web Shell Written to Disk

OS

windows

Description:

This test simulates an adversary leveraging Web Shells by simulating the file modification to disk. Idea from APTSimulator. cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx

Executor

command_prompt

Sigma Rule

file_event_win_webshell_creation_detect.yml (id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test