Find sigma rule
Attack: Server Software Component: Web Shell
Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW)
In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. China Chopper Web shell client).(Citation: Lee 2013)
MITRE
Tactic
- persistence
technique
- T1505.003
Test : Web Shell Written to Disk
OS
- windows
Description:
This test simulates an adversary leveraging Web Shells by simulating the file modification to disk. Idea from APTSimulator. cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx
Executor
command_prompt
Sigma Rule
- file_event_win_webshell_creation_detect.yml (id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9)