Adversaries may create files with web shell extensions (.aspx, .php and similar) in a web server's document root to establish persistent access and execute arbitrary code (MITRE ATT&CK T1505.003). The rule title's "static website" refers to a document root that should contain no server-side scripts, so any newly created script file there is suspicious. SOC teams should proactively hunt for this behaviour in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain web shell deployments early. The rule below is scoped to Windows file-creation telemetry (Sigma logsource windows/file_event, i.e. Sysmon Event ID 11 or an equivalent source); Linux web roots such as /var/www/html are not covered by it.
Detection Rule
title: Potential Webshell Creation On Static Website
id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
status: test
description: Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
references:
    - PT ESC rule and personal experience
    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md
author: Beyu Denis, oscd.community, Tim Shelton, Thurein Oo
date: 2019-10-22
modified: 2023-10-15
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    category: file_event
detection:
    selection_wwwroot_path:
        TargetFilename|contains: '\inetpub\wwwroot\'
    selection_wwwroot_ext:
        TargetFilename|contains:
            - '.ashx'
            - '.asp'    # substring match: also covers .aspx
            - '.ph'     # substring match: also covers .php, .phtml, .phar and names such as index.php.bak
            - '.soap'
    selection_htdocs_path:
        TargetFilename|contains:
            - '\www\'
            - '\htdocs\'
            - '\html\'
    selection_htdocs_ext:
        TargetFilename|contains: '.ph'
    # selection_tomcat_path:
    #     TargetFilename|contains: '\webapps\ROOT'
    # selection_tomcat_ext:
    #     TargetFilename|contains:
    #         - '.jsp' # .jspx, .jspf
    #         - '.jsv'
    #         - '.jsw'
    filter_main_temp: # FP when unpacking some executables in $TEMP
        TargetFilename|contains:
            - '\AppData\Local\Temp\'
            - '\Windows\Temp\'
    filter_main_system:
        Image: 'System' # FP when backup/restore from drivers
    filter_main_legitimate:
        TargetFilename|contains: '\xampp'   # suppresses every path under an XAMPP install, including its htdocs
    condition: (all of selection_wwwroot_* or all of selection_htdocs_*) and not 1 of filter_main_*
falsepositives:
    - Legitimate administrator or developer creating legitimate executable files in a web application folder
level: medium
// Microsoft Sentinel (ASIM imFileEvent) translation of the rule above.
// In the ASIM FileEvent schema TargetFilePath is the full path and TargetFileName is the
// bare file name, so the directory substrings must be matched against TargetFilePath.
// The rule's Image: 'System' filter is the acting process, i.e. ActingProcessName.
imFileEvent
| where (
        (TargetFilePath contains "\\inetpub\\wwwroot\\"
         and (TargetFilePath contains ".ashx" or TargetFilePath contains ".asp"
              or TargetFilePath contains ".ph" or TargetFilePath contains ".soap"))
     or ((TargetFilePath contains "\\www\\" or TargetFilePath contains "\\htdocs\\" or TargetFilePath contains "\\html\\")
         and TargetFilePath contains ".ph")
    )
    and not (
        TargetFilePath contains "\\AppData\\Local\\Temp\\"
        or TargetFilePath contains "\\Windows\\Temp\\"
        or ActingProcessName =~ "System"
        or TargetFilePath contains "\\xampp"
    )
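To see exactly which events the condition `(all of selection_wwwroot_* or all of selection_htdocs_*) and not 1 of filter_main_*` accepts, here is an added example (not code from the Sigma project, the rule authors or the Sentinel query) that re-implements the rule's selections and filters in plain Python and runs them over constructed Sysmon Event ID 11 style records. Field names follow the rule (Image, TargetFilename); every path is invented, and the `is_msdeploy` tuning filter is a hypothetical extra exclusion of the kind a false-positive review adds, not part of the rule.

```python
# Added example, not part of the Sigma rule or the Sentinel query above:
# a plain-Python re-implementation of the rule's selections, filters and
# condition, run over constructed Sysmon Event ID 11 (FileCreate) records.
# Field names follow the rule (Image, TargetFilename); every path below is
# invented for illustration.

WWWROOT_PATH = ["\\inetpub\\wwwroot\\"]
WWWROOT_EXT = [".ashx", ".asp", ".ph", ".soap"]
HTDOCS_PATH = ["\\www\\", "\\htdocs\\", "\\html\\"]
HTDOCS_EXT = [".ph"]
FILTER_TEMP = ["\\AppData\\Local\\Temp\\", "\\Windows\\Temp\\"]
FILTER_LEGITIMATE = ["\\xampp"]


def _contains_any(value: str, needles) -> bool:
    """Sigma |contains: case-insensitive substring match against any needle."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def matches(event: dict, extra_filters=()) -> bool:
    """Evaluate the rule condition for one file-creation event.

    extra_filters are callables(event) -> bool that behave like additional
    filter_main_* selections (a hypothetical tuning hook, not in the rule).
    """
    target = event.get("TargetFilename", "")
    image = event.get("Image", "")

    # all of selection_wwwroot_*  /  all of selection_htdocs_*
    wwwroot = _contains_any(target, WWWROOT_PATH) and _contains_any(target, WWWROOT_EXT)
    htdocs = _contains_any(target, HTDOCS_PATH) and _contains_any(target, HTDOCS_EXT)
    if not (wwwroot or htdocs):
        return False

    # not 1 of filter_main_*  (any single filter hit suppresses the alert)
    if _contains_any(target, FILTER_TEMP):
        return False
    if image.lower() == "system":  # Image: 'System' is an exact, case-insensitive match
        return False
    if _contains_any(target, FILTER_LEGITIMATE):
        return False
    return not any(f(event) for f in extra_filters)


def rule_hits(events, extra_filters=()):
    """Return the TargetFilename of every event that fires the rule, in order."""
    return [e["TargetFilename"] for e in events if matches(e, extra_filters)]


def is_msdeploy(event: dict) -> bool:
    """Hypothetical tuning filter: suppress writes made by a Web Deploy agent."""
    return event.get("Image", "").lower().endswith("\\msdeploy.exe")


# Constructed sample events (Sysmon EID 11 style); none are real telemetry.
EVENTS = [
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\uploads\cmd.aspx"},        # fires: .aspx contains .asp
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\images\logo.png"},         # no extension match
    {"Image": r"C:\xampp\apache\bin\httpd.exe",
     "TargetFilename": r"C:\xampp\htdocs\shell.php"},                  # suppressed by the \xampp filter
    {"Image": r"C:\Program Files\Apache24\bin\httpd.exe",
     "TargetFilename": r"C:\Apache24\htdocs\img\x.phtml"},             # fires: .phtml contains .ph
    {"Image": "System",
     "TargetFilename": r"C:\inetpub\wwwroot\web.asp"},                 # suppressed by Image: System
    {"Image": r"C:\Windows\Temp\setup.exe",
     "TargetFilename": r"C:\Windows\Temp\www\index.php"},              # suppressed by the temp filter
    {"Image": r"C:\Program Files\BackupAgent\backup.exe",
     "TargetFilename": r"C:\Apache24\htdocs\index.php.bak"},           # fires: .php.bak contains .ph
    {"Image": r"C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\default.aspx"},            # fires unless is_msdeploy is added
]

if __name__ == "__main__":
    for hit in rule_hits(EVENTS):
        print("ALERT", hit)
    print("after tuning:", rule_hits(EVENTS, [is_msdeploy]))
```

The sample set is chosen to show the two properties a tuning pass needs to keep in mind: the extension match is a substring match, so `.php.bak` and `.phtml` fire just like `.php`, and the `\xampp` filter silences an entire install rather than a single noisy process. Extra exclusions should therefore be pinned to a process path (as `is_msdeploy` is) rather than to a suffix or a whole web root.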
Scenario: Scheduled Backup Job Creates Copies of Web Files
Description: A backup or archiving agent that writes copies or renamed versions of files inside the web root (for example index.php.bak or default.aspx.tmp) fires the rule, because the extension match is a substring match: '.ph' also matches .php.bak and '.asp' also matches .aspx.tmp. Backups written to the Windows temp folders are already suppressed by filter_main_temp.
Filter/Exclusion: Add a filter_main_* selection on Image for the backup agent's executable path (for example a Veeam or Acronis agent binary), or on a dedicated backup output directory. Do not exclude on the trailing suffix alone (.bak, .tmp): the PayloadsAllTheThings reference above documents double-extension names that handlers matching on any extension in the file name (for example Apache AddHandler) still execute.
Scenario: Admin Uploads Content via FTP
Description: A file uploaded through an FTP service running on the web server is written by the service process (for example the IIS FTP service or a third-party FTP daemon), not by the remote client, so the event's Image is the server process and the client in use (FileZilla, WinSCP) is not visible in the file event. An administrator's legitimate script upload looks the same as an attacker's. Static assets such as images, CSS and JavaScript do not match the rule's extension list.
Filter/Exclusion: Do not exclude the FTP service process or privileged accounts wholesale; that is exactly the write path an attacker with stolen FTP credentials would use. Correlate the alert with the FTP server's own log (authenticated user, source address) and suppress only a known change window or a dedicated staging directory.
Scenario: CI/CD Pipeline Deploys Files
Description: A deployment agent (Web Deploy, a Jenkins or GitLab runner, or a self-hosted GitHub Actions runner) writing .aspx or .php files into the web root fires the rule on every deployment. Extensions the rule does not list, such as .js, do not match.
Filter/Exclusion: Add a filter_main_* selection on Image for the agent's executable path and, where the pipeline stages into a fixed directory (for example \build\ or \dist\), on that path as well. Keep the exclusion to the agent process; excluding the whole web root removes the detection.
Scenario: Log Rotation or Temporary Files Under the Web Root
Description: Log rotation and temporary-file creation produce .log and .tmp files, which match only when the file name also contains one of the rule's substrings (for example access.php.log or upload.aspx.tmp under a web directory). Linux tools such as logrotate and rsyslog are out of scope, since the rule's logsource is Windows file_event (Sysmon Event ID 11 or an equivalent file-creation source).
Filter/Exclusion: Exclude a dedicated log directory under the web root by path (for example \wwwroot\logs\) only after confirming the web server has no script handler mapped to it; do not exclude by the .log or .tmp suffix.
**Scenario: Developer