Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
title: Webshell Hacking Activity Patterns
id: 4ebc877f-4612-45cb-b3a5-8e3834db36c9
status: test
description: |
Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
references:
- https://youtu.be/7aemGhaE9ds?t=641
author: Florian Roth (Nextron Systems)
date: 2022-03-17
modified: 2023-11-09
tags:
- attack.persistence
- attack.discovery
- attack.t1505.003
- attack.t1018
- attack.t1033
- attack.t1087
logsource:
category: process_creation
product: windows
detection:
# Webserver
selection_webserver_image:
ParentImage|endswith:
- '\caddy.exe'
- '\httpd.exe'
- '\nginx.exe'
- '\php-cgi.exe'
- '\w3wp.exe'
- '\ws_tomcatservice.exe'
selection_webserver_characteristics_tomcat1:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
ParentImage|contains:
- '-tomcat-'
- '\tomcat'
selection_webserver_characteristics_tomcat2:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
CommandLine|contains:
- 'catalina.jar'
- 'CATALINA_HOME'
# Suspicious child processes
selection_child_1:
# Process dumping
CommandLine|contains|all:
- 'rundll32'
- 'comsvcs'
selection_child_2:
# Winrar exfil
CommandLine|contains|all:
- ' -hp'
- ' a '
- ' -m'
selection_child_3:
# User add
CommandLine|contains|all:
- 'net'
- ' user '
- ' /add'
selection_child_4:
CommandLine|contains|all:
- 'net'
- ' localgroup '
- ' administrators '
- '/add'
selection_child_5:
Image|endswith:
# Credential stealing
- '\ntdsutil.exe'
# AD recon
- '\ldifde.exe'
- '\adfind.exe'
# Process dumping
- '\procdump.exe'
- '\Nanodump.exe'
# Destruction / ransom groups
- '\vssadmin.exe'
- '\fsutil.exe'
selection_child_6:
# SUspicious patterns
CommandLine|contains:
- ' -decode ' # Used with certutil
- ' -NoP ' # Often used in malicious PowerShell commands
- ' -W Hidden ' # Often used in malicious PowerShell commands
- ' /decode ' # Used with certutil
- ' /ticket:' # Rubeus
- ' sekurlsa' # Mimikatz
- '.dmp full' # Process dumping method apart from procdump
- '.downloadfile(' # PowerShell download command
- '.downloadstring(' # PowerShell download command
- 'FromBase64String' # PowerShell encoded payload
- 'process call create' # WMIC process creation
- 'reg save ' # save registry SAM - syskey extraction
- 'whoami /priv'
condition: 1 of selection_webserver_* and 1 of selection_child_*
falsepositives:
- Unlikely
level: high
imProcessCreate
| where (((ParentProcessName endswith "\\caddy.exe" or ParentProcessName endswith "\\httpd.exe" or ParentProcessName endswith "\\nginx.exe" or ParentProcessName endswith "\\php-cgi.exe" or ParentProcessName endswith "\\w3wp.exe" or ParentProcessName endswith "\\ws_tomcatservice.exe") or (ActingProcessName endswith "\\caddy.exe" or ActingProcessName endswith "\\httpd.exe" or ActingProcessName endswith "\\nginx.exe" or ActingProcessName endswith "\\php-cgi.exe" or ActingProcessName endswith "\\w3wp.exe" or ActingProcessName endswith "\\ws_tomcatservice.exe")) or (((ParentProcessName endswith "\\java.exe" or ParentProcessName endswith "\\javaw.exe") or (ActingProcessName endswith "\\java.exe" or ActingProcessName endswith "\\javaw.exe")) and ((ParentProcessName contains "-tomcat-" or ParentProcessName contains "\\tomcat") or (ActingProcessName contains "-tomcat-" or ActingProcessName contains "\\tomcat"))) or (((ParentProcessName endswith "\\java.exe" or ParentProcessName endswith "\\javaw.exe") or (ActingProcessName endswith "\\java.exe" or ActingProcessName endswith "\\javaw.exe")) and (TargetProcessCommandLine contains "catalina.jar" or TargetProcessCommandLine contains "CATALINA_HOME"))) and ((TargetProcessCommandLine contains "rundll32" and TargetProcessCommandLine contains "comsvcs") or (TargetProcessCommandLine contains " -hp" and TargetProcessCommandLine contains " a " and TargetProcessCommandLine contains " -m") or (TargetProcessCommandLine contains "net" and TargetProcessCommandLine contains " user " and TargetProcessCommandLine contains " /add") or (TargetProcessCommandLine contains "net" and TargetProcessCommandLine contains " localgroup " and TargetProcessCommandLine contains " administrators " and TargetProcessCommandLine contains "/add") or (TargetProcessName endswith "\\ntdsutil.exe" or TargetProcessName endswith "\\ldifde.exe" or TargetProcessName endswith "\\adfind.exe" or TargetProcessName endswith "\\procdump.exe" or TargetProcessName endswith "\\Nanodump.exe" or TargetProcessName endswith "\\vssadmin.exe" or TargetProcessName endswith "\\fsutil.exe") or (TargetProcessCommandLine contains " -decode " or TargetProcessCommandLine contains " -NoP " or TargetProcessCommandLine contains " -W Hidden " or TargetProcessCommandLine contains " /decode " or TargetProcessCommandLine contains " /ticket:" or TargetProcessCommandLine contains " sekurlsa" or TargetProcessCommandLine contains ".dmp full" or TargetProcessCommandLine contains ".downloadfile(" or TargetProcessCommandLine contains ".downloadstring(" or TargetProcessCommandLine contains "FromBase64String" or TargetProcessCommandLine contains "process call create" or TargetProcessCommandLine contains "reg save " or TargetProcessCommandLine contains "whoami /priv"))| Sentinel Table | Notes |
|---|---|
imProcessCreate | Ensure this data connector is enabled |