How to write a Kibana rule with filename

I would like to write a rule to detect whether the file name and path match the China Chopper webshells in the list below, for the entire CSV.

What is the best way to do this? Please guide me with exact steps. I know we need to create a new rule under Detections, but I need exact steps, like how to query the filename or filepath, etc.

If this is in relation to the recent use of it by Hafnium back in March, then you can use a rule that was already created,

Or you can use

This one directly references China Chopper:

sigma/win_webshell_detection.yml at master · SigmaHQ/sigma (github.com)

((process.parent.executable:(*\\w3wp.exe OR *\\php\-cgi.exe OR
*\\nginx.exe OR *\\httpd.exe) OR process.parent.executable:(*\\apache* OR
*\\tomcat*)) AND (((process.command_line:(*\ user\ * OR *\ use\ * OR
*\ group\ *) AND process.executable:(*\\net.exe OR *\\net1.exe)) OR
(process.command_line:*\ \-n\ * AND process.executable:*\\ping.exe) OR
process.command_line:(*&cd&echo* OR *cd\ \/d\ *)) OR
(process.command_line:*\ \/node\:* AND process.executable:*\\wmic.exe) OR
process.executable:(*\\whoami.exe OR *\\systeminfo.exe OR *\\quser.exe OR
*\\ipconfig.exe OR *\\pathping.exe OR *\\tracert.exe OR *\\netstat.exe OR
*\\schtasks.exe OR *\\vssadmin.exe OR *\\wevtutil.exe OR
*\\tasklist.exe) OR process.command_line:(*\ Test\-NetConnection\ * OR
*dir\ \\*)))

I just made it into a gist: ChinaChopper.ndjson (github.com)

Florian Roth on Twitter: "It may be hard to detect #Webshells in your Sandbox :upside_down_face: But there's a generic way to detect webshells w/ Sigma rules that trigger on susp parent->child process relations @FireEye example China Chopper https://t.co/uPakffpbOv Rules https://t.co/Wet38TQIrv https://t.co/7c2nlFeVhV https://t.co/HdqeWZQjLa" / Twitter
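The reply above covers the behavioural (parent/child process) detection; the original question asked for the other approach, a rule keyed on file name and path from a CSV. The script below is an added example, not code from either poster or from Elastic: it reads a CSV of indicators, builds a KQL query over the ECS fields file.path and file.name with the backslash escaping KQL requires, and writes the rule as one ndjson line in the shape Kibana's Security rule import accepts. The CSV columns (filename, filepath), the sample rows, the index patterns and the severity are all assumptions for illustration; swap in the real list and the indices your endpoint or Winlogbeat data lands in.

```python
"""Build a Kibana detection rule (ndjson import format) whose KQL query matches
file names and paths taken from a CSV of known webshell indicators.

Added example, not from the original thread. Assumptions: the CSV has columns
'filename' and 'filepath'; file events carry ECS file.name and file.path;
data lives in the index patterns listed in INDEX_PATTERNS.
"""
import csv
import io
import json
import uuid

# Constructed sample CSV standing in for the poster's list (not real IOC data).
# It contains a duplicate row and an empty row so the loader's handling of
# both is exercised.
SAMPLE_CSV = """filename,filepath
shell.aspx,C:\\inetpub\\wwwroot\\aspnet_client\\shell.aspx
shell.aspx,C:\\inetpub\\wwwroot\\aspnet_client\\shell.aspx
errorEE.aspx,C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\errorEE.aspx
,
cmd.php,/var/www/html/uploads/cmd.php
"""

INDEX_PATTERNS = ["winlogbeat-*", "logs-endpoint.events.file-*"]  # assumed


def load_indicators(csv_text):
    """Return (names, paths), de-duplicated and in CSV order, skipping blank cells."""
    names, paths = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("filename") or "").strip()
        path = (row.get("filepath") or "").strip()
        if name and name not in names:
            names.append(name)
        if path and path not in paths:
            paths.append(path)
    return names, paths


def kql_quote(value):
    """Quote a literal for KQL. Inside double quotes only '"' and '\\' need
    escaping, so a Windows path C:\\a\\b becomes "C:\\\\a\\\\b" in the query."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_query(names, paths):
    """Fire on either an exact path match or a name match anywhere on disk.
    file.path and file.name are keyword fields, so matching is exact and
    case-sensitive: entries must use the casing the agent reports."""
    clauses = []
    if paths:
        clauses.append("file.path:(" + " or ".join(kql_quote(p) for p in paths) + ")")
    if names:
        clauses.append("file.name:(" + " or ".join(kql_quote(n) for n in names) + ")")
    if not clauses:
        raise ValueError("no indicators loaded from CSV")
    return " or ".join(clauses)


def build_rule(csv_text, rule_id=None):
    """Assemble the rule object. Field names follow the detection rule
    import/export format; name, description, risk_score, severity, type and
    (for type 'query') query/language/index are the ones the API requires."""
    names, paths = load_indicators(csv_text)
    return {
        "rule_id": rule_id or str(uuid.uuid4()),
        "name": "Webshell file indicators from CSV (China Chopper)",
        "description": "file.name or file.path matches an entry in the webshell indicator CSV.",
        "type": "query",
        "language": "kuery",
        "query": build_query(names, paths),
        "index": INDEX_PATTERNS,
        "severity": "high",
        "risk_score": 73,
        "enabled": True,
        "interval": "5m",
        "from": "now-6m",
        "tags": ["Webshell", "China Chopper"],
    }


def to_ndjson(rule):
    """One JSON object per line, which is what the rule import expects."""
    return json.dumps(rule) + "\n"


if __name__ == "__main__":
    # Write rules.ndjson, then import it via Security > Rules > Import rules
    # (or POST it to /api/detection_engine/rules/_import).
    with open("rules.ndjson", "w", encoding="utf-8") as fh:
        fh.write(to_ndjson(build_rule(SAMPLE_CSV)))
```

The generated query is an ordinary KQL expression, so before importing you can paste the value of `"query"` into Discover against the same index patterns to confirm the fields exist and the escaped paths match real events. Matching on file.name alone will also catch the same webshell dropped under a different web root, at the cost of false positives on common names, so review that list separately from the paths.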
