How to write a kibana rule with filename

I would like to write a rule to detect if the file name & path are matching for china chopper webshells from below list. for entire csv

What is the best way to do please guide me with exact steps. I know we need create new rule under detections but i need exact steps like query filename or filepath et......

If this is in relation to the recent use of it with Hafnium’s back in March. Then you can use a rule that was already created,

Or you can use

This one directly reference China Chopper

sigma/win_webshell_detection.yml at master · SigmaHQ/sigma (

((process.parent.executable:(*\\\\w3wp.exe OR *\\\\php\\-cgi.exe OR 
*\\\\nginx.exe OR *\\\\httpd.exe) OR process.parent.executable:(*\\\\apache* OR 
*\\\\tomcat*)) AND (((process.command_line:(*\\ user\\ * OR *\\ use\\ * OR 
*\\ group\\ *) AND process.executable:(*\\\\net.exe OR *\\\\net1.exe)) OR 
(process.command_line:*\\ \\-n\\ * AND process.executable:*\\\\ping.exe) OR 
process.command_line:(*&cd&echo* OR *cd\\ \\/d\\ *)) OR 
(process.command_line:*\\ \\/node\\:* AND process.executable:*\\\\wmic.exe) OR 
process.executable:(*\\\\whoami.exe OR *\\\\systeminfo.exe OR *\\\\quser.exe OR 
*\\\\ipconfig.exe OR *\\\\pathping.exe OR *\\\\tracert.exe OR *\\\\netstat.exe OR 
*\\\\schtasks.exe OR *\\\\vssadmin.exe OR *\\\\wevtutil.exe OR 
*\\\\tasklist.exe) OR process.command_line:(*\\ Test\\-NetConnection\\ * OR 
*dir\\ \\\\*)))

I just made it into a gist. ChinaChopper.ndjson (

Florian Roth on Twitter: "It may be hard to detect #Webshells in your Sandbox :upside_down_face: But there's a generic way to detect webshells w/ Sigma rules that trigger on susp parent->child process relations @FireEye example China Chopper Rules" / Twitter

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.