Techniques
Sample rules
Potential Webshell Creation On Static Website
- source: sigma
- techniques:
  - t1505
  - t1505.003
Description
Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
Detection logic
condition: (all of selection_wwwroot_* or all of selection_htdocs_*) and not 1 of filter_main_*
filter_main_legitimate:
  TargetFilename|contains: \xampp
filter_main_system:
  Image: System
filter_main_temp:
  TargetFilename|contains:
    - \AppData\Local\Temp\
    - \Windows\Temp\
selection_htdocs_ext:
  TargetFilename|contains: .ph
selection_htdocs_path:
  TargetFilename|contains:
    - \www\
    - \htdocs\
    - \html\
selection_wwwroot_ext:
  TargetFilename|contains:
    - .ashx
    - .asp
    - .ph
    - .soap
selection_wwwroot_path:
  TargetFilename|contains: \inetpub\wwwroot\
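
The condition above applied to constructed file-creation events, as an added example that is not part of the original rule page. It assumes each event is a dict carrying the TargetFilename and Image fields the rule reads and follows Sigma's case-insensitive matching; the function names and sample paths are illustrative.

```python
# Added example: the rule's condition applied to constructed file-creation events.
# Event dicts, function names and sample paths are illustrative assumptions.
SELECTIONS = {  # each group needs BOTH its path and its extension part ("all of")
    "wwwroot": {"path": ["\\inetpub\\wwwroot\\"],
                "ext": [".ashx", ".asp", ".ph", ".soap"]},
    "htdocs": {"path": ["\\www\\", "\\htdocs\\", "\\html\\"],
               "ext": [".ph"]},
}
FILTER_PATHS = ["\\xampp", "\\AppData\\Local\\Temp\\", "\\Windows\\Temp\\"]

def contains_any(value, needles):
    """Sigma 'contains': case-insensitive substring match, OR across list values."""
    lowered = value.lower()
    return any(n.lower() in lowered for n in needles)

def rule_matches(event):
    """(all of selection_wwwroot_* or all of selection_htdocs_*) and not 1 of filter_main_*"""
    target = event.get("TargetFilename", "")
    selected = any(contains_any(target, g["path"]) and contains_any(target, g["ext"])
                   for g in SELECTIONS.values())
    filtered = (event.get("Image", "").lower() == "system"   # filter_main_system
                or contains_any(target, FILTER_PATHS))       # filter_main_legitimate / _temp
    return selected and not filtered

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "TargetFilename": "C:\\inetpub\\wwwroot\\uploads\\report.aspx"},  # ".asp" is inside ".aspx"
    {"Image": "C:\\Apache24\\bin\\httpd.exe",
     "TargetFilename": "D:\\sites\\htdocs\\img\\avatar.PHTML"},        # match ignores case
    {"Image": "System",
     "TargetFilename": "C:\\inetpub\\wwwroot\\app\\handler.ashx"},     # filter_main_system
    {"Image": "C:\\Apache24\\bin\\httpd.exe",
     "TargetFilename": "C:\\Windows\\Temp\\html\\upload.php"},         # filter_main_temp
    {"Image": "C:\\Apache24\\bin\\httpd.exe",
     "TargetFilename": "D:\\sites\\htdocs\\legacy\\page.asp"},         # .asp only counts under wwwroot
]

def flagged(events):
    """Return the TargetFilename of every event the rule would alert on."""
    return [e["TargetFilename"] for e in events if rule_matches(e)]

if __name__ == "__main__":
    print("\n".join(flagged(SAMPLE_EVENTS)))
```

Because the extension terms are substring matches, .asp also covers .aspx, and .ph covers .php, .phtml and similar names.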