Techniques
Sample rules
Webshell ReGeorg Detection Via Web Logs
- source: sigma
- technicques:
- t1505
- t1505.003
Description
Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.
Detection logic
condition: selection and filter
filter:
cs-method: POST
cs-referer: null
cs-user-agent: null
selection:
cs-uri-query|contains:
- cmd=read
- connect&target
- cmd=connect
- cmd=disconnect
- cmd=forward