Techniques
Sample rules
Windows Webshell Strings
- source: sigma
- techniques:
  - t1505
  - t1505.003
Description
Detects common commands used in Windows webshells
Detection logic
selection_keywords:
  - =whoami
  - =net%20user
  - =net+user
  - =net%2Buser
  - =cmd%20/c%
  - =cmd+/c+
  - =cmd%2B/c%
  - =cmd%20/r%
  - =cmd+/r+
  - =cmd%2B/r%
  - =cmd%20/k%
  - =cmd+/k+
  - =cmd%2B/k%
  - =powershell%
  - =powershell+
  - =tasklist%
  - =tasklist+
  - =wmic%
  - =wmic+
  - =ssh%
  - =ssh+
  - =python%
  - =python+
  - =python3%
  - =python3+
  - =ipconfig
  - =wget%
  - =wget+
  - =curl%
  - =curl+
  - =certutil
  - =copy%20%5C%5C
  - =dsquery%
  - =dsquery+
  - =nltest%
  - =nltest+
selection_method:
  cs-method: GET
condition: all of selection_*
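The following is an added example, not code from the page or from the Sigma project, showing how the two selections above combine under `condition: all of selection_*` when run over a few constructed IIS W3C-style log lines. Sigma keyword lists are case-insensitive substring matches against the whole event, which is what the evaluator mirrors; the log format, the sample lines and the function names are assumptions made for the example. It also shows the two things a triager should expect from this rule: a POST carrying the same strings is not matched (the rule only selects GET), and a benign query string can still trip a broad keyword like `=python+`.

```python
"""Added example (not the page's or Sigma's own code): a minimal evaluator for
the 'Windows Webshell Strings' detection logic, run over constructed log lines.
Sigma keywords are case-insensitive 'contains' matches on the whole event."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The rule's selection_keywords, copied from the page.
WEBSHELL_KEYWORDS = [
    "=whoami", "=net%20user", "=net+user", "=net%2Buser",
    "=cmd%20/c%", "=cmd+/c+", "=cmd%2B/c%",
    "=cmd%20/r%", "=cmd+/r+", "=cmd%2B/r%",
    "=cmd%20/k%", "=cmd+/k+", "=cmd%2B/k%",
    "=powershell%", "=powershell+", "=tasklist%", "=tasklist+",
    "=wmic%", "=wmic+", "=ssh%", "=ssh+",
    "=python%", "=python+", "=python3%", "=python3+",
    "=ipconfig", "=wget%", "=wget+", "=curl%", "=curl+",
    "=certutil", "=copy%20%5C%5C",
    "=dsquery%", "=dsquery+", "=nltest%", "=nltest+",
]


@dataclass
class WebLogEntry:
    raw: str            # the whole line; Sigma keywords match the whole event
    c_ip: str
    cs_method: str
    cs_uri_stem: str
    cs_uri_query: str


def parse_w3c_line(line: str) -> Optional[WebLogEntry]:
    """Parse one line of the assumed format (an IIS W3C-style subset):
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
    Returns None for '#' directive lines and malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) != 7:
        return None
    _date, _time, c_ip, method, stem, query, _status = fields
    return WebLogEntry(raw=line, c_ip=c_ip, cs_method=method,
                       cs_uri_stem=stem, cs_uri_query=query)


def matches_webshell_rule(entry: WebLogEntry) -> Optional[str]:
    """'condition: all of selection_*': the request must be a GET
    (selection_method) AND contain one keyword (selection_keywords).
    Returns the first matching keyword, or None when the rule does not fire."""
    if entry.cs_method.upper() != "GET":
        return None
    haystack = entry.raw.lower()
    for kw in WEBSHELL_KEYWORDS:
        if kw.lower() in haystack:
            return kw
    return None


def scan_log(lines: List[str]) -> List[Tuple[WebLogEntry, str]]:
    """Return (entry, keyword) pairs for every line the rule fires on."""
    hits: List[Tuple[WebLogEntry, str]] = []
    for line in lines:
        entry = parse_w3c_line(line)
        if entry is None:
            continue
        kw = matches_webshell_rule(entry)
        if kw is not None:
            hits.append((entry, kw))
    return hits


# Constructed sample log, not real traffic. The POST line is skipped by the
# rule's cs-method selection; the '/search' line is benign but still contains
# '=python+', which is why hits from this rule need triage, not auto-blocking.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2024-01-15 10:02:11 10.0.0.5 GET /images/logo.png - 200",
    "2024-01-15 10:02:19 10.0.0.9 GET /uploads/x.aspx cmd=whoami 200",
    "2024-01-15 10:02:31 10.0.0.9 GET /uploads/x.aspx c=cmd%20/c%20dir 200",
    "2024-01-15 10:02:44 10.0.0.9 POST /uploads/x.aspx cmd=tasklist+/v 200",
    "2024-01-15 10:03:01 10.0.0.12 GET /search q=python+tutorial 200",
]

if __name__ == "__main__":
    for entry, kw in scan_log(SAMPLE_LOG):
        print(f"{entry.c_ip} {entry.cs_method} "
              f"{entry.cs_uri_stem}?{entry.cs_uri_query}  <- matched {kw}")
```

Running the block prints three hits: the `cmd=whoami` and `c=cmd%20/c%20dir` requests, and the benign `q=python+tutorial` search. The POST carrying `cmd=tasklist+/v` is never evaluated against the keywords, so a deployment that wants coverage for POST-based shells needs a separate selection rather than a looser keyword list.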