T1505.003 IISWebshellFileWrites

T1505.003 - IIS webshell file writes

DESCRIPTION

Detects IIS file writes that may be web shells. Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network.

Example:

NA

Related

Common Persistance

Reference:

https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web%20Shells%20Threat%20Protection/Hunting%20Queries/Possible%20webshell%20drop.yaml

ATT&CK TACTICS

T1505.003 - Server Software Component: Web Shell

Data Source(s): Process

SENTINEL RULE QUERY

let ExtensionList = pack_array('asp','aspx','aar','ascx','ashx','asmx','c','cfm','cgi','jsp','jspx','php','pl','exe','jsp','jar','py','ps1','psm1','cmd','psd1','java','wsf','vbs');
let IncludeTemp = false; // whether to include files that contain \temp\ in their path
DeviceFileEvents
| where ActionType in ('FileCreated', 'FileRenamed', 'FileModified')
| where InitiatingProcessFileName in~('w3wp.exe','httpd.exe') 
| where FolderPath contains @'\inetpub\wwwroot\'
| where (IncludeTemp or FolderPath  !contains @'\temp\')
| extend extension = tolower(tostring(split(FileName,'.')[-1]))
| where extension in (ExtensionList)  

Triage

1. Examine the file and the folder locations, whether it belongs there.
2. When it's not expected, download file sample and analysed
3. Inspect network traffic to potential web shells. Most webshells take commands via POSTs. Successfull commands are met with a "200"

FalsePositive

1. Legitimate web-application generated a file.

VERSION

Version 1.1 (date: 30/10/2023)