Skip to content

T1505.003 WindowsWebshellCreation

T1505.003 - Windows Webshell Creation

DESCRIPTION

Possible webshell file creation on a static web site.

Reference:

https://github.com/SigmaHQ/sigma/blob/bd4542448564d8c9bbdac8a6b32b3975af153772/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml

Related

Common Persistence - Windows

ATT&CK TACTICS

T1505.003 - Server Software Component: Web Shell

Data Source(s): File

SENTINEL RULE QUERY

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
let selection_wwwroot = @"\inetpub\wwwroot\";
let selection_ext1 = dynamic(['.asp','.ashx','.ph']);
let selection_static = dynamic(["\\www\\", "\\htdocs\\", "\\html\\"]);
let selection_ext2 = ".ph";
let false_positive1 = dynamic(['\\AppData\\Local\\Temp\\', '\\Windows\\Temp\\']); //false positives when unpacking some executables in $TEMP
let false_positive_system = "System"; //backup or restore from drivers
let false_positive_legitimate = dynamic(["\\xampp","\\QGIS"]);
DeviceFileEvents //SOC-748162
| where ActionType == "FileCreated" //Modification to filter only file creation
| where (FolderPath contains selection_wwwroot and FolderPath has_any (selection_ext1)) or (FolderPath has_any (selection_static) and FolderPath endswith selection_ext2)
| where not(FolderPath has_any (false_positive1) or InitiatingProcessFolderPath == false_positive_system or FolderPath has_any (false_positive_legitimate))

Triage

  1. Verify the FolderPath and FileName for any suspicious activity
  2. Verify parent process, and process that spawned the file inside the FolderPath directory
  3. Check SHA256 if required.

False Positive

  1. Legitimate administrator or developer creating legitimate executable files in a web application folder.

VERSION

Version 1.0 (date: 21/09/2023)