WebShell detections

Hello Experts, can someone please provide some sample rules to detect WebShells?

In essence, we are trying to look for events related to file creation, modification, or deletion, particularly in commonly targeted locations like web application root directories (e.g., /var/www/html). Focus on events involving executable files with unusual names or suspicious scripts.
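One way to express the file-write detection described in the question as a YARA-L 2.0 rule. This is an added example, not code from any reply in this thread; the web-root paths, the extension list, the severity and the excluded deployment identities (the `deploy` user and `/usr/bin/rsync`) are assumptions to be replaced with whatever fits your environment.

```yaral
rule webshell_script_written_to_webroot {
  meta:
    author = "example"
    description = "Server-side script created or modified under a web root by something other than a known deployment path"
    severity = "MEDIUM"

  events:
    // File create/modify events as normalized in UDM (assumption: your EDR or FIM feed maps to these types)
    $file.metadata.event_type = "FILE_CREATION" or $file.metadata.event_type = "FILE_MODIFICATION"

    // Commonly targeted web roots; extend with your own (assumed Linux, Tomcat and IIS layouts)
    re.regex($file.target.file.full_path, `^(/var/www/|/usr/share/nginx/html/|/opt/tomcat/webapps/|C:\\inetpub\\wwwroot\\)`)

    // Extensions a webshell typically uses; (?i) makes the match case-insensitive
    re.regex($file.target.file.full_path, `(?i)\.(php[0-9]?|phtml|jspx?|aspx?|ashx|cfm|pl|py|sh)$`)

    // Tuning: exclude a known deployment account and tool (hypothetical names)
    $file.principal.user.userid != "deploy"
    $file.principal.process.file.full_path != "/usr/bin/rsync"

    // Group hits per host so one deployment burst does not produce one alert per file
    $file.principal.hostname = $host

  match:
    $host over 1h

  outcome:
    $paths = array_distinct($file.target.file.full_path)

  condition:
    $file
}
```

The two `re.regex` lines are ANDed, so a file has to be both under a watched root and carry a script extension. The `$paths` outcome lists every matching file written on the host inside the match window, which is usually what an analyst wants to see first; the exclusions are where the tuning effort goes, since CI/CD pipelines write exactly these paths legitimately.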


Thank you, let me test this and circle back. Appreciate the quick response!

Those are some decent places to start regarding the different places a webshell might manifest itself.

From there, using something like this to associate the webshell with the endpoint behavior might be appropriate. This will likely require some tuning, but the network event has to occur before the endpoint event (in theory), the endpoint principal should be the webshell network logging target, and we are looking for process launch and file creation events (or others). From there you could use the endpoint event variable to carve down further on weird stuff and then set your match window accordingly on that common IP address.

   // Endpoint side: process launch or file creation on the web server
   $endpoint.metadata.event_type = "PROCESS_LAUNCH" or $endpoint.metadata.event_type = "FILE_CREATION"
   // Join on the server's address: the host the request was sent to is the host doing the work
   $endpoint.principal.ip = $network.target.ip
   // The inbound request must come first, then the endpoint activity
   $network.metadata.event_timestamp.seconds < $endpoint.metadata.event_timestamp.seconds
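A complete YARA-L 2.0 rule built around the three conditions in that reply, so the join, ordering and match window can be seen together. This is an added example, not code from the reply: it assumes your web server or proxy logs normalize to the `NETWORK_HTTP` event type, that the `principal.process` on the endpoint event is the web server binary (one of the names in the regex), and a 5 minute window; all three are knobs to tune.

```yaral
rule webshell_http_request_then_endpoint_activity {
  meta:
    author = "example"
    description = "Inbound HTTP request to a server followed by the web server process launching a child or writing a file"
    severity = "HIGH"

  events:
    // Network side: an HTTP request whose target is the web server (assumed event type)
    $network.metadata.event_type = "NETWORK_HTTP"
    $network.target.ip = $server_ip

    // Endpoint side: activity on the same server, joined on the address the request went to.
    // principal.ip is a repeated field, so a multi-homed host still joins on any of its addresses.
    $endpoint.metadata.event_type = "PROCESS_LAUNCH" or $endpoint.metadata.event_type = "FILE_CREATION"
    $endpoint.principal.ip = $server_ip

    // Ordering: the request precedes the endpoint event
    $network.metadata.event_timestamp.seconds < $endpoint.metadata.event_timestamp.seconds

    // Tuning: only care when the acting process is the web server itself. For PROCESS_LAUNCH
    // that is the parent spawning a child; for FILE_CREATION it is the process writing the file.
    // Binary names are assumptions for a typical Linux/IIS/Tomcat fleet.
    re.regex($endpoint.principal.process.file.full_path, `(?i)(httpd|apache2|nginx|php-fpm|w3wp\.exe|java)$`)

  match:
    $server_ip over 5m

  outcome:
    $children = array_distinct($endpoint.target.process.command_line)
    $files = array_distinct($endpoint.target.file.full_path)
    $sources = array_distinct($network.principal.ip)

  condition:
    $network and $endpoint
}
```

The `$server_ip` placeholder is what lets the two events share a match window; the raw `$endpoint.principal.ip = $network.target.ip` comparison joins them but cannot be used in `match:` on its own. Tightening the endpoint filter further (for example `cmd.exe`, `/bin/sh` or `powershell.exe` as the child process) is the usual next step once the baseline volume is known, and the `$sources` outcome gives the requesting addresses to pivot on.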