Deployable detection rules

2 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Filtered to technique T1505.003

Detections

Splunk ESCU · SPL · T1505.003
Windows Potential Web Shell Creation For VMware Workspace ONE
This analytic looks for evidence of web shells being created in the VMware Workspace ONE path on Windows or Linux systems, which has been actively exploited by attackers via CVE-2022-22954.
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

from datamodel=Endpoint.Filesystem where

Filesystem.file_path IN (
    "*/vmware/horizon/workspace/webapps/*",
    "*\\vmware\\horizon\\workspace\\webapps\\*"
)
Filesystem.file_path="*.jsp"

by Filesystem.dest Filesystem.file_create_time Filesystem.process_path
   Filesystem.process_guid Filesystem.process_id Filesystem.file_path Filesystem.file_name
   Filesystem.user Filesystem.vendor_product Filesystem.action

| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_potential_web_shell_creation_for_vmware_workspace_one_filter`
Splunk ESCU · SPL · T1505.003
Windows Suspicious Child Process Spawned From WebServer
The following analytic identifies the execution of suspicious processes typically associated with WebShell activity on web servers. It detects when processes like `cmd.exe`, `powershell.exe`, or `bash.exe` are spawned by web server processes such as `w3wp.exe` or `nginx.exe`. This behavior is significant as it may indicate an adversary exploiting a web application vulnerability to install a WebShell, providing persistent access and command execution capabilities. If confirmed malicious, this activity could allow attackers to maintain control over the compromised server, execute arbitrary commands, and potentially escalate privileges or exfiltrate sensitive data.
| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime FROM datamodel=Endpoint.Processes
  WHERE (
        Processes.process_name IN ("arp.exe","at.exe","bash.exe","bitsadmin.exe","certutil.exe","cmd.exe","cscript.exe", "dsget.exe","dsquery.exe","find.exe","findstr.exe","fsutil.exe","hostname.exe","ipconfig.exe","ksh.exe","nbstat.exe", "net.exe","net1.exe","netdom.exe","netsh.exe","netstat.exe","nltest.exe","nslookup.exe","ntdsutil.exe","pathping.exe", "ping.exe","powershell.exe","pwsh.exe","qprocess.exe","query.exe","qwinsta.exe","reg.exe","rundll32.exe","sc.exe", "scrcons.exe","schtasks.exe","sh.exe","systeminfo.exe","tasklist.exe","tracert.exe","ver.exe","vssadmin.exe", "wevtutil.exe","whoami.exe","wmic.exe","wscript.exe","wusa.exe","zsh.exe")
        AND
        Processes.parent_process_name IN ("w3wp.exe", "http*.exe", "nginx*.exe", "php*.exe", "php-cgi*.exe","tomcat*.exe")
    )
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_suspicious_child_process_spawned_from_webserver_filter`