Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell
status testauthor Max Altgelt (Nextron Systems)id b7bc7038-638b-4ffd-880c-292c692209ef
view Sigma YAML
title: Certificate Request Export to Exchange Webserver
id: b7bc7038-638b-4ffd-880c-292c692209ef
status: test
description: Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell
references:
- https://twitter.com/GossiTheDog/status/1429175908905127938
author: Max Altgelt (Nextron Systems)
date: 2021-08-23
modified: 2023-01-23
tags:
- attack.persistence
- attack.t1505.003
logsource:
service: msexchange-management
product: windows
detection:
keywords_export_command:
'|all':
- 'New-ExchangeCertificate'
- ' -GenerateRequest'
- ' -BinaryEncoded'
- ' -RequestFile'
keywords_export_params:
- '\\\\localhost\\C$'
- '\\\\127.0.0.1\\C$'
- 'C:\\inetpub'
- '.aspx'
condition: keywords_export_command and keywords_export_params
falsepositives:
- Unlikely
level: critical
critical
Mailbox Export to Exchange Webserver
Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it
status testauthor Florian Roth (Nextron Systems), Rich Warren, Christian Burkard (Nextron Systems)id 516376b4-05cd-4122-bae0-ad7641c38d48
view Sigma YAML
title: Mailbox Export to Exchange Webserver
id: 516376b4-05cd-4122-bae0-ad7641c38d48
status: test
description: Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it
references:
- https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
author: Florian Roth (Nextron Systems), Rich Warren, Christian Burkard (Nextron Systems)
date: 2021-08-09
modified: 2023-04-30
tags:
- attack.persistence
- attack.t1505.003
logsource:
service: msexchange-management
product: windows
detection:
export_command:
'|all':
- 'New-MailboxExportRequest'
- ' -Mailbox '
export_params:
- '-FilePath "\\\\' # We care about any share location.
- '.aspx'
role_assignment:
'|all':
- 'New-ManagementRoleAssignment'
- ' -Role "Mailbox Import Export"'
- ' -User '
condition: (export_command and export_params) or role_assignment
falsepositives:
- Unlikely
level: critical
critical
Webshell Remote Command Execution
Detects possible command execution by web application/web shell
status testauthor Ilyas Ochkov, Beyu Denis, oscd.communityid c0d3734d-330f-4a03-aae2-65dacc6a8222
view Sigma YAML
title: Webshell Remote Command Execution
id: c0d3734d-330f-4a03-aae2-65dacc6a8222
status: test
description: Detects possible command execution by web application/web shell
references:
- Personal Experience of the Author
- https://www.vaadata.com/blog/what-is-command-injection-exploitations-and-security-best-practices/
author: Ilyas Ochkov, Beyu Denis, oscd.community
date: 2019-10-12
modified: 2025-12-05
tags:
- attack.persistence
- attack.t1505.003
logsource:
product: linux
service: auditd
definition: |
Required auditd configuration:
-a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www
-a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www
-a always,exit -F arch=b32 -S execveat -F euid=33 -k detect_execve_www
-a always,exit -F arch=b64 -S execveat -F euid=33 -k detect_execve_www
Change the number "33" to the ID of your WebServer user. Default: www-data:x:33:33
detection:
selection:
type: 'SYSCALL'
SYSCALL:
- 'execve'
- 'execveat'
euid: 33
condition: selection
falsepositives:
- Admin activity
- Crazy web applications
level: critical
high
Antivirus Web Shell Detection
Detects a highly relevant Antivirus alert that reports a web shell.
It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
status testauthor Florian Roth (Nextron Systems), Arnim Ruppid fdf135a2-9241-4f96-a114-bb404948f736
view Sigma YAML
title: Antivirus Web Shell Detection
id: fdf135a2-9241-4f96-a114-bb404948f736
status: test
description: |
Detects a highly relevant Antivirus alert that reports a web shell.
It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/?s=antivirus
- https://github.com/tennc/webshell
- https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
- https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
- https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
- https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection
- https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection
- https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
- https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
- https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
- attack.persistence
- attack.t1505.003
logsource:
category: antivirus
detection:
selection:
- Signature|startswith:
- 'ASP.'
- 'IIS/BackDoor'
- 'JAVA/Backdoor'
- 'JSP.'
- 'Perl.'
- 'PHP.'
- 'Troj/ASP'
- 'Troj/JSP'
- 'Troj/PHP'
- 'VBS/Uxor' # looking for 'VBS/' would also find downloader's and droppers meant for desktops
- Signature|contains:
- 'ASP_' # looking for 'VBS_' would also find downloader's and droppers meant for desktops
- 'ASP:'
- 'ASP.Agent'
- 'ASP/'
# - 'ASP/Agent'
- 'Aspdoor'
- 'ASPXSpy'
- 'Backdoor.ASP'
- 'Backdoor.Java'
- 'Backdoor.JSP'
- 'Backdoor.PHP'
- 'Backdoor.VBS'
- 'Backdoor/ASP'
- 'Backdoor/Java'
- 'Backdoor/JSP'
- 'Backdoor/PHP'
- 'Backdoor/VBS'
- 'C99shell'
- 'Chopper'
- 'filebrowser'
- 'JSP_'
- 'JSP:'
- 'JSP.Agent'
- 'JSP/'
# - 'JSP/Agent'
- 'Perl:'
- 'Perl/'
- 'PHP_'
- 'PHP:'
- 'PHP.Agent'
- 'PHP/'
# - 'PHP/Agent'
- 'PHPShell'
- 'PShlSpy'
- 'SinoChoper'
- 'Trojan.ASP'
- 'Trojan.JSP'
- 'Trojan.PHP'
- 'Trojan.VBS'
- 'VBS.Agent'
- 'VBS/Agent'
- 'Webshell'
condition: selection
falsepositives:
- Unlikely
level: high
high
Chopper Webshell Process Pattern
Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
status testauthor Florian Roth (Nextron Systems), MSTI (query)id fa3c117a-bc0d-416e-a31b-0c0e80653efb
view Sigma YAML
title: Chopper Webshell Process Pattern
id: fa3c117a-bc0d-416e-a31b-0c0e80653efb
status: test
description: Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
references:
- https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
author: Florian Roth (Nextron Systems), MSTI (query)
date: 2022-10-01
tags:
- attack.persistence
- attack.discovery
- attack.t1505.003
- attack.t1018
- attack.t1033
- attack.t1087
logsource:
category: process_creation
product: windows
detection:
selection_origin:
- Image|endswith: '\w3wp.exe'
- ParentImage|endswith: '\w3wp.exe'
selection_cmdline:
CommandLine|contains:
- '&ipconfig&echo'
- '&quser&echo'
- '&whoami&echo'
- '&c:&echo'
- '&cd&echo'
- '&dir&echo'
- '&echo [E]'
- '&echo [S]'
condition: all of selection_*
falsepositives:
- Unknown
level: high
high
Exchange Set OabVirtualDirectory ExternalUrl Property
Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log
status testauthor Jose Rodriguez @Cyb3rPandaHid 9db37458-4df2-46a5-95ab-307e7f29e675
view Sigma YAML
title: Exchange Set OabVirtualDirectory ExternalUrl Property
id: 9db37458-4df2-46a5-95ab-307e7f29e675
status: test
description: Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log
references:
- https://twitter.com/OTR_Community/status/1371053369071132675
author: Jose Rodriguez @Cyb3rPandaH
date: 2021-03-15
modified: 2023-01-23
tags:
- attack.persistence
- attack.t1505.003
logsource:
product: windows
service: msexchange-management
detection:
keywords:
'|all':
- 'Set-OabVirtualDirectory'
- 'ExternalUrl'
- 'Page_Load'
- 'script'
condition: keywords
falsepositives:
- Unknown
level: high
high
Linux Webshell Indicators
Detects suspicious sub processes of web server processes
Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
status testauthor Florian Roth (Nextron Systems), MSTI (query, idea)id bd1212e5-78da-431e-95fa-c58e3237a8e6
view Sigma YAML
title: Suspicious ASPX File Drop by Exchange
id: bd1212e5-78da-431e-95fa-c58e3237a8e6
related:
- id: 6b269392-9eba-40b5-acb6-55c882b20ba6
type: similar
status: test
description: Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
references:
- https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
- https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
- https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
author: Florian Roth (Nextron Systems), MSTI (query, idea)
date: 2022-10-01
tags:
- attack.persistence
- attack.t1505.003
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\w3wp.exe'
CommandLine|contains: 'MSExchange'
TargetFilename|contains:
- 'FrontEnd\HttpProxy\' # from GTSC and MSTI reports
- '\inetpub\wwwroot\aspnet_client\' # from GTSC report
selection_types:
TargetFilename|endswith:
- '.aspx'
- '.asp'
- '.ashx'
condition: all of selection*
falsepositives:
- Unknown
level: high
high
Suspicious Child Process Of SQL Server
Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
status testauthor FPT.EagleEye Team, waggaid 869b9ca7-9ea2-4a5a-8325-e80e62f75445
view Sigma YAML
title: Suspicious Child Process Of SQL Server
id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
related:
- id: 344482e4-a477-436c-aa70-7536d18a48c7
type: obsolete
status: test
description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
references:
- Internal Research
author: FPT.EagleEye Team, wagga
date: 2020-12-11
modified: 2023-05-04
tags:
- attack.t1505.003
- attack.t1190
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\sqlservr.exe'
Image|endswith:
# You can add other uncommon or suspicious processes
- '\bash.exe'
- '\bitsadmin.exe'
- '\cmd.exe'
- '\netstat.exe'
- '\nltest.exe'
- '\ping.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\sh.exe'
- '\systeminfo.exe'
- '\tasklist.exe'
- '\wsl.exe'
filter_optional_datev:
ParentImage|startswith: 'C:\Program Files\Microsoft SQL Server\'
ParentImage|endswith: 'DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe'
Image: 'C:\Windows\System32\cmd.exe'
CommandLine|startswith: '"C:\Windows\system32\cmd.exe" '
condition: selection and not 1 of filter_optional_*
level: high
high
Suspicious File Write to SharePoint Layouts Directory
Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation.
This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.
status experimentalauthor Swachchhanda Shrawan Poudel (Nextron Systems)id 1f0489be-b496-4ddf-b3a9-5900f2044e9c
view Sigma YAML
title: Suspicious File Write to SharePoint Layouts Directory
id: 1f0489be-b496-4ddf-b3a9-5900f2044e9c
status: experimental
description: |
Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation.
This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.
references:
- https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/
- https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-24
tags:
- attack.initial-access
- attack.t1190
- attack.persistence
- attack.t1505.003
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\w3wp.exe'
TargetFilename|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\'
- 'C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions\'
TargetFilename|contains:
- '\15\TEMPLATE\LAYOUTS\'
- '\16\TEMPLATE\LAYOUTS\'
TargetFilename|endswith:
- '.asax'
- '.ascx'
- '.ashx'
- '.asmx'
- '.asp'
- '.aspx'
- '.bat'
- '.cmd'
- '.cer'
- '.config'
- '.hta'
- '.js'
- '.jsp'
- '.jspx'
- '.php'
- '.ps1'
- '.vbs'
condition: selection
falsepositives:
- Unknown
level: high
Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
status testauthor Florian Roth (Nextron Systems)id 7280c9f3-a5af-45d0-916a-bc01cb4151c9
view Sigma YAML
title: Suspicious MSExchangeMailboxReplication ASPX Write
id: 7280c9f3-a5af-45d0-916a-bc01cb4151c9
status: test
description: Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
references:
- https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022-02-25
tags:
- attack.initial-access
- attack.t1190
- attack.persistence
- attack.t1505.003
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\MSExchangeMailboxReplication.exe'
TargetFilename|endswith:
- '.aspx'
- '.asp'
condition: selection
falsepositives:
- Unknown
level: high
high
Suspicious Process By Web Server Process
Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
status testauthor Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)id 8202070f-edeb-4d31-a010-a26c72ac5600
view Sigma YAML
title: Suspicious Process By Web Server Process
id: 8202070f-edeb-4d31-a010-a26c72ac5600
status: test
description: |
Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
references:
- https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-16
modified: 2024-11-26
tags:
- attack.persistence
- attack.initial-access
- attack.t1505.003
- attack.t1190
logsource:
category: process_creation
product: windows
detection:
selection_webserver_image:
ParentImage|endswith:
- '\caddy.exe'
- '\httpd.exe'
- '\nginx.exe'
- '\php-cgi.exe'
- '\php.exe'
- '\tomcat.exe'
- '\UMWorkerProcess.exe' # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
- '\w3wp.exe'
- '\ws_TomcatService.exe'
selection_webserver_characteristics_tomcat1:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
ParentImage|contains:
- '-tomcat-'
- '\tomcat'
selection_webserver_characteristics_tomcat2:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
ParentCommandLine|contains:
- 'CATALINA_HOME'
- 'catalina.home'
- 'catalina.jar'
selection_anomaly_children:
Image|endswith:
- '\arp.exe'
- '\at.exe'
- '\bash.exe'
- '\bitsadmin.exe'
- '\certutil.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\dsget.exe'
- '\hostname.exe'
- '\nbtstat.exe'
- '\net.exe'
- '\net1.exe'
- '\netdom.exe'
- '\netsh.exe'
- '\nltest.exe'
- '\ntdsutil.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\qprocess.exe'
- '\query.exe'
- '\qwinsta.exe'
- '\reg.exe'
- '\rundll32.exe'
- '\sc.exe'
- '\sh.exe'
- '\wmic.exe'
- '\wscript.exe'
- '\wusa.exe'
filter_main_fp_1:
ParentImage|endswith: '\java.exe'
CommandLine|endswith: 'Windows\system32\cmd.exe /c C:\ManageEngine\ADManager "Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt'
filter_main_fp_2:
ParentImage|endswith: '\java.exe'
CommandLine|contains|all:
- 'sc query'
- 'ADManager Plus'
condition: 1 of selection_webserver_* and selection_anomaly_children and not 1 of filter_main_*
falsepositives:
- Particular web applications may spawn a shell process legitimately
level: high
high
Suspicious Windows Strings In URI
Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication
status testauthor Nasreddine Bencherchali (Nextron Systems)id 9f6a34b4-2688-4eb7-a7f5-e39fef573d0e
view Sigma YAML
title: Suspicious Windows Strings In URI
id: 9f6a34b4-2688-4eb7-a7f5-e39fef573d0e
status: test
description: Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication
references:
- https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-06
modified: 2023-01-02
tags:
- attack.persistence
- attack.exfiltration
- attack.t1505.003
logsource:
category: webserver
detection:
selection:
cs-uri-query|contains:
- '=C:/Users'
- '=C:/Program%20Files'
- '=C:/Windows'
- '=C%3A%5CUsers'
- '=C%3A%5CProgram%20Files'
- '=C%3A%5CWindows'
condition: selection
falsepositives:
- Legitimate application and websites that use windows paths in their URL
level: high
high
Webshell Detection With Command Line Keywords
Detects certain command line parameters often used during reconnaissance activity via web shells
status testauthor Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Chad Hudson, Matt Andersonid bed2a484-9348-4143-8a8a-b801c979301c
Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
status testauthor Florian Roth (Nextron Systems)id 4ebc877f-4612-45cb-b3a5-8e3834db36c9
view Sigma YAML
title: Webshell Hacking Activity Patterns
id: 4ebc877f-4612-45cb-b3a5-8e3834db36c9
status: test
description: |
Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
references:
- https://youtu.be/7aemGhaE9ds?t=641
author: Florian Roth (Nextron Systems)
date: 2022-03-17
modified: 2023-11-09
tags:
- attack.persistence
- attack.discovery
- attack.t1505.003
- attack.t1018
- attack.t1033
- attack.t1087
logsource:
category: process_creation
product: windows
detection:
# Webserver
selection_webserver_image:
ParentImage|endswith:
- '\caddy.exe'
- '\httpd.exe'
- '\nginx.exe'
- '\php-cgi.exe'
- '\w3wp.exe'
- '\ws_tomcatservice.exe'
selection_webserver_characteristics_tomcat1:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
ParentImage|contains:
- '-tomcat-'
- '\tomcat'
selection_webserver_characteristics_tomcat2:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
CommandLine|contains:
- 'catalina.jar'
- 'CATALINA_HOME'
# Suspicious child processes
selection_child_1:
# Process dumping
CommandLine|contains|all:
- 'rundll32'
- 'comsvcs'
selection_child_2:
# Winrar exfil
CommandLine|contains|all:
- ' -hp'
- ' a '
- ' -m'
selection_child_3:
# User add
CommandLine|contains|all:
- 'net'
- ' user '
- ' /add'
selection_child_4:
CommandLine|contains|all:
- 'net'
- ' localgroup '
- ' administrators '
- '/add'
selection_child_5:
Image|endswith:
# Credential stealing
- '\ntdsutil.exe'
# AD recon
- '\ldifde.exe'
- '\adfind.exe'
# Process dumping
- '\procdump.exe'
- '\Nanodump.exe'
# Destruction / ransom groups
- '\vssadmin.exe'
- '\fsutil.exe'
selection_child_6:
# SUspicious patterns
CommandLine|contains:
- ' -decode ' # Used with certutil
- ' -NoP ' # Often used in malicious PowerShell commands
- ' -W Hidden ' # Often used in malicious PowerShell commands
- ' /decode ' # Used with certutil
- ' /ticket:' # Rubeus
- ' sekurlsa' # Mimikatz
- '.dmp full' # Process dumping method apart from procdump
- '.downloadfile(' # PowerShell download command
- '.downloadstring(' # PowerShell download command
- 'FromBase64String' # PowerShell encoded payload
- 'process call create' # WMIC process creation
- 'reg save ' # save registry SAM - syskey extraction
- 'whoami /priv'
condition: 1 of selection_webserver_* and 1 of selection_child_*
falsepositives:
- Unlikely
level: high
high
Webshell ReGeorg Detection Via Web Logs
Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.
status testauthor Cian Heasleyid 2ea44a60-cfda-11ea-87d0-0242ac130003
view Sigma YAML
title: Webshell ReGeorg Detection Via Web Logs
id: 2ea44a60-cfda-11ea-87d0-0242ac130003
status: test
description: Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.
references:
- https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3
- https://github.com/sensepost/reGeorg
author: Cian Heasley
date: 2020-08-04
modified: 2023-01-02
tags:
- attack.persistence
- attack.t1505.003
logsource:
category: webserver
detection:
selection:
cs-uri-query|contains:
- 'cmd=read'
- 'connect&target'
- 'cmd=connect'
- 'cmd=disconnect'
- 'cmd=forward'
filter:
cs-referer: null
cs-user-agent: null
cs-method: POST
condition: selection and filter
falsepositives:
- Web applications that use the same URL parameters as ReGeorg
level: high
high
Webshell Tool Reconnaissance Activity
Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
status testauthor Cian Heasley, Florian Roth (Nextron Systems)id f64e5c19-879c-4bae-b471-6d84c8339677
view Sigma YAML
title: Webshell Tool Reconnaissance Activity
id: f64e5c19-879c-4bae-b471-6d84c8339677
status: test
description: |
Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
references:
- https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html
author: Cian Heasley, Florian Roth (Nextron Systems)
date: 2020-07-22
modified: 2023-11-09
tags:
- attack.persistence
- attack.t1505.003
logsource:
category: process_creation
product: windows
detection:
selection_webserver_image:
ParentImage|endswith:
- '\caddy.exe'
- '\httpd.exe'
- '\nginx.exe'
- '\php-cgi.exe'
- '\w3wp.exe'
- '\ws_tomcatservice.exe'
selection_webserver_characteristics_tomcat1:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
ParentImage|contains:
- '-tomcat-'
- '\tomcat'
selection_webserver_characteristics_tomcat2:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
CommandLine|contains:
- 'CATALINA_HOME'
- 'catalina.jar'
selection_recon:
CommandLine|contains:
- 'perl --help'
- 'perl -h'
- 'python --help'
- 'python -h'
- 'python3 --help'
- 'python3 -h'
- 'wget --help'
condition: 1 of selection_webserver_* and selection_recon
falsepositives:
- Unknown
level: high
title: Windows Webshell Strings
id: 7ff9db12-1b94-4a79-ba68-a2402c5d6729
status: test
description: Detects common commands used in Windows webshells
references:
- https://bad-jubies.github.io/RCE-NOW-WHAT/
- https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017-02-19
modified: 2022-11-18
tags:
- attack.persistence
- attack.t1505.003
logsource:
category: webserver
detection:
selection_method:
cs-method: 'GET'
selection_keywords:
# The "%20" is URL encoded version of the space
# The "%2B" is URL encoded version of the "+"
- '=whoami'
- '=net%20user'
- '=net+user'
- '=net%2Buser'
- '=cmd%20/c%'
- '=cmd+/c+'
- '=cmd%2B/c%'
- '=cmd%20/r%'
- '=cmd+/r+'
- '=cmd%2B/r%'
- '=cmd%20/k%'
- '=cmd+/k+'
- '=cmd%2B/k%'
- '=powershell%'
- '=powershell+'
- '=tasklist%'
- '=tasklist+'
- '=wmic%'
- '=wmic+'
- '=ssh%'
- '=ssh+'
- '=python%'
- '=python+'
- '=python3%'
- '=python3+'
- '=ipconfig'
- '=wget%'
- '=wget+'
- '=curl%'
- '=curl+'
- '=certutil'
- '=copy%20%5C%5C'
- '=dsquery%'
- '=dsquery+'
- '=nltest%'
- '=nltest+'
condition: all of selection_*
falsepositives:
- Web sites like wikis with articles on os commands and pages that include the os commands in the URLs
- User searches in search boxes of the respective website
level: high
medium
IIS Native-Code Module Command Line Installation
Detects suspicious IIS native-code module installations via command line
status testauthor Florian Roth (Nextron Systems)id 9465ddf4-f9e4-4ebd-8d98-702df3a93239
view Sigma YAML
title: IIS Native-Code Module Command Line Installation
id: 9465ddf4-f9e4-4ebd-8d98-702df3a93239
status: test
description: Detects suspicious IIS native-code module installations via command line
references:
- https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
- https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
author: Florian Roth (Nextron Systems)
date: 2019-12-11
modified: 2024-03-13
tags:
- attack.persistence
- attack.t1505.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\appcmd.exe'
- OriginalFileName: 'appcmd.exe'
selection_cli:
CommandLine|contains|all:
- 'install'
- 'module'
CommandLine|contains|windash: '-name:'
filter_iis_setup:
ParentImage: 'C:\Windows\System32\inetsrv\iissetup.exe'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Unknown as it may vary from organisation to organisation how admins use to install IIS modules
level: medium
medium
Potential Webshell Creation On Static Website
Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
status testauthor Beyu Denis, oscd.community, Tim Shelton, Thurein Ooid 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
view Sigma YAML
title: Potential Webshell Creation On Static Website
id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
status: test
description: Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
references:
- PT ESC rule and personal experience
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md
author: Beyu Denis, oscd.community, Tim Shelton, Thurein Oo
date: 2019-10-22
modified: 2023-10-15
tags:
- attack.persistence
- attack.t1505.003
logsource:
product: windows
category: file_event
detection:
selection_wwwroot_path:
TargetFilename|contains: '\inetpub\wwwroot\'
selection_wwwroot_ext:
TargetFilename|contains:
- '.ashx'
- '.asp'
- '.ph'
- '.soap'
selection_htdocs_path:
TargetFilename|contains:
- '\www\'
- '\htdocs\'
- '\html\'
selection_htdocs_ext:
TargetFilename|contains: '.ph'
# selection_tomcat_path:
# TargetFilename|contains: '\webapps\ROOT'
# selection_tomcat_ext:
# TargetFilename|contains:
# - '.jsp' # .jspx, .jspf
# - '.jsv'
# - '.jsw'
filter_main_temp: # FP when unpacking some executables in $TEMP
TargetFilename|contains:
- '\AppData\Local\Temp\'
- '\Windows\Temp\'
filter_main_system:
Image: 'System' # FP when backup/restore from drivers
filter_main_legitimate:
TargetFilename|contains: '\xampp'
condition: (all of selection_wwwroot_* or all of selection_htdocs_*) and not 1 of filter_main_*
falsepositives:
- Legitimate administrator or developer creating legitimate executable files in a web application folder
level: medium
medium
Suspicious File Drop by Exchange
Detects suspicious file type dropped by an Exchange component in IIS
status testauthor Florian Roth (Nextron Systems)id 6b269392-9eba-40b5-acb6-55c882b20ba6
view Sigma YAML
title: Suspicious File Drop by Exchange
id: 6b269392-9eba-40b5-acb6-55c882b20ba6
related:
- id: bd1212e5-78da-431e-95fa-c58e3237a8e6
type: similar
status: test
description: Detects suspicious file type dropped by an Exchange component in IIS
references:
- https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
- https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
- https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
author: Florian Roth (Nextron Systems)
date: 2022-10-04
tags:
- attack.persistence
- attack.t1190
- attack.initial-access
- attack.t1505.003
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\w3wp.exe'
CommandLine|contains: 'MSExchange'
selection_types:
TargetFilename|endswith:
- '.aspx'
- '.asp'
- '.ashx'
- '.ps1'
- '.bat'
- '.exe'
- '.dll'
- '.vbs'
condition: all of selection*
falsepositives:
- Unknown
level: medium
medium
Suspicious File Write to Webapps Root Directory
Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers.
This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.
status experimentalauthor Swachchhanda Shrawan Poudel (Nextron Systems)id 89c42960-f244-4dad-9151-ae9b1a3287a2
view Sigma YAML
title: Suspicious File Write to Webapps Root Directory
id: 89c42960-f244-4dad-9151-ae9b1a3287a2
status: experimental
description: |
Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers.
This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.
references:
- https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-20
tags:
- attack.persistence
- attack.t1505.003
- attack.initial-access
- attack.t1190
logsource:
product: windows
category: file_event
detection:
# Add more suspicious processes or paths or extensions as needed
selection_susp_img:
Image|endswith:
- '\dotnet.exe'
- '\w3wp.exe'
- '\java.exe'
selection_servers:
TargetFilename|contains:
- '\apache'
- '\tomcat'
selection_path:
TargetFilename|contains: '\webapps\ROOT\'
selection_susp_extensions:
TargetFilename|endswith: '.jsp'
condition: all of selection_*
falsepositives:
- Unknown
level: medium