Closed
Labels: rule: update (Update an existing rule)
Description
Rule URL
Description
The mentioned rule only checks whether a command line is launched from a web server application. This behavior is generic webshell activity, not specifically tied to SharPyShell.
```
$e.metadata.event_type = "PROCESS_LAUNCH"
$e.principal.process.file.full_path = /(^|\\)(w3wp.exe|httpd.exe|tomcat.exe|tomcat\d+\.exe)$/ nocase
$e.target.process.command_line = /^"[A-Za-z]:\\.{16}\\cmd\.exe" \/c [^"][^:]/ nocase
$e.target.process.command_line = /^"c:\\windows\\system32\\cmd\.exe" \/c/ nocase
```
The change renames the rule from `ttp_windows_potential_sharpyshell_webshell_execution.yaral` to `ttp_windows_webserver_process_potential_webshell_execution`.
Test Data
```
metadata: {
  event_type: PROCESS_LAUNCH
  event_timestamp: {
    seconds: 1736539873
  }
  ingested_timestamp: {
    seconds: 1736539873
  }
}
principal: {
  process: {
    file: {
      full_path: "w3wp.exe"
    }
  }
}
target: {
  process: {
    pid: "1234"
    file: {
      full_path: "cmd.exe"
    }
    command_line: ""C:\Windows\System32\cmd.exe" /c powershell -EncodedCommand JABiACAAPQAgACIAUABDAFYAQQBJAEUAbAB0AGMARwA5AHkAZABDAEIATwBZAFcAMQBsAGMAMwBCAGgAW"
  }
}
```
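To illustrate the point of the issue, the conditions quoted above can be replayed in Python against a few constructed UDM-shaped events: the issue's own test data fires, but so does any quoted `cmd.exe /c` child of httpd or Tomcat, while an unquoted command line slips past. This is an added example, not code from the rule repository; it assumes YARA-L ANDs the statements of an events section and that `nocase` maps to `re.IGNORECASE`. The sample events and the `-EncodedCommand` value are constructed.

```python
import re

# Conditions copied from the YARA-L rule quoted in the issue. YARA-L ANDs the
# statements of an events section (assumption), and "nocase" is re.IGNORECASE.
PARENT_RE = re.compile(r'(^|\\)(w3wp.exe|httpd.exe|tomcat.exe|tomcat\d+\.exe)$',
                       re.IGNORECASE)
CMDLINE_RES = (
    re.compile(r'^"[A-Za-z]:\\.{16}\\cmd\.exe" /c [^"][^:]', re.IGNORECASE),
    re.compile(r'^"c:\\windows\\system32\\cmd\.exe" /c', re.IGNORECASE),
)


def rule_matches(event: dict) -> bool:
    """True when a UDM-style PROCESS_LAUNCH event satisfies every rule condition."""
    if event.get("metadata", {}).get("event_type") != "PROCESS_LAUNCH":
        return False
    parent = (event.get("principal", {}).get("process", {})
              .get("file", {}).get("full_path", ""))
    cmdline = event.get("target", {}).get("process", {}).get("command_line", "")
    return bool(PARENT_RE.search(parent)) and all(r.search(cmdline) for r in CMDLINE_RES)


def make_event(parent_path: str, command_line: str) -> dict:
    """Build a minimal UDM-shaped event carrying only the fields the rule reads."""
    return {
        "metadata": {"event_type": "PROCESS_LAUNCH"},
        "principal": {"process": {"file": {"full_path": parent_path}}},
        "target": {"process": {"file": {"full_path": "cmd.exe"},
                               "command_line": command_line}},
    }


# Constructed sample events (not real telemetry). The first mirrors the issue's
# test data; the others show that any web-server-spawned cmd.exe looks the same.
SAMPLES = {
    "issue_test_data": make_event(
        "w3wp.exe", r'"C:\Windows\System32\cmd.exe" /c powershell -EncodedCommand AAAA'),
    "httpd_whoami": make_event(
        r"C:\Apache24\bin\httpd.exe", r'"C:\Windows\System32\cmd.exe" /c whoami'),
    "tomcat9_dir": make_event(
        r"C:\Tomcat\bin\tomcat9.exe", r'"C:\Windows\System32\cmd.exe" /c dir'),
    "unquoted_cmdline": make_event(
        "w3wp.exe", r"C:\Windows\System32\cmd.exe /c whoami"),
    "non_webserver_parent": make_event(
        r"C:\Windows\explorer.exe", r'"C:\Windows\System32\cmd.exe" /c whoami'),
}


def evaluate(samples: dict = SAMPLES) -> dict:
    """Map each sample name to whether the rule would fire on it."""
    return {name: rule_matches(ev) for name, ev in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:22} -> {'MATCH' if hit else 'no match'}")
```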