Webshell Detection Suspicious Children

Rule Info

Name
Webshell Detection Suspicious Children
Description
Detects certain children of web server processes based on image name and command line contents
Reference
https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
Modified
None
Date
2022-03-22 00:00:00
Author
Florian Roth, Jonhnathan Ribeiro, Anton Kutepov, oscd.community
Tags
attack.persistence attack.t1018 attack.t1087 attack.t1505.003 attack.t1033
Id
9a8e8057-32a7-432d-bf80-197dacf1a77f
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022