Webshell Detection Suspicious Children

Rule Info

Name: Webshell Detection Suspicious Children
Author: Florian Roth, Jonhnathan Ribeiro, Anton Kutepov, oscd.community
Description: Detects certain children of web server processes based on image name and command line contents
Date: 2022-03-22 00:00:00
Modified: None
Id: 9a8e8057-32a7-432d-bf80-197dacf1a77f
Tags: attack.persistence attack.t1505.003 attack.t1018 attack.t1033 attack.t1087
Type: Nextron Sigma feed only (private)

Rule History