|
| 1 | +[metadata] |
| 2 | +creation_date = "2025/07/24" |
| 3 | +integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] |
| 4 | +maturity = "production" |
| 5 | +updated_date = "2025/07/24" |
| 6 | + |
| 7 | +[rule] |
| 8 | +author = ["Elastic"] |
| 9 | +description = """ |
| 10 | +Identifies the creation of ASPX files in specific directories that are commonly targeted by attackers to deploy web shells. |
| 11 | +""" |
| 12 | +from = "now-9m" |
| 13 | +index = [ |
| 14 | + "winlogbeat-*", |
| 15 | + "logs-endpoint.events.file-*", |
| 16 | + "logs-windows.sysmon_operational-*", |
| 17 | + "endgame-*", |
| 18 | + "logs-sentinel_one_cloud_funnel.*", |
| 19 | + "logs-m365_defender.event-*", |
| 20 | + "logs-crowdstrike.fdr*", |
| 21 | +] |
| 22 | +language = "eql" |
| 23 | +license = "Elastic License v2" |
| 24 | +name = "Potential Web Shell ASPX File Creation" |
| 25 | +references = [ |
| 26 | + "https://blog.viettelcybersecurity.com/toolshell-a-critical-sharepoint-vulnerability-chain-under-active-exploitation/", |
| 27 | + "https://www.sentinelone.com/blog/sharepoint-toolshell-zero-day-exploited-in-the-wild-targets-enterprise-servers/", |
| 28 | + "https://www.rapid7.com/blog/post/2024/10/30/investigating-a-sharepoint-compromise-ir-tales-from-the-field/", |
| 29 | +] |
| 30 | +risk_score = 21 |
| 31 | +rule_id = "32144184-7bfa-4541-9c3f-b65f16d24df9" |
| 32 | +severity = "low" |
| 33 | +tags = [ |
| 34 | + "Domain: Endpoint", |
| 35 | + "OS: Windows", |
| 36 | + "Use Case: Threat Detection", |
| 37 | + "Tactic: Persistence", |
| 38 | + "Data Source: Elastic Endgame", |
| 39 | + "Data Source: Elastic Defend", |
| 40 | + "Data Source: Sysmon", |
| 41 | + "Data Source: SentinelOne", |
| 42 | + "Data Source: Microsoft Defender for Endpoint", |
| 43 | + "Data Source: Crowdstrike", |
| 44 | +] |
| 45 | +timestamp_override = "event.ingested" |
| 46 | +type = "eql" |
| 47 | + |
| 48 | +query = ''' |
| 49 | +file where host.os.type == "windows" and event.type != "deletion" and |
| 50 | + file.extension : "aspx" and |
| 51 | + file.path : "?:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*" and |
| 52 | + not process.executable: "?:\\Windows\\System32\\msiexec.exe" |
| 53 | +''' |
| 54 | + |
| 55 | +[[rule.threat]] |
| 56 | +framework = "MITRE ATT&CK" |
| 57 | +[[rule.threat.technique]] |
| 58 | +id = "T1505" |
| 59 | +name = "Server Software Component" |
| 60 | +reference = "https://attack.mitre.org/techniques/T1505/" |
| 61 | +[[rule.threat.technique.subtechnique]] |
| 62 | +id = "T1505.003" |
| 63 | +name = "Web Shell" |
| 64 | +reference = "https://attack.mitre.org/techniques/T1505/003/" |
| 65 | + |
| 66 | + |
| 67 | + |
| 68 | +[rule.threat.tactic] |
| 69 | +id = "TA0003" |
| 70 | +name = "Persistence" |
| 71 | +reference = "https://attack.mitre.org/tactics/TA0003/" |
| 72 | + |
0 commit comments