Skip to content

Commit 70f1a69

Browse files
patel-bhavinpatel-bhavin
authored
Merge branch 'develop' into nterl0k-t1595-generic-scanner
2 parents f1fca81 + f285ed2 commit 70f1a69

File tree

1 file changed

+14
-12
lines changed

1 file changed

+14
-12
lines changed

detections/endpoint/detect_exchange_web_shell.yml

Lines changed: 14 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
name: Detect Exchange Web Shell
22
id: 8c14eeee-2af1-4a4b-bda8-228da0f4862a
3-
version: '8'
4-
date: '2024-11-28'
3+
version: 9
4+
date: '2024-12-12'
55
author: Michael Haag, Shannon Davis, David Dorsey, Splunk
66
status: production
77
type: TTP
@@ -16,16 +16,18 @@ description: The following analytic identifies the creation of suspicious .aspx
1616
data_source:
1717
- Sysmon EventID 1 AND Sysmon EventID 11
1818
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
19-
where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name
20-
Processes.dest Processes.user | `drop_dm_object_name(Processes)` | join process_guid,
21-
_time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
22-
as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\HttpProxy\\owa\\auth\\*",
23-
"*\\inetpub\\wwwroot\\aspnet_client\\*", "*\\HttpProxy\\OAB\\*") Filesystem.file_name
24-
IN( "*.aspx", "*.ashx") by _time span=1h Filesystem.user Filesystem.dest Filesystem.file_create_time
25-
Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` |
26-
fields _time dest user file_create_time file_name file_path process_name process_path
27-
process] | dedup file_create_time | table dest user file_create_time, file_name,
28-
file_path, process_name | `detect_exchange_web_shell_filter`'
19+
where Processes.process_name=System by _time span=1h Processes.process_guid Processes.process_name Processes.process
20+
Processes.dest Processes.user
21+
| `drop_dm_object_name(Processes)`
22+
| join process_guid, _time
23+
[| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
24+
as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\HttpProxy\\owa\\auth\\*",
25+
"*\\inetpub\\wwwroot\\aspnet_client\\*", "*\\HttpProxy\\OAB\\*") Filesystem.file_name
26+
IN( "*.aspx", "*.ashx") by _time span=1h Filesystem.process_guid Filesystem.user Filesystem.dest Filesystem.file_create_time
27+
Filesystem.file_name Filesystem.file_path
28+
| `drop_dm_object_name(Filesystem)` ]
29+
| dedup file_create_time
30+
| table _time dest user file_create_time file_name file_path process_name process process_guid | `detect_exchange_web_shell_filter`'
2931
how_to_implement: To successfully implement this search you need to be ingesting information
3032
on process that include the name of the process responsible for the changes from
3133
your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem`

0 commit comments

Comments
 (0)