Potential Webshell Process Execution

/*
 * Copyright 2025 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

rule ttp_windows_webserver_process_potential_webshell_execution {
  meta:
    author = "Google Cloud Security"
    rule_name = "Potential Webshell Process Execution"
    description = "Detects on the execution arguments associated with cmd.exe invocations originating from an active ASP.NET webshell."
    severity = "Medium"
    tactic = "TA0003"
    technique = "T1505.003"
    rule_id = "mr_37c87ffe-d6ab-4fc6-a191-ad0da8f9ec98"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(^|\\)(w3wp.exe|httpd.exe|tomcat.exe|tomcat\d+\.exe)$/ nocase
    $e.target.process.command_line = /^"[A-Za-z]:\\.{16}\\cmd\.exe" \/c [^"][^:]/ nocase
    $e.target.process.command_line = /^"c:\\windows\\system32\\cmd\.exe" \/c/ nocase
    //Tuning
    not $e.target.process.command_line = /^"C:\\Windows\\system32\\cmd.exe" \/c ping / nocase
    not $e.target.process.command_line = /^"C:\\Windows\\System32\\cmd.exe" \/c ftp.exe / nocase
    not $e.target.process.command_line = /^"C:\\Windows\\system32\\cmd.exe" \/c az account get-access-token/ nocase
    not $e.target.process.command_line = /^"C:\\Windows\\System32\\cmd.exe" \/c GoalBus.exe  \/DBT:sql / nocase
    not $e.target.process.command_line = /"C:\\Windows\\System32\\cmd.exe" \/c Rscript "D:\\\\Opti\\\\R\\\\\\R/ nocase
    not $e.target.process.command_line = /^"C:\\Windows\\system32\\cmd\.exe" \/c timeout \d+ \/nobreak$/ nocase
    not $e.target.process.command_line = /^"C:\\Windows\\System32\\cmd\.exe" \/c copy.*\\Department\\HR\\HR-Wellness\\APPS$/ nocase
    not $e.target.process.command_line = /^"C:\\Windows\\System32\\cmd.exe" \/C\s+del\s.*\\System5\\Web\\NDA\\TempUploadFiles\\/ nocase
    not $e.target.process.command_line = /^"C:\\Windows\\System32\\cmd\.exe".*--footer-html "[A-Z]:\\PublishedApp\\SystemProductRelease\\.*\\ProductReleasePDF\\/ nocase
    not $e.target.process.command_line = /^"C:\\Windows\\System32\\cmd.exe"\s+\/c\s+(rmdir|rename)\s.*"D:\\Domains\\Internal\\Deploy\\(Tools|Released)\\/ nocase
    not $e.target.process.command_line = /^"C:\\windows\\system32\\cmd.exe"\s+\/C type\s+.*\\CHARGEBACK\\(BILLING|RETAIL)\\[^\\]+\\TEMP\\header.txt/ nocase
    not $e.principal.process.command_line = /w3wp.exe\s*-ap\s*"EUSI"\s.*\\apppools\\EUSI\\EUSI\.config"/ nocase

  outcome:
    $principal_hostname = $e.principal.hostname
    $risk_score = 65
    $vendor_name = array($e.metadata.vendor_name)
    $product_name = $e.metadata.product_name
    $victim_uid = $e.principal.asset.asset_id
    $victim_name = $e.principal.asset.hostname
    $victim_netid = array($e.principal.ip)
    $adversary_uid = $e.principal.user.userid
    $adversary_name = $e.principal.user.user_display_name
    $adversary_netid = $e.principal.user.windows_sid
    $tmp1 = max(
        if($e.security_result.action != "BLOCK" and $e.security_result.action != "UNKNOWN_ACTION", 2)
    )
    $tmp2 = max(
        if($e.security_result.action = "BLOCK", 1)
    )
    $result = arrays.index_to_str(strings.split("attempted,failed,succeeded,succeeded"), $tmp1 + $tmp2)
    $result_time = $e.metadata.event_timestamp.seconds
    $event_count = 1

  condition:
    $e
}