corelight_http
| where method in~ ('POST', 'PUT')
| where toint(status_code) between (200 .. 299)
| where request_body_len != 0 or response_body_len != 0
| extend fe = extract(@'.*(\.\w+)$', 1, uri)
| where fe in~ ('.jpg', '.jpeg', '.gif', '.png', '.icon', '.ico', '.xml', '.swf', '.svg', '.ppt', '.pttx', '.doc', '.docx', '.rtf', '.pdf', '.tif', '.zip', '.mov')
requiredDataConnectors:
- connectorId: Corelight
dataTypes:
- Corelight_v2_http
- corelight_http
triggerThreshold: 0
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightPossibleWebshell.yaml
name: Corelight - Possible Webshell
id: f3245aa1-1ca1-471c-a0b7-97ea6b791d5d
queryFrequency: 1h
query: |
corelight_http
| where method in~ ('POST', 'PUT')
| where toint(status_code) between (200 .. 299)
| where request_body_len != 0 or response_body_len != 0
| extend fe = extract(@'.*(\.\w+)$', 1, uri)
| where fe in~ ('.jpg', '.jpeg', '.gif', '.png', '.icon', '.ico', '.xml', '.swf', '.svg', '.ppt', '.pttx', '.doc', '.docx', '.rtf', '.pdf', '.tif', '.zip', '.mov')
severity: Medium
version: 2.1.0
tactics:
- Persistence
kind: Scheduled
entityMappings:
- fieldMappings:
- identifier: Address
columnName: id_orig_h
entityType: IP
triggerOperator: gt
description: |
'Detects post requests to unusual extensions.'
relevantTechniques:
- T1505
status: Available
