corelight_http
| where method in~ ('POST', 'PUT')
| where toint(status_code) between (200 .. 299)
| where request_body_len != 0 or response_body_len != 0
| extend fe = extract(@'.*(\.\w+)$', 1, uri)
| where fe in~ ('.jpg', '.jpeg', '.gif', '.png', '.icon', '.ico', '.xml', '.swf', '.svg', '.ppt', '.pttx', '.doc', '.docx', '.rtf', '.pdf', '.tif', '.zip', '.mov')
queryPeriod: 1h
description: |
'Detects post requests to unusual extensions.'
kind: Scheduled
query: |
corelight_http
| where method in~ ('POST', 'PUT')
| where toint(status_code) between (200 .. 299)
| where request_body_len != 0 or response_body_len != 0
| extend fe = extract(@'.*(\.\w+)$', 1, uri)
| where fe in~ ('.jpg', '.jpeg', '.gif', '.png', '.icon', '.ico', '.xml', '.swf', '.svg', '.ppt', '.pttx', '.doc', '.docx', '.rtf', '.pdf', '.tif', '.zip', '.mov')
tactics:
- Persistence
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightPossibleWebshell.yaml
id: f3245aa1-1ca1-471c-a0b7-97ea6b791d5d
version: 2.1.0
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: id_orig_h
triggerThreshold: 0
status: Available
relevantTechniques:
- T1505
name: Corelight - Possible Webshell
severity: Medium
requiredDataConnectors:
- dataTypes:
- Corelight_v2_http
- corelight_http
connectorId: Corelight
queryFrequency: 1h
