From 37fdd37ff2318de1c56061707415b5944c04c9b8 Mon Sep 17 00:00:00 2001 From: "@" <@> Date: Fri, 18 Sep 2020 16:33:59 -0500 Subject: [PATCH] Added T1505.003 webshell --- Persistence.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/Persistence.md b/Persistence.md index d63c4fc..d0ffa1d 100644 --- a/Persistence.md +++ b/Persistence.md @@ -240,10 +240,15 @@ Detection of Powershell TransportAgent Cmdlets being used to setup an Exchange T SrcProcCmdLine In Contains Anycase ("Install-TransportAgent","Enable-TransportAgent","Get-TransportAgent") OR SrcProcCmdScript In Contains Anycase ("Install-TransportAgent","Enable-TransportAgent","Get-TransportAgent") ``` - ### T1505.003 Web Shell Atomics: [T1505.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md) +I wanted to get complicated and find any process pulling content from the internet before copying to inetpub but couldn't get that working, so we went generic with our detection and filtered out possibly trusted sources of noise. + +``` +EventType = "File Creation" AND FileFullName ContainsCIS "inetpub\wwwroot" AND TgtFileExtension In Contains Anycase ("jsp","aspx","php") AND SrcProcName Not In ("explorer.exe","msdeploy.exe") +``` + ### T1546.003 Windows Management Instrumentation Event Subscription Atomics: [T1546.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md)
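Review bot: the `SrcProcName Not In ("explorer.exe","msdeploy.exe")` exclusion in the new T1505.003 query filters on the bare process name only, which means any writer that happens to carry one of those names is dropped from the results; if the product supports it, scope the exclusion by full path or signer (e.g. the Windows-directory `explorer.exe`) rather than by name, so the filter stays tied to the trusted binaries it is meant to cover. The extension list `("jsp","aspx","php")` is also narrow for an IIS `inetpub\wwwroot` tree, where classic `asp`, `ashx`, `asmx` and `cshtml` handlers are served as well; consider widening it or documenting why only these three are in scope. Finally, the paragraph above the query says the rule "filtered out possibly trusted sources of noise" but does not record why those two processes were chosen, which future tuners will need; a one-line note on what each exclusion covers (interactive copy via Explorer, Web Deploy publishes) would make the rule maintainable. The `ContainsCIS "inetpub\wwwroot"` literal contains an unescaped backslash; worth confirming the query language treats it literally, since a silently escaped `\w` would make the path match never fire.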