title: Antivirus Web Shell Detection
author: Florian Roth, Arnim Rupp
date: 2018/09/09
description: Detects a highly relevant antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your antivirus solution by downloading a big webshell repo from e.g. GitHub and checking the matches.
detection:
    SELECTION_1:
        Signature: PHP/*
    SELECTION_2:
        Signature: JSP/*
    SELECTION_3:
        Signature: ASP/*
    SELECTION_4:
        Signature: Perl/*
    SELECTION_5:
        Signature: PHP.*
    SELECTION_6:
        Signature: JSP.*
    SELECTION_7:
        Signature: ASP.*
    SELECTION_8:
        Signature: Perl.*
    SELECTION_9:
        Signature: VBS/Uxor*
    SELECTION_10:
        Signature: IIS/BackDoor*
    SELECTION_11:
        Signature: JAVA/Backdoor*
    SELECTION_12:
        Signature: Troj/ASP*
    SELECTION_13:
        Signature: Troj/PHP*
    SELECTION_14:
        Signature: Troj/JSP*
    SELECTION_15:
        Signature: '*Webshell*'
    SELECTION_16:
        Signature: '*Chopper*'
    SELECTION_17:
        Signature: '*SinoChoper*'
    SELECTION_18:
        Signature: '*ASPXSpy*'
    SELECTION_19:
        Signature: '*Aspdoor*'
    SELECTION_20:
        Signature: '*filebrowser*'
    SELECTION_21:
        Signature: '*PHP_*'
    SELECTION_22:
        Signature: '*JSP_*'
    SELECTION_23:
        Signature: '*ASP_*'
    SELECTION_24:
        Signature: '*PHP:*'
    SELECTION_25:
        Signature: '*JSP:*'
    SELECTION_26:
        Signature: '*ASP:*'
    SELECTION_27:
        Signature: '*Perl:*'
    SELECTION_28:
        Signature: '*PHPShell*'
    SELECTION_29:
        Signature: '*Trojan.PHP*'
    SELECTION_30:
        Signature: '*Trojan.ASP*'
    SELECTION_31:
        Signature: '*Trojan.JSP*'
    SELECTION_32:
        Signature: '*Trojan.VBS*'
    SELECTION_33:
        Signature: '*PHP?Agent*'
    SELECTION_34:
        Signature: '*ASP?Agent*'
    SELECTION_35:
        Signature: '*JSP?Agent*'
    SELECTION_36:
        Signature: '*VBS?Agent*'
    SELECTION_37:
        Signature: '*Backdoor?PHP*'
    SELECTION_38:
        Signature: '*Backdoor?JSP*'
    SELECTION_39:
        Signature: '*Backdoor?ASP*'
    SELECTION_40:
        Signature: '*Backdoor?VBS*'
    SELECTION_41:
        Signature: '*Backdoor?Java*'
    condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14) or (SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20 or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25 or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30 or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35 or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40 or SELECTION_41))
falsepositives:
    - Unlikely
fields:
    - FileName
    - User
id: fdf135a2-9241-4f96-a114-bb404948f736
level: critical
logsource:
    product: antivirus
modified: 2021/05/08
references:
    - https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
    - https://github.com/tennc/webshell
    - https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
    - https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
    - https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
    - https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection
    - https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection
    - https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
    - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
tags:
    - attack.persistence
    - attack.t1100
    - attack.t1505.003
yml_filename: av_webshell.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
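Added example, not part of the rule above nor of the Sigma or Hayabusa projects: a small Python evaluator that applies the rule's 41 Signature patterns with Sigma wildcard semantics (case-insensitive, `*` any run, `?` one character, everything else literal) to constructed antivirus events, and implements the tuning step from the description by reporting which signature names a rule would miss. The event field layout, sample signature names and helper names are assumptions.

```python
import re

# The 41 Signature values of the rule, in the two groups the condition uses.
PREFIX_PATTERNS = [
    "PHP/*", "JSP/*", "ASP/*", "Perl/*", "PHP.*", "JSP.*", "ASP.*", "Perl.*", "VBS/Uxor*",
    "IIS/BackDoor*", "JAVA/Backdoor*", "Troj/ASP*", "Troj/PHP*", "Troj/JSP*",
]
CONTAINS_PATTERNS = [
    "*Webshell*", "*Chopper*", "*SinoChoper*", "*ASPXSpy*", "*Aspdoor*", "*filebrowser*",
    "*PHP_*", "*JSP_*", "*ASP_*", "*PHP:*", "*JSP:*", "*ASP:*", "*Perl:*", "*PHPShell*",
    "*Trojan.PHP*", "*Trojan.ASP*", "*Trojan.JSP*", "*Trojan.VBS*",
    "*PHP?Agent*", "*ASP?Agent*", "*JSP?Agent*", "*VBS?Agent*",
    "*Backdoor?PHP*", "*Backdoor?JSP*", "*Backdoor?ASP*", "*Backdoor?VBS*", "*Backdoor?Java*",
]
ALL_PATTERNS = PREFIX_PATTERNS + CONTAINS_PATTERNS

def sigma_to_regex(pattern: str):
    """Sigma wildcard semantics: '*' any run, '?' one char, everything else literal
    (so the '.' in 'PHP.*' is a real dot), matched case-insensitively over the whole string."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)

COMPILED = [(p, sigma_to_regex(p)) for p in ALL_PATTERNS]

def matching_patterns(signature: str) -> list:
    """Every rule pattern the AV signature name satisfies; an empty list means no alert."""
    return [p for p, rx in COMPILED if rx.match(signature)]

def rule_fires(event: dict) -> bool:
    """The rule's condition: an OR over all selections, evaluated on the Signature field."""
    return bool(matching_patterns(event.get("Signature", "")))

def missed_signatures(signatures: list) -> list:
    """Tuning aid from the description: pass the signature names your AV produced when
    scanning a web shell corpus and get back the ones this rule would not catch."""
    return [s for s in signatures if not matching_patterns(s)]

# Constructed antivirus events (not real telemetry) in the rule's logsource shape.
SAMPLE_EVENTS = [
    {"Signature": "PHP/WebShell.A", "FileName": "C:\\inetpub\\wwwroot\\up.php", "User": "iis_app"},
    {"Signature": "Trojan.ASP.ChinaChopper", "FileName": "C:\\inetpub\\wwwroot\\x.aspx", "User": "iis_app"},
    {"Signature": "Backdoor:Java/Agent", "FileName": "C:\\tomcat\\webapps\\s.jsp", "User": "tomcat"},
    {"Signature": "Win32.Generic.Adware", "FileName": "C:\\Users\\a\\dl.exe", "User": "a"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Signature"], "->", matching_patterns(ev["Signature"]) or "no match")
    print("uncovered by the rule:", missed_signatures(["Mal/PhpShell-B", "HTML/Generic.B"]))
```

Note that the converted `PHP.*` is a literal dot followed by anything, not a regex, so `PHP/WebShell.A` is caught by `PHP/*` but not by `PHP.*`.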