CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
ea685fb75aec59f96f34f61a39c123fb4c8babfb
hayabusa/rules/sigma/malware/av_webshell.yml
itiB 83d891b2fa Feature/rm submodule (#312) 
* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a
2021-12-20 21:14:32 +09:00

81 lines
2.3 KiB
YAML
Raw Blame History

title: Antivirus Web Shell Detection
ruletype: Sigma
author: Florian Roth, Arnim Rupp
date: 2018/09/09
description: Detects a highly relevant Antivirus alert that reports a web shell. It's
highly recommended to tune this rule to the specific strings used by your anti virus
solution by downloading a big webshell repo from e.g. github and checking the matches.
detection:
SELECTION_1:
Signature:
- PHP/*
- JSP/*
- ASP/*
- Perl/*
- PHP.*
- JSP.*
- ASP.*
- Perl.*
- VBS/Uxor*
- IIS/BackDoor*
- JAVA/Backdoor*
- Troj/ASP*
- Troj/PHP*
- Troj/JSP*
SELECTION_2:
Signature:
- '*Webshell*'
- '*Chopper*'
- '*SinoChoper*'
- '*ASPXSpy*'
- '*Aspdoor*'
- '*filebrowser*'
- '*PHP_*'
- '*JSP_*'
- '*ASP_*'
- '*PHP:*'
- '*JSP:*'
- '*ASP:*'
- '*Perl:*'
- '*PHPShell*'
- '*Trojan.PHP*'
- '*Trojan.ASP*'
- '*Trojan.JSP*'
- '*Trojan.VBS*'
- '*PHP?Agent*'
- '*ASP?Agent*'
- '*JSP?Agent*'
- '*VBS?Agent*'
- '*Backdoor?PHP*'
- '*Backdoor?JSP*'
- '*Backdoor?ASP*'
- '*Backdoor?VBS*'
- '*Backdoor?Java*'
condition: (SELECTION_1 or SELECTION_2)
falsepositives:
- Unlikely
fields:
- FileName
- User
id: fdf135a2-9241-4f96-a114-bb404948f736
level: critical
logsource:
product: antivirus
modified: 2021/05/08
references:
- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
- https://github.com/tennc/webshell
- https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
- https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
- https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
- https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection
- https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection
- https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
- https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
status: experimental
tags:
- attack.persistence
- attack.t1100
- attack.t1505.003
Reference in New Issue View Git Blame Copy Permalink