CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
f71d5848fee4ffb52c83f10fbf204b3aa5e2bb1b
hayabusa/rules/Sigma/av_webshell.yml
Tanaka Zakku 50aebce32e Added Sigma Rules
2021-11-14 11:00:56 +09:00

127 lines
4.2 KiB
YAML
Raw Blame History

title: Antivirus Web Shell Detection
author: Florian Roth, Arnim Rupp
date: 2018/09/09
description: Detects a highly relevant Antivirus alert that reports a web shell. It's
highly recommended to tune this rule to the specific strings used by your anti
virus solution by downloading a big webshell repo from e.g. github and checking
the matches.
detection:
SELECTION_1:
Signature: PHP/*
SELECTION_10:
Signature: IIS/BackDoor*
SELECTION_11:
Signature: JAVA/Backdoor*
SELECTION_12:
Signature: Troj/ASP*
SELECTION_13:
Signature: Troj/PHP*
SELECTION_14:
Signature: Troj/JSP*
SELECTION_15:
Signature: '*Webshell*'
SELECTION_16:
Signature: '*Chopper*'
SELECTION_17:
Signature: '*SinoChoper*'
SELECTION_18:
Signature: '*ASPXSpy*'
SELECTION_19:
Signature: '*Aspdoor*'
SELECTION_2:
Signature: JSP/*
SELECTION_20:
Signature: '*filebrowser*'
SELECTION_21:
Signature: '*PHP_*'
SELECTION_22:
Signature: '*JSP_*'
SELECTION_23:
Signature: '*ASP_*'
SELECTION_24:
Signature: '*PHP:*'
SELECTION_25:
Signature: '*JSP:*'
SELECTION_26:
Signature: '*ASP:*'
SELECTION_27:
Signature: '*Perl:*'
SELECTION_28:
Signature: '*PHPShell*'
SELECTION_29:
Signature: '*Trojan.PHP*'
SELECTION_3:
Signature: ASP/*
SELECTION_30:
Signature: '*Trojan.ASP*'
SELECTION_31:
Signature: '*Trojan.JSP*'
SELECTION_32:
Signature: '*Trojan.VBS*'
SELECTION_33:
Signature: '*PHP?Agent*'
SELECTION_34:
Signature: '*ASP?Agent*'
SELECTION_35:
Signature: '*JSP?Agent*'
SELECTION_36:
Signature: '*VBS?Agent*'
SELECTION_37:
Signature: '*Backdoor?PHP*'
SELECTION_38:
Signature: '*Backdoor?JSP*'
SELECTION_39:
Signature: '*Backdoor?ASP*'
SELECTION_4:
Signature: Perl/*
SELECTION_40:
Signature: '*Backdoor?VBS*'
SELECTION_41:
Signature: '*Backdoor?Java*'
SELECTION_5:
Signature: PHP.*
SELECTION_6:
Signature: JSP.*
SELECTION_7:
Signature: ASP.*
SELECTION_8:
Signature: Perl.*
SELECTION_9:
Signature: VBS/Uxor*
condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14) or (SELECTION_15
or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30
or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35
or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40
or SELECTION_41))
falsepositives:
- Unlikely
fields:
- FileName
- User
id: fdf135a2-9241-4f96-a114-bb404948f736
level: critical
logsource:
product: antivirus
modified: 2021/05/08
references:
- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
- https://github.com/tennc/webshell
- https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
- https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
- https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
- https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection
- https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection
- https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
- https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
tags:
- attack.persistence
- attack.t1100
- attack.t1505.003
yml_filename: av_webshell.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware
Reference in New Issue View Git Blame Copy Permalink