SigmaHQ/rules/windows/malware/av_webshell.yml
2021-08-22 13:57:56 +02:00

75 lines
2.8 KiB
YAML

title: Antivirus Web Shell Detection
id: fdf135a2-9241-4f96-a114-bb404948f736
description: Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches.
date: 2018/09/09
modified: 2021/05/08
author: Florian Roth, Arnim Rupp
references:
- https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
- https://github.com/tennc/webshell
- https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
- https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
- https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
- https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection
- https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection
- https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
- https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
tags:
- attack.persistence
- attack.t1100 # an old one
- attack.t1505.003
logsource:
product: antivirus
detection:
selection:
- Signature|startswith:
- "PHP/"
- "JSP/"
- "ASP/"
- "Perl/"
- "PHP."
- "JSP."
- "ASP."
- "Perl."
- "VBS/Uxor" # looking for "VBS/" would also find downloaders and droppers meant for desktops
- "IIS/BackDoor"
- "JAVA/Backdoor"
- "Troj/ASP"
- "Troj/PHP"
- "Troj/JSP"
- Signature|contains:
- "Webshell"
- "Chopper"
- "SinoChoper"
- "ASPXSpy"
- "Aspdoor"
- "filebrowser"
- "PHP_"
- "JSP_"
- "ASP_" # looking for "VBS_" would also find downloaders and droppers meant for desktops
- "PHP:"
- "JSP:"
- "ASP:"
- "Perl:"
- "PHPShell"
- "Trojan.PHP"
- "Trojan.ASP"
- "Trojan.JSP"
- "Trojan.VBS"
- "PHP?Agent"
- "ASP?Agent"
- "JSP?Agent"
- "VBS?Agent"
- "Backdoor?PHP"
- "Backdoor?JSP"
- "Backdoor?ASP"
- "Backdoor?VBS"
- "Backdoor?Java"
condition: selection
fields:
- FileName
- User
falsepositives:
- Unlikely
level: critical