Updated Grizzly Steppe

- include more PHP Web kit Versions
2024-11-06 18:15:20 +00:00 · 2017-01-02 08:10:21 +01:00 · 2017-01-02 08:10:21 +01:00 · eec5a37407
commit eec5a37407
parent 4112bc4ebf
1 changed files with 37 additions and 0 deletions
--- a/yara/apt_apt29_grizzly_steppe.yar
+++ b/yara/apt_apt29_grizzly_steppe.yar
@ -66,3 +66,40 @@ rule PAS_TOOL_PHP_WEB_KIT_mod {
      #isset == 3 and
      all of them
 }
+
+rule WebShell_PHP_Web_Kit_v3 {
+   meta:
+      description = "Detects PAS Tool PHP Web Kit"
+      reference = "https://github.com/wordfence/grizzly"
+      author = "Florian Roth"
+      date = "2016/01/01"
+   strings:
+      $php = "<?php $"
+      $php2 = "@assert(base64_decode($_REQUEST["
+
+      $s1 = "(str_replace(\"\\n\", '', '"
+      $s2 = "(strrev($" ascii
+      $s3 = "de'.'code';" ascii
+   condition:
+      ( $php at 0 or $php2 ) and
+      filesize > 8KB and filesize < 100KB and
+      all of ($s*)
+}
+
+rule WebShell_PHP_Web_Kit_v4 {
+   meta:
+      description = "Detects PAS Tool PHP Web Kit"
+      reference = "https://github.com/wordfence/grizzly"
+      author = "Florian Roth"
+      date = "2016/01/01"
+   strings:
+      $php = "<?php $"
+
+      $s1 = "(StR_ReplAcE(\"\\n\",'',"
+      $s2 = ";if(PHP_VERSION<'5'){" ascii
+      $s3 = "=SuBstr_rePlACe(" ascii
+   condition:
+      $php at 0 and
+      filesize > 8KB and filesize < 100KB and
+      2 of ($s*)
+}