/*
WARNING: Host-based security systems may DETECT this file as malicious!
Because the text used in these signatures is also used in some malware definitions, this file may itself be detected as malicious. If this happens, it is recommended that the limited.yara.bin file be used instead: because limited.yara.bin is a compiled YARA ruleset, it is unlikely to trigger host-based security systems.
*/
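private rule b374k
{
    // Indicators for the b374k PHP web shell: the shell's name, the
    // variable the rule author identifies as its password, and a constant
    // the author identifies as the shipped default password value.
    // Fix: the author string previously ended in a typographic quote (”),
    // which leaves the literal unterminated and breaks compilation.
    meta:
        author = "Blair Gillam (@blairgillam)"
    strings:
        $string = "b374k"
        $password_var = "$s_pass"
        $default_password = "0de664ecd2be02cdd54234a0d1229b43"
    condition:
        // A single indicator is enough here; the public rules that include
        // this one decide how the match is categorised.
        any of them
}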
private rule pas_tool
{
    // US CERT signature for the "pas_tool" PHP web shell: a PHP file that
    // assembles the string base<N>_decode from arithmetic and string
    // fragments, and that references str_replace, md5/strrev, gzinflate,
    // _COOKIE and isset.
    meta:
        author = "US CERT"
    strings:
        $php = "<?php"
        $base64decode = /\='base'\.\(\d+\*\d+\)\.'_de'\.'code'/
        $strreplace = "(str_replace("
        $md5 = ".substr(md5(strrev("
        $gzinflate = "gzinflate"
        $cookie = "_COOKIE"
        $isset = "isset"
    condition:
        // The size window and the exact occurrence counts pin one specific
        // build of the tool; a lightly edited copy may fall outside them,
        // which is why this rule is narrow and low-false-positive.
        filesize > 20KB and filesize < 22KB
        and #cookie == 2
        and #isset == 3
        and $php and $base64decode and $strreplace and $md5
        and $gzinflate and $cookie and $isset
}
private rule pbot
{
    // pBot: the class declaration, its start() function, and the PING/PONG
    // tokens it handles (presumably IRC keepalives — confirm against a sample).
    meta:
        author = "Jacob Baines (Tenable)"
    strings:
        $class_decl = "class pBot" ascii
        $start_fn   = "function start(" ascii
        $ping       = "PING" ascii
        $pong       = "PONG" ascii
    condition:
        // Every token must be present; any one alone is too common.
        $class_decl and $start_fn and $ping and $pong
}
private rule generic_jsp
{
    // JSP one-liner that hands a request parameter straight to Runtime.exec.
    meta:
        source = "https://www.tenable.com/blog/hunting-for-web-shells"
    strings:
        // Note: the unescaped dots in Runtime.getRuntime / request.getParameter
        // match any character, so the pattern is marginally wider than the
        // literal text; kept exactly as published.
        $exec_param = /Runtime.getRuntime\(\).exec\(request.getParameter\(\"[a-zA-Z0-9]+\"\)\);/ ascii
    condition:
        $exec_param
}
private rule eval
{
    // eval( fed directly by one or more decode / inflate / reverse calls,
    // the usual shape of an encoded PHP payload.
    meta:
        source = "https://www.tenable.com/blog/hunting-for-web-shells"
    strings:
        // "[\( \t]+" allows either an opening paren or whitespace between
        // each call name and its argument.
        $eval_chain = /eval[\( \t]+((base64_decode[\( \t]+)|(str_rot13[\( \t]+)|(gzinflate[\( \t]+)|(gzuncompress[\( \t]+)|(strrev[\( \t]+)|(gzdecode[\( \t]+))+/
    condition:
        $eval_chain
}
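private rule fopo
{
    // A variable assigned the string "base64_decode" spelled entirely as
    // octal (\142 ...) or hex (\x62 ...) escapes, immediately followed by
    // @eval( — named "fopo" in the upstream Tenable rule set.
    // Fix: the source URL previously opened with a typographic quote (”),
    // which leaves the literal malformed and breaks compilation.
    meta:
        source = "https://github.com/tenable/yara-rules/blob/master/webshells/"
    strings:
        $ = /\$[a-zA-Z0-9]+=\"\\(142|x62)\\(141|x61)\\(163|x73)\\(145|x65)\\(66|x36)\\(64|x34)\\(137|x5f)\\(144|x64)\\(145|x65)\\(143|x63)\\(157|x6f)\\(144|x64)\\(145|x65)\";@eval\(/
    condition:
        all of them
}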
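private rule hardcoded_urldecode
{
    // urldecode() applied to a literal made only of percent-encoded bytes
    // ('%XX%XX...'): a hard-coded, lightly obfuscated string.
    // Fix: the source URL previously opened with a typographic quote (”),
    // which leaves the literal malformed and breaks compilation.
    meta:
        source = "https://github.com/tenable/yara-rules/blob/master/webshells/"
    strings:
        $ = /urldecode[\t ]*\([\t ]*'(%[0-9a-fA-F][0-9a-fA-F])+'[\t ]*\)/
    condition:
        all of them
}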
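private rule chr_obfuscation
{
    // A variable assigned a value built from two or more chr(N) calls,
    // optionally concatenated with "." — a string assembled byte by byte.
    // Fix: the source URL previously opened with a typographic quote (”),
    // which leaves the literal malformed and breaks compilation.
    meta:
        source = "https://github.com/tenable/yara-rules/blob/master/webshells/"
    strings:
        $ = /\$[^=]+=[\t ]*(chr\([0-9]+\)\.?){2,}/
    condition:
        all of them
}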
private rule phpInImage
{
    // A PHP open tag anywhere in a file whose first bytes are an image header.
    meta:
        source = "Vlad https://github.com/vlad-s"
    strings:
        $php_tag = "<?php"
        $gif  = { 47 49 46 38 ?? 61 }             // "GIF8", one version byte, "a"
        $jfif = { ff d8 ff e? 00 10 4a 46 49 46 } // SOI, any APPn marker, length 0x0010, "JFIF"
        $png  = { 89 50 4e 47 0d 0a 1a 0a }       // PNG signature
        $jpeg = { FF D8 FF E0 ?? ?? 4A 46 49 46 } // SOI, APP0, any length, "JFIF"
    condition:
        // $jfif and $jpeg overlap: one pins the segment length and wildcards
        // the marker, the other pins the APP0 marker and wildcards the length.
        // The image magic must sit at offset 0; the PHP tag may be anywhere.
        $php_tag and (($gif at 0) or ($jfif at 0) or ($png at 0) or ($jpeg at 0))
}
rule hiddenFunctionality
{
    // Public wrapper around phpInImage: PHP code carried inside a file that
    // presents itself as an image.
    meta:
        description = "Hidden functionality allows malware to masquerade as another filetype"
        author = "NSA Cybersecurity"
    condition:
        phpInImage
}
rule webshellArtifact
{
    // Public wrapper for the high-confidence, tool-specific signatures.
    meta:
        description = "Artifacts common to web shells and rare in benign files"
        author = "NSA Cybersecurity"
    condition:
        // "or" is commutative; order only affects evaluation order.
        generic_jsp or pbot or pas_tool or b374k
}
rule suspiciousFunctionality
{
    // Public wrapper for patterns that are suspicious but also appear in
    // some benign code; treat a hit as a lead, not a verdict.
    // NOTE(review): passwordProtection and hiddenInAFile are not defined
    // anywhere in this file. Unless they come from another rule file that is
    // always compiled together with this one, this rule (and therefore the
    // whole ruleset) will fail to compile — confirm against the repository.
    meta:
        description = "Artifacts common to web shells and somewhat rare in benign files"
        author = "NSA Cybersecurity"
    condition:
        eval or fopo or hardcoded_urldecode or passwordProtection or hiddenInAFile
}
rule obfuscatedFunctionality
{
    // Public wrapper around chr_obfuscation: strings assembled from chr()
    // calls, which legitimately occurs but is worth a look.
    meta:
        description = "Obfuscation sometimes hides malicious functionality"
        author = "NSA Cybersecurity"
    condition:
        chr_obfuscation
}