Sneed-Reactivity/yara-Neo23x0/expl_proxyshell.yar


rule EXPL_Exchange_ProxyShell_Failed_Aug21_1 : SCRIPT {
   meta:
      description = "Detects ProxyShell exploitation attempts in log files"
      author = "Florian Roth (Nextron Systems)"
      score = 50
      reference = "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html"
      date = "2021-08-08"
      modified = "2021-08-09"
      id = "9b849042-8918-5322-a35a-2165d4b541d5"
   strings:
      $xr1 = / \/autodiscover\/autodiscover\.json[^\n]{1,300}\/(powershell|mapi\/nspi|EWS\/|X-Rps-CAT)[^\n]{1,400}401 0 0/ nocase ascii
      $xr3 = /Email=autodiscover\/autodiscover\.json[^\n]{1,400}401 0 0/ nocase ascii
   condition:
      1 of them
}

rule EXPL_Exchange_ProxyShell_Successful_Aug21_1 : SCRIPT {
   meta:
      description = "Detects successful ProxyShell exploitation attempts in log files"
      author = "Florian Roth (Nextron Systems)"
      score = 85
      reference = "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html"
      date = "2021-08-08"
      modified = "2021-08-09"
      id = "8c11cd1a-6d3f-5f29-af61-17179b01ca8b"
   strings:
      $xr1a = / \/autodiscover\/autodiscover\.json[^\n]{1,300}\/(powershell|X-Rps-CAT)/ nocase ascii
      $xr1b = / \/autodiscover\/autodiscover\.json[^\n]{1,300}\/(mapi\/nspi|EWS\/)[^\n]{1,400}(200|302) 0 0/ 
      $xr2 = /autodiscover\/autodiscover\.json[^\n]{1,60}&X-Rps-CAT=/ nocase ascii
      $xr3 = /Email=autodiscover\/autodiscover\.json[^\n]{1,400}200 0 0/ nocase ascii
   condition:
      1 of them
}

rule WEBSHELL_ASPX_ProxyShell_Aug21_2 {
   meta:
      description = "Detects webshells dropped by ProxyShell exploitation based on their file header (must be PST), size and content"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-servers-are-getting-hacked-via-proxyshell-exploits/"
      date = "2021-08-13"
      id = "a351a466-695e-570e-8c7f-9c6c0534839c"
   strings:
      $s1 = "Page Language=" ascii nocase
   condition:
      uint32(0) == 0x4e444221 /* PST header: !BDN */
      and filesize < 2MB
      and $s1
}

rule WEBSHELL_ASPX_ProxyShell_Aug21_3 {
   meta:
      description = "Detects webshells dropped by ProxyShell exploitation based on their file header (must be DER), size and content"
      author = "Max Altgelt"
      reference = "https://twitter.com/gossithedog/status/1429175908905127938?s=12"
      date = "2021-08-23"
      score = 75
      id = "a7bca62b-c8f1-5a38-81df-f3d4582a590b"
   strings:
      $s1 = "Page Language=" ascii nocase
   condition:
      uint16(0) == 0x8230 /* DER start */
      and filesize < 10KB
      and $s1
}

rule WEBSHELL_ASPX_ProxyShell_Sep21_1 { 
   meta:
      description = "Detects webshells dropped by ProxyShell exploitation based on their file header (must be PST) and base64 decoded request"
      author = "Tobias Michalski"
      date = "2021-09-17"
      reference = "Internal Research"
      hash = "219468c10d2b9d61a8ae70dc8b6d2824ca8fbe4e53bbd925eeca270fef0fd640"
      score = 75
      id = "d0d23e17-6b6a-51d1-afd9-59cc2404bcd8"
   strings:
      $s = ".FromBase64String(Request["
   condition:
      uint32(0) == 0x4e444221
      and any of them
}

rule APT_IIS_Config_ProxyShell_Artifacts {
   meta:
      description = "Detects virtual directory configured in IIS pointing to a ProgramData folder (as found in attacks against Exchange servers in August 2021)"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit"
      date = "2021-08-25"
      score = 90
      id = "21888fc0-82c6-555a-9320-9cbb8332a843"
   strings:
      $a1 = "<site name=" ascii /* marker used to select IIS configs */
      $a2 = "<sectionGroup name=\"system.webServer\">" ascii

      $sa1 = " physicalPath=\"C:\\ProgramData\\COM" ascii
      $sa2 = " physicalPath=\"C:\\ProgramData\\WHO" ascii
      $sa3 = " physicalPath=\"C:\\ProgramData\\ZING" ascii
      $sa4 = " physicalPath=\"C:\\ProgramData\\ZOO" ascii
      $sa5 = " physicalPath=\"C:\\ProgramData\\XYZ" ascii
      $sa6 = " physicalPath=\"C:\\ProgramData\\AUX" ascii
      $sa7 = " physicalPath=\"C:\\ProgramData\\CON\\" ascii

      $sb1 = " physicalPath=\"C:\\Users\\All Users\\" ascii
   condition:
      filesize < 500KB and all of ($a*) and 1 of ($s*)
}

rule WEBSHELL_ASPX_ProxyShell_Exploitation_Aug21_1 {
   meta:
      description = "Detects unknown malicious loaders noticed in August 2021"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/VirITeXplorer/status/1430206853733097473"
      date = "2021-08-25"
      score = 90
      id = "1fa563fc-c91c-5f4e-98f1-b895e1acb4f4"
   strings:
      $x1 = ");eval/*asf" ascii
   condition:
      filesize < 600KB and 1 of them
}

rule WEBSHELL_ASPX_ProxyShell_Aug15 {
   meta:
      description = "Webshells iisstart.aspx and Logout.aspx"
      author = "Moritz Oettle"
      reference = "https://github.com/hvs-consulting/ioc_signatures/tree/main/Proxyshell"
      date = "2021-09-04"
      score = 75
      id = "b1e6c0f3-787f-59b8-8123-4045522047ca"
   strings:
      $g1 = "language=\"JScript\"" ascii
      $g2 = "function getErrorWord" ascii
      $g3 = "errorWord" ascii
      $g4 = "Response.Redirect" ascii
      $g5 = "function Page_Load" ascii
      $g6 = "runat=\"server\"" ascii
      $g7 = "Request[" ascii
      $g8 = "eval/*" ascii

      $s1 = "AppcacheVer" ascii /* HTTP Request Parameter */
      $s2 = "clientCode" ascii /* HTTP Request Parameter */
      $s3 = "LaTkWfI64XeDAXZS6pU1KrsvLAcGH7AZOQXjrFkT816RnFYJQR" ascii
   condition:
      filesize < 1KB and
      ( 1 of ($s*) or 4 of ($g*) )
}

rule WEBSHELL_Mailbox_Export_PST_ProxyShell_Aug26 {
   meta:
      description = "Webshells generated by an Mailbox export to PST and stored as aspx: 570221043.aspx 689193944.aspx luifdecggoqmansn.aspx"
      author = "Moritz Oettle"
      reference = "https://github.com/hvs-consulting/ioc_signatures/tree/main/Proxyshell"
      date = "2021-09-04"
      score = 85
      id = "6aea414f-d27c-5202-84f8-b8620782fc90"
   strings:
      $x1 = "!BDN" /* PST file header */

      $g1 = "Page language=" ascii
      $g2 = "<%@ Page" ascii
      $g3 = "Request.Item[" ascii
      $g4 = "\"unsafe\");" ascii
      $g5 = "<%eval(" ascii
      $g6 = "script language=" ascii
      $g7 = "Request[" ascii

      $s1 = "gold8899" ascii /* HTTP Request Parameter */
      $s2 = "exec_code" ascii /* HTTP Request Parameter */
      $s3 = "orangenb" ascii /* HTTP Request Parameter */
   condition:
      filesize < 500KB and
      $x1 at 0 and
      ( 1 of ($s*) or 3 of ($g*) )
}


/* 
   Hunting Rules 
*/

rule SUSP_IIS_Config_ProxyShell_Artifacts {
   meta:
      description = "Detects suspicious virtual directory configured in IIS pointing to a ProgramData folder (as found in attacks against Exchange servers in August 2021)"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit"
      date = "2021-08-25"
      score = 70
      id = "bde65d9e-b17d-5746-8d29-8419363d0511"
   strings:
      $a1 = "<site name=" ascii /* marker used to select IIS configs */
      $a2 = "<sectionGroup name=\"system.webServer\">" ascii

      $s1 = " physicalPath=\"C:\\ProgramData\\" ascii
   condition:
      filesize < 500KB and all of ($a*) and 1 of ($s*)
}

rule SUSP_IIS_Config_VirtualDir {
   meta:
      description = "Detects suspicious virtual directory configured in IIS pointing to a User folder"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit"
      date = "2021-08-25"
      modified = "2022-09-17"
      score = 60
      id = "cfe5ca5e-a0cc-5f60-84d2-1b0538e999c7"
   strings:
      $a1 = "<site name=" ascii /* marker used to select IIS configs */
      $a2 = "<sectionGroup name=\"system.webServer\">" ascii

      $s2 = " physicalPath=\"C:\\Users\\" ascii

      $fp1 = "Microsoft.Web.Administration" wide
      $fp2 = "<virtualDirectory path=\"/\" physicalPath=\"C:\\Users\\admin\\"
   condition:
      filesize < 500KB and all of ($a*) and 1 of ($s*)
      and not 1 of ($fp*)
}

rule SUSP_ASPX_PossibleDropperArtifact_Aug21 {
   meta:
      description = "Detects an ASPX file with a non-ASCII header, often a result of MS Exchange drop techniques"
      reference = "Internal Research"
      author = "Max Altgelt"
      date = "2021-08-23"
      score = 60
      id = "52016598-74a1-53d6-812a-40b078ba0bb9"
   strings:
      $s1 = "Page Language=" ascii nocase

      $fp1 = "Page Language=\"java\"" ascii nocase
   condition:
      filesize < 500KB
      and not uint16(0) == 0x4B50 and not uint16(0) == 0x6152 and not uint16(0) == 0x8b1f // Exclude ZIP / RAR / GZIP files (can cause FPs when uncompressed)
      and not uint16(0) == 0x5A4D // PE
      and not uint16(0) == 0xCFD0 // OLE
      and not uint16(0) == 0xC3D4 // PCAP
      and not uint16(0) == 0x534D // CAB
      and all of ($s*) and not 1 of ($fp*) and
      (
         ((uint8(0) < 0x20 or uint8(0) > 0x7E /*non-ASCII*/ ) and uint8(0) != 0x9 /* tab */ and uint8(0) != 0x0D /* carriage return */ and uint8(0) != 0x0A /* new line */ and uint8(0) != 0xEF /* BOM UTF-8 */)
         or ((uint8(1) < 0x20 or uint8(1) > 0x7E /*non-ASCII*/ ) and uint8(1) != 0x9 /* tab */ and uint8(1) != 0x0D /* carriage return */ and uint8(1) != 0x0A /* new line */ and uint8(1) != 0xBB /* BOM UTF-8 */)
         or ((uint8(2) < 0x20 or uint8(2) > 0x7E /*non-ASCII*/ ) and uint8(2) != 0x9 /* tab */ and uint8(2) != 0x0D /* carriage return */ and uint8(2) != 0x0A /* new line */ and uint8(2) != 0xBF /* BOM UTF-8 */)
         or ((uint8(3) < 0x20 or uint8(3) > 0x7E /*non-ASCII*/ ) and uint8(3) != 0x9 /* tab */ and uint8(3) != 0x0D /* carriage return */ and uint8(3) != 0x0A /* new line */)
         or ((uint8(4) < 0x20 or uint8(4) > 0x7E /*non-ASCII*/ ) and uint8(4) != 0x9 /* tab */ and uint8(4) != 0x0D /* carriage return */ and uint8(4) != 0x0A /* new line */)
         or ((uint8(5) < 0x20 or uint8(5) > 0x7E /*non-ASCII*/ ) and uint8(5) != 0x9 /* tab */ and uint8(5) != 0x0D /* carriage return */ and uint8(5) != 0x0A /* new line */)
         or ((uint8(6) < 0x20 or uint8(6) > 0x7E /*non-ASCII*/ ) and uint8(6) != 0x9 /* tab */ and uint8(6) != 0x0D /* carriage return */ and uint8(6) != 0x0A /* new line */)
         or ((uint8(7) < 0x20 or uint8(7) > 0x7E /*non-ASCII*/ ) and uint8(7) != 0x9 /* tab */ and uint8(7) != 0x0D /* carriage return */ and uint8(7) != 0x0A /* new line */)
      )
}

rule WEBSHELL_ProxyShell_Exploitation_Nov21_1 {
   meta:
      description = "Detects webshells dropped by DropHell malware"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.deepinstinct.com/blog/do-not-exchange-it-has-a-shell-inside"
      date = "2021-11-01"
      score = 85
      id = "300eaadf-db0c-5591-84fc-abdf7cdd90c1"
   strings:
      $s01 = ".LoadXml(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(Request[" ascii wide
      $s02 = "new System.IO.MemoryStream()" ascii wide
      $s03 = "Transform(" ascii wide
   condition:
      all of ($s*)
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00
			`rule EXPL_Exchange_ProxyShell_Failed_Aug21_1 : SCRIPT {`
			`meta:`
			`description = "Detects ProxyShell exploitation attempts in log files"`
			`author = "Florian Roth (Nextron Systems)"`
			`score = 50`
			`reference = "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html"`
			`date = "2021-08-08"`
			`modified = "2021-08-09"`
			`id = "9b849042-8918-5322-a35a-2165d4b541d5"`
			`strings:`
			`$xr1 = / \/autodiscover\/autodiscover\.json[^\n]{1,300}\/(powershell\|mapi\/nspi\|EWS\/\|X-Rps-CAT)[^\n]{1,400}401 0 0/ nocase ascii`
			`$xr3 = /Email=autodiscover\/autodiscover\.json[^\n]{1,400}401 0 0/ nocase ascii`
			`condition:`
			`1 of them`
			`}`

			`rule EXPL_Exchange_ProxyShell_Successful_Aug21_1 : SCRIPT {`
			`meta:`
			`description = "Detects successful ProxyShell exploitation attempts in log files"`
			`author = "Florian Roth (Nextron Systems)"`
			`score = 85`
			`reference = "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html"`
			`date = "2021-08-08"`
			`modified = "2021-08-09"`
			`id = "8c11cd1a-6d3f-5f29-af61-17179b01ca8b"`
			`strings:`
			`$xr1a = / \/autodiscover\/autodiscover\.json[^\n]{1,300}\/(powershell\|X-Rps-CAT)/ nocase ascii`
			`$xr1b = / \/autodiscover\/autodiscover\.json[^\n]{1,300}\/(mapi\/nspi\|EWS\/)[^\n]{1,400}(200\|302) 0 0/`
			`$xr2 = /autodiscover\/autodiscover\.json[^\n]{1,60}&X-Rps-CAT=/ nocase ascii`
			`$xr3 = /Email=autodiscover\/autodiscover\.json[^\n]{1,400}200 0 0/ nocase ascii`
			`condition:`
			`1 of them`
			`}`

			`rule WEBSHELL_ASPX_ProxyShell_Aug21_2 {`
			`meta:`
			`description = "Detects webshells dropped by ProxyShell exploitation based on their file header (must be PST), size and content"`
			`author = "Florian Roth (Nextron Systems)"`
			`reference = "https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-servers-are-getting-hacked-via-proxyshell-exploits/"`
			`date = "2021-08-13"`
			`id = "a351a466-695e-570e-8c7f-9c6c0534839c"`
			`strings:`
			`$s1 = "Page Language=" ascii nocase`
			`condition:`
			`uint32(0) == 0x4e444221 /* PST header: !BDN */`
			`and filesize < 2MB`
			`and $s1`
			`}`

			`rule WEBSHELL_ASPX_ProxyShell_Aug21_3 {`
			`meta:`
			`description = "Detects webshells dropped by ProxyShell exploitation based on their file header (must be DER), size and content"`
			`author = "Max Altgelt"`
			`reference = "https://twitter.com/gossithedog/status/1429175908905127938?s=12"`
			`date = "2021-08-23"`
			`score = 75`
			`id = "a7bca62b-c8f1-5a38-81df-f3d4582a590b"`
			`strings:`
			`$s1 = "Page Language=" ascii nocase`
			`condition:`
			`uint16(0) == 0x8230 /* DER start */`
			`and filesize < 10KB`
			`and $s1`
			`}`

			`rule WEBSHELL_ASPX_ProxyShell_Sep21_1 {`
			`meta:`
			`description = "Detects webshells dropped by ProxyShell exploitation based on their file header (must be PST) and base64 decoded request"`
			`author = "Tobias Michalski"`
			`date = "2021-09-17"`
			`reference = "Internal Research"`
			`hash = "219468c10d2b9d61a8ae70dc8b6d2824ca8fbe4e53bbd925eeca270fef0fd640"`
			`score = 75`
			`id = "d0d23e17-6b6a-51d1-afd9-59cc2404bcd8"`
			`strings:`
			`$s = ".FromBase64String(Request["`
			`condition:`
			`uint32(0) == 0x4e444221`
			`and any of them`
			`}`

			`rule APT_IIS_Config_ProxyShell_Artifacts {`
			`meta:`
			`description = "Detects virtual directory configured in IIS pointing to a ProgramData folder (as found in attacks against Exchange servers in August 2021)"`
			`author = "Florian Roth (Nextron Systems)"`
			`reference = "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit"`
			`date = "2021-08-25"`
			`score = 90`
			`id = "21888fc0-82c6-555a-9320-9cbb8332a843"`
			`strings:`
			`$a1 = "<site name=" ascii /* marker used to select IIS configs */`
			`$a2 = "<sectionGroup name=\"system.webServer\">" ascii`

			`$sa1 = " physicalPath=\"C:\\ProgramData\\COM" ascii`
			`$sa2 = " physicalPath=\"C:\\ProgramData\\WHO" ascii`
			`$sa3 = " physicalPath=\"C:\\ProgramData\\ZING" ascii`
			`$sa4 = " physicalPath=\"C:\\ProgramData\\ZOO" ascii`
			`$sa5 = " physicalPath=\"C:\\ProgramData\\XYZ" ascii`
			`$sa6 = " physicalPath=\"C:\\ProgramData\\AUX" ascii`
			`$sa7 = " physicalPath=\"C:\\ProgramData\\CON\\" ascii`

			`$sb1 = " physicalPath=\"C:\\Users\\All Users\\" ascii`
			`condition:`
			`filesize < 500KB and all of ($a) and 1 of ($s)`
			`}`

			`rule WEBSHELL_ASPX_ProxyShell_Exploitation_Aug21_1 {`
			`meta:`
			`description = "Detects unknown malicious loaders noticed in August 2021"`
			`author = "Florian Roth (Nextron Systems)"`
			`reference = "https://twitter.com/VirITeXplorer/status/1430206853733097473"`
			`date = "2021-08-25"`
			`score = 90`
			`id = "1fa563fc-c91c-5f4e-98f1-b895e1acb4f4"`
			`strings:`
			`$x1 = ");eval/*asf" ascii`
			`condition:`
			`filesize < 600KB and 1 of them`
			`}`

			`rule WEBSHELL_ASPX_ProxyShell_Aug15 {`
			`meta:`
			`description = "Webshells iisstart.aspx and Logout.aspx"`
			`author = "Moritz Oettle"`
			`reference = "https://github.com/hvs-consulting/ioc_signatures/tree/main/Proxyshell"`
			`date = "2021-09-04"`
			`score = 75`
			`id = "b1e6c0f3-787f-59b8-8123-4045522047ca"`
			`strings:`
			`$g1 = "language=\"JScript\"" ascii`
			`$g2 = "function getErrorWord" ascii`
			`$g3 = "errorWord" ascii`
			`$g4 = "Response.Redirect" ascii`
			`$g5 = "function Page_Load" ascii`
			`$g6 = "runat=\"server\"" ascii`
			`$g7 = "Request[" ascii`
			`$g8 = "eval/*" ascii`

			`$s1 = "AppcacheVer" ascii /* HTTP Request Parameter */`
			`$s2 = "clientCode" ascii /* HTTP Request Parameter */`
			`$s3 = "LaTkWfI64XeDAXZS6pU1KrsvLAcGH7AZOQXjrFkT816RnFYJQR" ascii`
			`condition:`
			`filesize < 1KB and`
			`( 1 of ($s) or 4 of ($g) )`
			`}`

			`rule WEBSHELL_Mailbox_Export_PST_ProxyShell_Aug26 {`
			`meta:`
			`description = "Webshells generated by an Mailbox export to PST and stored as aspx: 570221043.aspx 689193944.aspx luifdecggoqmansn.aspx"`
			`author = "Moritz Oettle"`
			`reference = "https://github.com/hvs-consulting/ioc_signatures/tree/main/Proxyshell"`
			`date = "2021-09-04"`
			`score = 85`
			`id = "6aea414f-d27c-5202-84f8-b8620782fc90"`
			`strings:`
			`$x1 = "!BDN" /* PST file header */`

			`$g1 = "Page language=" ascii`
			`$g2 = "<%@ Page" ascii`
			`$g3 = "Request.Item[" ascii`
			`$g4 = "\"unsafe\");" ascii`
			`$g5 = "<%eval(" ascii`
			`$g6 = "script language=" ascii`
			`$g7 = "Request[" ascii`

			`$s1 = "gold8899" ascii /* HTTP Request Parameter */`
			`$s2 = "exec_code" ascii /* HTTP Request Parameter */`
			`$s3 = "orangenb" ascii /* HTTP Request Parameter */`
			`condition:`
			`filesize < 500KB and`
			`$x1 at 0 and`
			`( 1 of ($s) or 3 of ($g) )`
			`}`


			`/*`
			`Hunting Rules`
			`*/`

			`rule SUSP_IIS_Config_ProxyShell_Artifacts {`
			`meta:`
			`description = "Detects suspicious virtual directory configured in IIS pointing to a ProgramData folder (as found in attacks against Exchange servers in August 2021)"`
			`author = "Florian Roth (Nextron Systems)"`
			`reference = "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit"`
			`date = "2021-08-25"`
			`score = 70`
			`id = "bde65d9e-b17d-5746-8d29-8419363d0511"`
			`strings:`
			`$a1 = "<site name=" ascii /* marker used to select IIS configs */`
			`$a2 = "<sectionGroup name=\"system.webServer\">" ascii`

			`$s1 = " physicalPath=\"C:\\ProgramData\\" ascii`
			`condition:`
			`filesize < 500KB and all of ($a) and 1 of ($s)`
			`}`

			`rule SUSP_IIS_Config_VirtualDir {`
			`meta:`
			`description = "Detects suspicious virtual directory configured in IIS pointing to a User folder"`
			`author = "Florian Roth (Nextron Systems)"`
			`reference = "https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit"`
			`date = "2021-08-25"`
			`modified = "2022-09-17"`
			`score = 60`
			`id = "cfe5ca5e-a0cc-5f60-84d2-1b0538e999c7"`
			`strings:`
			`$a1 = "<site name=" ascii /* marker used to select IIS configs */`
			`$a2 = "<sectionGroup name=\"system.webServer\">" ascii`

			`$s2 = " physicalPath=\"C:\\Users\\" ascii`

			`$fp1 = "Microsoft.Web.Administration" wide`
			`$fp2 = "<virtualDirectory path=\"/\" physicalPath=\"C:\\Users\\admin\\"`
			`condition:`
			`filesize < 500KB and all of ($a) and 1 of ($s)`
			`and not 1 of ($fp*)`
			`}`

			`rule SUSP_ASPX_PossibleDropperArtifact_Aug21 {`
			`meta:`
			`description = "Detects an ASPX file with a non-ASCII header, often a result of MS Exchange drop techniques"`
			`reference = "Internal Research"`
			`author = "Max Altgelt"`
			`date = "2021-08-23"`
			`score = 60`
			`id = "52016598-74a1-53d6-812a-40b078ba0bb9"`
			`strings:`
			`$s1 = "Page Language=" ascii nocase`

			`$fp1 = "Page Language=\"java\"" ascii nocase`
			`condition:`
			`filesize < 500KB`
			`and not uint16(0) == 0x4B50 and not uint16(0) == 0x6152 and not uint16(0) == 0x8b1f // Exclude ZIP / RAR / GZIP files (can cause FPs when uncompressed)`
			`and not uint16(0) == 0x5A4D // PE`
			`and not uint16(0) == 0xCFD0 // OLE`
			`and not uint16(0) == 0xC3D4 // PCAP`
			`and not uint16(0) == 0x534D // CAB`
			`and all of ($s) and not 1 of ($fp) and`
			`(`
			`((uint8(0) < 0x20 or uint8(0) > 0x7E /non-ASCII/ ) and uint8(0) != 0x9 /* tab / and uint8(0) != 0x0D / carriage return / and uint8(0) != 0x0A / new line / and uint8(0) != 0xEF / BOM UTF-8 */)`
			`or ((uint8(1) < 0x20 or uint8(1) > 0x7E /non-ASCII/ ) and uint8(1) != 0x9 /* tab / and uint8(1) != 0x0D / carriage return / and uint8(1) != 0x0A / new line / and uint8(1) != 0xBB / BOM UTF-8 */)`
			`or ((uint8(2) < 0x20 or uint8(2) > 0x7E /non-ASCII/ ) and uint8(2) != 0x9 /* tab / and uint8(2) != 0x0D / carriage return / and uint8(2) != 0x0A / new line / and uint8(2) != 0xBF / BOM UTF-8 */)`
			`or ((uint8(3) < 0x20 or uint8(3) > 0x7E /non-ASCII/ ) and uint8(3) != 0x9 /* tab / and uint8(3) != 0x0D / carriage return / and uint8(3) != 0x0A / new line */)`
			`or ((uint8(4) < 0x20 or uint8(4) > 0x7E /non-ASCII/ ) and uint8(4) != 0x9 /* tab / and uint8(4) != 0x0D / carriage return / and uint8(4) != 0x0A / new line */)`
			`or ((uint8(5) < 0x20 or uint8(5) > 0x7E /non-ASCII/ ) and uint8(5) != 0x9 /* tab / and uint8(5) != 0x0D / carriage return / and uint8(5) != 0x0A / new line */)`
			`or ((uint8(6) < 0x20 or uint8(6) > 0x7E /non-ASCII/ ) and uint8(6) != 0x9 /* tab / and uint8(6) != 0x0D / carriage return / and uint8(6) != 0x0A / new line */)`
			`or ((uint8(7) < 0x20 or uint8(7) > 0x7E /non-ASCII/ ) and uint8(7) != 0x9 /* tab / and uint8(7) != 0x0D / carriage return / and uint8(7) != 0x0A / new line */)`
			`)`
			`}`

			`rule WEBSHELL_ProxyShell_Exploitation_Nov21_1 {`
			`meta:`
			`description = "Detects webshells dropped by DropHell malware"`
			`author = "Florian Roth (Nextron Systems)"`
			`reference = "https://www.deepinstinct.com/blog/do-not-exchange-it-has-a-shell-inside"`
			`date = "2021-11-01"`
			`score = 85`
			`id = "300eaadf-db0c-5591-84fc-abdf7cdd90c1"`
			`strings:`
			`$s01 = ".LoadXml(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(Request[" ascii wide`
			`$s02 = "new System.IO.MemoryStream()" ascii wide`
			`$s03 = "Transform(" ascii wide`
			`condition:`
			`all of ($s*)`
			`}`