Sneed-Reactivity/yara-Neo23x0/gen_webshell_csharp.yar

25 lines
1,005 B
Text
Raw Permalink Normal View History

rule WEBSHELL_Csharp_Hash_String_Oct22 {
meta:
description = "C# webshell using specific hash check for the password."
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Nils Kuhnert (modified by Florian Roth)"
hash = "29c187ad46d3059dc25d5f0958e0e8789fb2a51b9daaf90ea27f001b1a9a603c"
date = "2022-10-27"
score = 60
id = "c7d459be-5e61-57b7-b738-051c0cec62d2"
strings:
$gen1 = "void Page_Load" ascii
$gen2 = "FromBase64String" ascii
$gen3 = "CryptoServiceProvider" ascii
$gen4 = "ComputeHash" ascii
$hashing1 = "BitConverter.ToString(" ascii /* Webshell uses ToString from a string: BitConverter.ToString(ptqVQ) */
$hashing2 = ").Replace(\"-\", \"\") == \"" ascii
$filter1 = "BitConverter.ToString((" ascii /* Usually it's something like: return ((BitConverter.ToString((new SHA1CryptoServiceProvider() */
condition:
filesize < 10KB
and all of ($gen*) and all of ($hashing*)
and not 1 of ($filter*)
}