Sneed-Reactivity/yara-mikesxrs/Volexity/general_php_call_user_func.yar

rule general_php_call_user_func : General Webshells
{
    meta:
        author = "threatintel@volexity.com"
        description = "Webshells using call_user_func against an object from a file input or POST variable."
        date = "2021-06-16"
        hash1 = "40b053a2f3c8f47d252b960a9807b030b463ef793228b1670eda89f07b55b252"
        reference = "https://zhuanlan.zhihu.com/p/354906657"
        reference2 = "https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/"
        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
        memory_suitable = 0

    strings:
        $s1 = "@call_user_func(new C()" wide ascii

    condition:
        $s1
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 17:43:35 +00:00			`rule general_php_call_user_func : General Webshells`
			`{`
			`meta:`
			`author = "threatintel@volexity.com"`
			`description = "Webshells using call_user_func against an object from a file input or POST variable."`
			`date = "2021-06-16"`
			`hash1 = "40b053a2f3c8f47d252b960a9807b030b463ef793228b1670eda89f07b55b252"`
			`reference = "https://zhuanlan.zhihu.com/p/354906657"`
			`reference2 = "https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/"`
			`license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"`
			`memory_suitable = 0`

			`strings:`
			`$s1 = "@call_user_func(new C()" wide ascii`

			`condition:`
			`$s1`
			`}`