Sneed-Reactivity/yara-mikesxrs/Volexity/webshell_aspx_reGeorgTunnel.yar


// Detection rule for ASPX content resembling a variant of the reGeorg
// tunnel.aspx webshell (the upstream source is linked in `reference`).
// Two independent match paths are defined (see `condition`): a file matches
// when it contains both $s* strings, or when it contains all five $t*
// strings. No `nocase` or `wide` modifiers are present, so every string is
// matched as case-sensitive ASCII.
rule webshell_aspx_reGeorgTunnel : Webshell Commodity
{
    meta:
        author = "threatintel@volexity.com"
        date = "2021-03-01"
        description = "variation on reGeorgtunnel"
        // 64-hex-character digest (SHA-256 length) of the sample the rule
        // was written against, as given by the original authors.
        hash = "406b680edc9a1bb0e2c7c451c56904857848b5f15570401450b73b232ff38928"
        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
        // Upstream reGeorg tunnel.aspx that the detected variant resembles.
        reference = "https://github.com/sensepost/reGeorg/blob/master/tunnel.aspx"
        // Volexity write-up (2021-03-02) on the Microsoft Exchange zero-day
        // exploitation activity in which this variant was reported.
        reference2 = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
    strings:
        // Path 1 ($s*): the sockets namespace plus one long, distinctive
        // expression that base64-decodes a value taken from a request header
        // after passing it through a helper named StrTr (StrTr is not defined
        // here; presumably a character-substitution routine in the shell —
        // confirm against the sample). $s2 is specific enough that this branch
        // should be treated as the higher-confidence match.
        $s1 = "System.Net.Sockets"
        $s2 = "System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get"
        // Path 2 ($t*): a looser profile of short C# fragments that are each
        // individually common; only their co-occurrence is signalled. Expect
        // this branch to be the likelier source of false positives on
        // legitimate ASPX handlers that read headers and open sockets, so
        // triage $t*-only hits rather than treating them as confirmed.
        $t1 = ".Split('|')"
        $t2 = "Request.Headers.Get"
        $t3 = ".Substring("
        $t4 = "new Socket("
        $t5 = "IPAddress ip;"
    condition:
        // Either string set on its own is sufficient for a match.
        all of ($s*) or
        all of ($t*)
}