30 lines
1.2 KiB
Text
30 lines
1.2 KiB
Text
|
rule webshell_java_realcmd : Commodity Webshells
|
||
|
{
|
||
|
meta:
|
||
|
author = "threatintel@volexity.com"
|
||
|
description = "Detects the RealCMD webshell, one of the payloads for BEHINDER."
|
||
|
date = "2022-06-01"
|
||
|
hash1 = "a9a30455d6f3a0a8cd0274ae954aa41674b6fd52877fafc84a9cb833fd8858f6"
|
||
|
reference = "https://github.com/Freakboy/Behinder/blob/master/src/main/java/vip/youwe/sheller/payload/java/RealCMD.java"
|
||
|
reference2 = "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/"
|
||
|
memory_suitable = 1
|
||
|
license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
|
||
|
|
||
|
strings:
|
||
|
$fn1 = "runCmd" wide ascii fullword
|
||
|
$fn2 = "RealCMD" ascii wide fullword
|
||
|
$fn3 = "buildJson" ascii wide fullword
|
||
|
$fn4 = "Encrypt" ascii wide fullword
|
||
|
|
||
|
$s1 = "AES/ECB/PKCS5Padding" ascii wide
|
||
|
$s2 = "python -c 'import pty; pty.spawn" ascii wide
|
||
|
$s3 = "status" ascii wide
|
||
|
$s4 = "success" ascii wide
|
||
|
$s5 = "sun.jnu.encoding" ascii wide
|
||
|
$s6 = "java.util.Base64" ascii wide
|
||
|
|
||
|
condition:
|
||
|
all of ($fn*) or
|
||
|
all of ($s*)
|
||
|
}
|