24 lines
952 B
Text
24 lines
952 B
Text
rule webshell_aspx_reGeorgTunnel : Webshell Commodity
|
|
{
|
|
meta:
|
|
author = "threatintel@volexity.com"
|
|
date = "2021-03-01"
|
|
description = "variation on reGeorgtunnel"
|
|
hash = "406b680edc9a1bb0e2c7c451c56904857848b5f15570401450b73b232ff38928"
|
|
license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
|
|
reference = "https://github.com/sensepost/reGeorg/blob/master/tunnel.aspx"
|
|
reference2 = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
|
|
|
|
strings:
|
|
$s1 = "System.Net.Sockets"
|
|
$s2 = "System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get"
|
|
$t1 = ".Split('|')"
|
|
$t2 = "Request.Headers.Get"
|
|
$t3 = ".Substring("
|
|
$t4 = "new Socket("
|
|
$t5 = "IPAddress ip;"
|
|
|
|
condition:
|
|
all of ($s*) or
|
|
all of ($t*)
|
|
}
|