Sneed-Reactivity/yara-mikesxrs/Volexity/webshell_aspx_sportsball.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

25 lines
1.2 KiB
Text

rule webshell_aspx_sportsball : Webshell
{
meta:
author = "threatintel@volexity.com"
date = "2021-03-01"
description = "The SPORTSBALL webshell allows attackers to upload files or execute commands on the system."
reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
hash = "2fa06333188795110bba14a482020699a96f76fb1ceb80cbfa2df9d3008b5b0a"
license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
strings:
$uniq1 = "HttpCookie newcook = new HttpCookie(\"fqrspt\", HttpContext.Current.Request.Form"
$uniq2 = "ZN2aDAB4rXsszEvCLrzgcvQ4oi5J1TuiRULlQbYwldE="
$var1 = "Result.InnerText = string.Empty;"
$var2 = "newcook.Expires = DateTime.Now.AddDays("
$var3 = "System.Diagnostics.Process process = new System.Diagnostics.Process()"
$var4 = "process.StandardInput.WriteLine(HttpContext.Current.Request.Form[\""
$var5 = "else if (!string.IsNullOrEmpty(HttpContext.Current.Request.Form[\""
$var6 = "<input type=\"submit\" value=\"Upload\" />"
condition:
any of ($uniq*) or
all of ($var*)
}