Sneed-Group/Sneed-Reactivity
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Sneed-Reactivity/yara-Neo23x0/gen_webshells_ext_vars.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK 
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

103 lines
4 KiB
Text
Raw Blame History

/*
Webshell rules that use external variables for false positive filtering
*/
rule webshell_php_by_string_obfuscation : FILE {
meta:
description = "PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021/01/09"
modified = "2022-10-25"
hash = "e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc"
id = "be890bf6-de7e-588e-b5cd-72e8081d0b9c"
strings:
$opbs13 = "{\"_P\"./*-/*-*/\"OS\"./*-/*-*/\"T\"}" wide ascii
$opbs14 = "/*-/*-*/\"" wide ascii
$opbs16 = "'ev'.'al'" wide ascii
$opbs17 = "'e'.'val'" wide ascii
$opbs18 = "e'.'v'.'a'.'l" wide ascii
$opbs19 = "bas'.'e6'." wide ascii
$opbs20 = "ba'.'se6'." wide ascii
$opbs21 = "as'.'e'.'6'" wide ascii
$opbs22 = "gz'.'inf'." wide ascii
$opbs23 = "gz'.'un'.'c" wide ascii
$opbs24 = "e'.'co'.'d" wide ascii
$opbs25 = "cr\".\"eat" wide ascii
$opbs26 = "un\".\"ct" wide ascii
$opbs27 = "'c'.'h'.'r'" wide ascii
$opbs28 = "\"ht\".\"tp\".\":/\"" wide ascii
$opbs29 = "\"ht\".\"tp\".\"s:" wide ascii
$opbs31 = "'ev'.'al'" nocase wide ascii
$opbs32 = "eval/*" nocase wide ascii
$opbs33 = "eval(/*" nocase wide ascii
$opbs34 = "eval(\"/*" nocase wide ascii
$opbs36 = "assert/*" nocase wide ascii
$opbs37 = "assert(/*" nocase wide ascii
$opbs38 = "assert(\"/*" nocase wide ascii
$opbs40 = "'ass'.'ert'" nocase wide ascii
$opbs41 = "${'_'.$_}['_'](${'_'.$_}['__'])" wide ascii
$opbs44 = "'s'.'s'.'e'.'r'.'t'" nocase wide ascii
$opbs45 = "'P'.'O'.'S'.'T'" wide ascii
$opbs46 = "'G'.'E'.'T'" wide ascii
$opbs47 = "'R'.'E'.'Q'.'U'" wide ascii
$opbs48 = "se'.(32*2)" nocase
$opbs49 = "'s'.'t'.'r_'" nocase
$opbs50 = "'ro'.'t13'" nocase
$opbs51 = "c'.'od'.'e" nocase
$opbs53 = "e'. 128/2 .'_' .'d"
// move malicious code out of sight if line wrapping not enabled
$opbs54 = "<?php " //here I end
$opbs55 = "=chr(99).chr(104).chr(114);$_"
$opbs56 = "\\x47LOBAL"
$opbs57 = "pay\".\"load"
$opbs58 = "bas'.'e64"
$opbs59 = "dec'.'ode"
$opbs60 = "fla'.'te"
// rot13 of eval($_POST
$opbs70 = "riny($_CBFG["
$opbs71 = "riny($_TRG["
$opbs72 = "riny($_ERDHRFG["
$opbs73 = "eval(str_rot13("
$opbs74 = "\"p\".\"r\".\"e\".\"g\""
$opbs75 = "$_'.'GET"
$opbs76 = "'ev'.'al("
// eval( in hex
$opbs77 = "\\x65\\x76\\x61\\x6c\\x28" wide ascii nocase
//strings from private rule capa_php_old_safe
$php_short = "<?" wide ascii
// prevent xml and asp from hitting with the short tag
$no_xml1 = "<?xml version" nocase wide ascii
$no_xml2 = "<?xml-stylesheet" nocase wide ascii
$no_asp1 = "<%@LANGUAGE" nocase wide ascii
$no_asp2 = /<script language="(vb|jscript|c#)/ nocase wide ascii
$no_pdf = "<?xpacket"
// of course the new tags should also match
// already matched by "<?"
$php_new1 = /<\?=[^?]/ wide ascii
$php_new2 = "<?php" nocase wide ascii
$php_new3 = "<script language=\"php" nocase wide ascii
$fp1 = "NanoSpell TinyMCE Spellchecker for PHP" ascii fullword
condition:
filesize < 500KB and (
(
(
$php_short in (0..100) or
$php_short in (filesize-1000..filesize)
)
and not any of ( $no_* )
)
or any of ( $php_new* )
)
and any of ( $opbs* )
and not 1 of ($fp*)
and not filepath contains "\\Cache\\" /* generic cache e.g. for Chrome: \User Data\Default\Cache\ */
and not filepath contains "\\User Data\\Default\\Extensions\\" // chrome extensions
and not filepath contains "\\cache2\\" // FF cache
and not filepath contains "\\Microsoft\\Windows\\INetCache\\IE\\" // old IE
and not filepath contains "/com.apple.Safari/WebKitCache/"
and not filepath contains "\\Edge\\User Data\\" // some uncommon Edge path
}
Reference in a new issue View git blame Copy permalink