/* Old webshell rule from THOR's signature set - donation to the community */
/*
 * WEBSHELL_JSP_Nov21_1
 * Detects JSP webshells via source-level fragments of a password-gated
 * command-execution pattern: a "pwd" request parameter used as the gate and
 * a Runtime.exec() call fed directly from a request parameter (see the
 * reference URL for the advisory this was written against).
 * Matching: any single $x string in a file smaller than 400 KB.
 */
rule WEBSHELL_JSP_Nov21_1 {
   meta:
      description = "Detects JSP webshells"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.ic3.gov/Media/News/2021/211117-2.pdf"
      date = "2021-11-23"
      score = 70
      id = "117eed28-c44e-5983-b4c7-b555fc06d923"
   strings:
      // Password-style gate reading a "pwd" request parameter.
      // NOTE(review): this is the most generic of the four strings and could
      // also occur in legitimate JSP login handlers; if the rule produces
      // false positives, this is the string to tune, not $x2-$x4.
      $x1 = "request.getParameter(\"pwd\")" ascii
      // Helper (sic, "excute") that hands a request parameter straight to execution.
      $x2 = "excuteCmd(request.getParameter(" ascii
      // Runtime.exec() fed directly from a request parameter. The space before
      // the opening parenthesis is part of the literal — presumably the exact
      // formatting of a specific sample; do not "fix" it.
      $x3 = "getRuntime().exec (request.getParameter(" ascii
      // Hard-coded password constant of a known sample.
      $x4 = "private static final String PW = \"whoami\"" ascii
   condition:
      // Size cap keeps the scan to plausible script/source files.
      filesize < 400KB and 1 of them
}
/*
 * EXPL_POC_SpringCore_0day_Indicators_Mar22_1
 * Detects traces of the SpringCore 0-day exploitation POC that circulated in
 * March 2022 — in the POC script itself and in the artifacts exploitation
 * attempts leave behind (the strings are URL-encoded request fragments, so
 * they are presumably meant to hit web server logs as well).
 * There is deliberately no filesize cap, so the rule can be run over large
 * log files.
 */
rule EXPL_POC_SpringCore_0day_Indicators_Mar22_1 {
   meta:
      description = "Detects indicators found after SpringCore exploitation attempts and in the POC script"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/vxunderground/status/1509170582469943303"
      date = "2022-03-30"
      score = 70
      id = "297e4b57-f831-56e0-a391-1ffbc9a4d438"
   strings:
      // URL-encoded Java source fragment; decodes to
      // `java.io.InputStream in = %{c1}i` (%20 = space, %3D = '=', %25 = '%',
      // %7B/%7D = braces) — part of the shell source injected by the POC.
      $x1 = "java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di"
      // Query string used to drive the dropped shell: the "pwd" gate value
      // plus a whoami test command.
      $x2 = "?pwd=j&cmd=whoami"
      // URL-encoded `.getParameter("pwd")` (%22 = '"') — the shell's password check.
      $x3 = ".getParameter(%22pwd%22)"
      // Class-loader property chain the POC request sets, URL-encoded
      // (`pattern=%{`). NOTE(review): strings are case-sensitive by default, so
      // only the percent-encoding case used in the POC is covered; consider
      // `nocase` if logs show mixed-case encodings.
      $x4 = "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7B"
   condition:
      // No modifier on the strings means plain ascii matching; one hit is enough.
      1 of them
}
/*
 * EXPL_POC_SpringCore_0day_Webshell_Mar22_1
 * Detects the JSP webshell found on disk after exploitation attempts with the
 * SpringCore 0-day POC (March 2022): a "pwd"/"cmd" parameter pair, a
 * Runtime.exec() fed from the request, and a fixed 2048-byte output read loop.
 * Companion to EXPL_POC_SpringCore_0day_Indicators_Mar22_1, which covers the
 * URL-encoded request side.
 */
rule EXPL_POC_SpringCore_0day_Webshell_Mar22_1 {
   meta:
      description = "Detects webshell found after SpringCore exploitation attempts POC script"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/vxunderground/status/1509170582469943303"
      date = "2022-03-30"
      score = 70
      id = "e7047c98-3c60-5211-9ad5-2bfdfb35d493"
   strings:
      // Output-read loop of the shell (InputStream, 2048-byte buffer).
      // NOTE(review): the most generic of the three strings; it may also appear
      // in unrelated Java code that copies streams — tune here if it fires on
      // legitimate sources.
      $x1 = ".getInputStream(); int a = -1; byte[] b = new byte[2048];"
      // Password gate: the "pwd" parameter must equal "j" (consistent with the
      // "?pwd=j&cmd=whoami" query string in the companion indicators rule).
      $x2 = "if(\"j\".equals(request.getParameter(\"pwd\")"
      // Command execution directly from the "cmd" request parameter.
      $x3 = ".getRuntime().exec(request.getParameter(\"cmd\")).getInputStream();"
   condition:
      // Size cap keeps the scan to plausible JSP/source files.
      filesize < 200KB and 1 of them
}