The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

Using YARA rules to detect webshell

Description: Attempts to find PHP webshell type malware in the system

What The Data Shows: report if the system has PHP webshell scripts in the system 

FROM yara
WHERE PATH LIKE 'c:\windows\temp\%%'
AND sigrule = '
description = "Web Shell - file PHP Shell.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "a2f8fa4cce578fc9c06f8e674b9e63fd"
$s4 = "&nbsp;&nbsp;<?php echo buildUrl(\"<font color=\\\"navy\\\">["
$s6 = "echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input"
$s9 = "if ( ( (isset($http_auth_user) ) && (isset($http_auth_pass)) ) && ( !isset("
2 of them

> Requirement: Please test all submissions using Live Query or Osquery before posting.


1 Comment
Carbon Black Employee
Status changed to: Under Review

@GerAbm01 I get the following error when I try your query:

YARA compile error: Compilation error 1

I removed the URL and it worked. I think maybe the slashes need to be escaped.