
Using YARA rules to detect webshells

Description: Finds PHP web shell files under C:\Windows\Temp by scanning them with the osquery yara table and a YARA rule (the Shell.php signature from Florian Roth's THOR webshell rule set).

What The Data Shows: yara table rows for the files scanned under C:\Windows\Temp; a row whose count column is greater than 0 is a file that matched the rule (at least two of its three strings present) and is a likely PHP web shell.

SQL: -- Rule body taken from https://raw.githubusercontent.com/Yara-Rules/rules/master/webshells/WShell_THOR_Webshells.yar
-- The URL must stay outside the sigrule string: sigrule is compiled as YARA source, so only the rule text goes in it.
SELECT *
FROM yara
WHERE path LIKE 'c:\windows\temp\%%'
AND count > 0
AND sigrule = '
rule WebShell_PHP_Shell_php  // header was missing from the original post; placeholder name added so the rule compiles
{
    meta:
        description = "Web Shell - file PHP Shell.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "a2f8fa4cce578fc9c06f8e674b9e63fd"
    strings:
        $s4 = "&nbsp;&nbsp;<?php echo buildUrl(\"<font color=\\\"navy\\\">["
        $s6 = "echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input"
        $s9 = "if ( ( (isset($http_auth_user) ) && (isset($http_auth_pass)) ) && ( !isset("
    condition:
        2 of them
}';

> Requirement: Please test all submissions using Live Query or Osquery before posting.
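One way to test the rule offline before pasting it into Live Query, as an added example that is not part of the original post or of the Yara-Rules project: the script below pulls the three text strings out of the rule source, decodes their escapes the way the YARA compiler does (so `\\\"` becomes a literal `\"` in the scanned bytes), and applies the rule's `2 of them` condition to constructed sample files. If yara-python is installed it also compiles the rule, which is where a syntax error would be reported. The rule name `WebShell_PHP_Shell_php` is a placeholder, since the post omits the `rule` header, and all samples are constructed for the example.

```python
"""Offline sanity check for the Shell.php YARA rule before it goes into Live Query.

Added example, not code from the original post. It extracts the text strings
from the rule source with their escapes decoded, then applies the rule's
"2 of them" condition to constructed samples. When yara-python is installed
the rule is also compiled and matched, as a cross-check.
"""
import re

# Rule body from the post. The post has no "rule NAME" header; the name below
# is a placeholder so that the text compiles.
RULE_SOURCE = r'''
rule WebShell_PHP_Shell_php
{
    meta:
        description = "Web Shell - file PHP Shell.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "a2f8fa4cce578fc9c06f8e674b9e63fd"
    strings:
        $s4 = "&nbsp;&nbsp;<?php echo buildUrl(\"<font color=\\\"navy\\\">["
        $s6 = "echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input"
        $s9 = "if ( ( (isset($http_auth_user) ) && (isset($http_auth_pass)) ) && ( !isset("
    condition:
        2 of them
}
'''

# One text-string definition per line:  $name = "escaped body"
STRING_LINE = re.compile(r'^\s*(\$\w+)\s*=\s*"(.*)"\s*$', re.MULTILINE)


def unescape_yara_string(literal):
    # Decode the escapes YARA allows in text strings into the raw bytes it scans for.
    out = bytearray()
    i = 0
    while i < len(literal):
        ch = literal[i]
        if ch != "\\":
            out += ch.encode("utf-8")
            i += 1
            continue
        esc = literal[i + 1]
        if esc == "x":                      # \xNN hex byte
            out.append(int(literal[i + 2:i + 4], 16))
            i += 4
        elif esc in '"\\':                  # \" and \\ stand for the character itself
            out.append(ord(esc))
            i += 2
        elif esc in "tn":                   # \t and \n
            out.append(9 if esc == "t" else 10)
            i += 2
        else:
            raise ValueError("unsupported escape \\%s at offset %d" % (esc, i))
    return bytes(out)


def extract_text_strings(rule_source):
    """Return {identifier: decoded bytes} for every text string in the rule."""
    return {name: unescape_yara_string(body)
            for name, body in STRING_LINE.findall(rule_source)}


PATTERNS = extract_text_strings(RULE_SOURCE)


def matching_strings(data, patterns=PATTERNS):
    """Identifiers of the rule strings that occur in data."""
    return [name for name, pat in patterns.items() if pat in data]


def rule_matches(data, required=2):
    """The rule's condition, '2 of them': at least two distinct strings present."""
    return len(matching_strings(data)) >= required


def yara_verdict(data):
    """Cross-check with yara-python if it is installed; None when it is not."""
    try:
        import yara
    except ImportError:
        return None
    rules = yara.compile(source=RULE_SOURCE)   # raises yara.SyntaxError on a bad rule
    return len(rules.match(data=data)) > 0


# Constructed samples (not real files). The first carries the decoded forms of $s6 and $s9.
SHELL_SAMPLE = (
    b'<?php\n'
    b'if ( ( (isset($http_auth_user) ) && (isset($http_auth_pass)) ) && ( !isset($_SERVER["PHP_AUTH_USER"]) ) ) {\n'
    b'    header("WWW-Authenticate: Basic realm=\\"PHP Shell\\"");\n'
    b'}\n'
    b'echo "</form><form action=\\"$SFileName?$urlAdd\\" method=\\"post\\"><input type=\\"hidden\\">";\n'
)
# Only $s9 present: one string is not enough for "2 of them".
ONE_STRING_SAMPLE = b'if ( ( (isset($http_auth_user) ) && (isset($http_auth_pass)) ) && ( !isset($x) ) ) exit;'
# Ordinary form-handling PHP with none of the strings.
BENIGN_SAMPLE = b'<?php\necho "</form><form action=\\"index.php\\" method=\\"post\\"><input type=\\"submit\\">";\n'

if __name__ == "__main__":
    for label, sample in (("shell", SHELL_SAMPLE), ("one string", ONE_STRING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, matching_strings(sample), rule_matches(sample), yara_verdict(sample))
```

Running it prints which identifiers hit in each sample and the resulting verdict; only the first sample satisfies `2 of them`. Note that the escaping shown here is the YARA layer only: when the rule is embedded in the Live Query SQL string, single quotes are the only characters SQLite cares about, and this rule contains none.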

 

1 Comment
jnelson
Carbon Black Employee
Status changed to: Under Review

@GerAbm01 I get the following error when I try your query:

YARA compile error: Compilation error 1

I removed the URL and it worked. I think maybe the slashes need to be escaped.