Antivirus Web Shell Detection
Detects a highly relevant antivirus alert that reports a web shell. The rule keys on the detection name (the `Signature` field of the antivirus log source), so the prefixes and substrings it looks for have to reflect the naming scheme of the product in use. It is therefore strongly recommended to tune the rule to your antivirus solution: download a large web shell collection (for example the tennc/webshell repository on GitHub), let your product scan it, and check which detection names it assigns and whether the rule catches them. Do not ignore this event just because the AV blocked the file; investigate how the web shell got onto the server in the first place.
Sigma rule
```yaml
title: Antivirus Web Shell Detection
id: fdf135a2-9241-4f96-a114-bb404948f736
status: test
description: |
    Detects a highly relevant Antivirus alert that reports a web shell.
    It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://github.com/tennc/webshell
    - https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
    - https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
    - https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
    - https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection
    - https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection
    - https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
    - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
    - https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: antivirus
detection:
    selection:
        - Signature|startswith:
            - 'ASP.'
            - 'IIS/BackDoor'
            - 'JAVA/Backdoor'
            - 'JSP.'
            - 'Perl.'
            - 'PHP.'
            - 'Troj/ASP'
            - 'Troj/JSP'
            - 'Troj/PHP'
            - 'VBS/Uxor' # looking for 'VBS/' would also find downloader's and droppers meant for desktops
        - Signature|contains:
            - 'ASP_' # looking for 'VBS_' would also find downloader's and droppers meant for desktops
            - 'ASP:'
            - 'ASP.Agent'
            - 'ASP/'
            # - 'ASP/Agent'
            - 'Aspdoor'
            - 'ASPXSpy'
            - 'Backdoor.ASP'
            - 'Backdoor.Java'
            - 'Backdoor.JSP'
            - 'Backdoor.PHP'
            - 'Backdoor.VBS'
            - 'Backdoor/ASP'
            - 'Backdoor/Java'
            - 'Backdoor/JSP'
            - 'Backdoor/PHP'
            - 'Backdoor/VBS'
            - 'C99shell'
            - 'Chopper'
            - 'filebrowser'
            - 'JSP_'
            - 'JSP:'
            - 'JSP.Agent'
            - 'JSP/'
            # - 'JSP/Agent'
            - 'Perl:'
            - 'Perl/'
            - 'PHP_'
            - 'PHP:'
            - 'PHP.Agent'
            - 'PHP/'
            # - 'PHP/Agent'
            - 'PHPShell'
            - 'PShlSpy'
            - 'SinoChoper'
            - 'Trojan.ASP'
            - 'Trojan.JSP'
            - 'Trojan.PHP'
            - 'Trojan.VBS'
            - 'VBS.Agent'
            - 'VBS/Agent'
            - 'Webshell'
    condition: selection
falsepositives:
    - Unlikely
level: high
```
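The rule's `selection` block re-implemented in Python, as an added example that is not code from the Sigma project or from the rule's authors, so the matching logic can be exercised against antivirus alerts offline. The two lists mirror the `Signature|startswith` and `Signature|contains` entries above; because `selection` is a YAML list of two maps, Sigma ORs them, and Sigma string modifiers compare case-insensitively unless `cased` is used. The events and detection names are constructed for this example, the `Signature` field name is the rule's own, and the helper names `matches`, `alerts_matching` and `uncovered` are mine. The last helper is the tuning step the description recommends: feed it the detection names your AV assigns to a web shell corpus and it returns the ones the rule would miss.

```python
"""Worked example (added here; not part of the Sigma rule or project).

Re-implements the rule's `selection` block so it can be run over
antivirus events and over a list of detection names for tuning.
"""

# Mirrors `Signature|startswith` in the rule.
STARTSWITH = [
    "ASP.", "IIS/BackDoor", "JAVA/Backdoor", "JSP.", "Perl.", "PHP.",
    "Troj/ASP", "Troj/JSP", "Troj/PHP", "VBS/Uxor",
]

# Mirrors `Signature|contains` in the rule (commented-out entries omitted).
CONTAINS = [
    "ASP_", "ASP:", "ASP.Agent", "ASP/", "Aspdoor", "ASPXSpy",
    "Backdoor.ASP", "Backdoor.Java", "Backdoor.JSP", "Backdoor.PHP", "Backdoor.VBS",
    "Backdoor/ASP", "Backdoor/Java", "Backdoor/JSP", "Backdoor/PHP", "Backdoor/VBS",
    "C99shell", "Chopper", "filebrowser",
    "JSP_", "JSP:", "JSP.Agent", "JSP/",
    "Perl:", "Perl/",
    "PHP_", "PHP:", "PHP.Agent", "PHP/", "PHPShell", "PShlSpy", "SinoChoper",
    "Trojan.ASP", "Trojan.JSP", "Trojan.PHP", "Trojan.VBS",
    "VBS.Agent", "VBS/Agent", "Webshell",
]


def matches(signature: str) -> bool:
    """True if the AV detection name satisfies the rule's selection.

    The two modifier maps are ORed (list under `selection`), and Sigma
    string matching is case-insensitive by default, so both sides are
    lower-cased before comparing.
    """
    sig = signature.lower()
    if any(sig.startswith(p.lower()) for p in STARTSWITH):
        return True
    return any(p.lower() in sig for p in CONTAINS)


def alerts_matching(events):
    """Filter antivirus events (dicts carrying a `Signature` field)."""
    return [e for e in events if "Signature" in e and matches(e["Signature"])]


def uncovered(detection_names):
    """Tuning aid: detection names the rule would NOT fire on.

    Run it over the names your product assigns to files from a large web
    shell collection; anything returned is a candidate for a new entry.
    """
    return [n for n in detection_names if not matches(n)]


# Constructed sample events (not real product output). The hypothetical
# `Computer` and `Path` fields are only there to make the alert readable.
SAMPLE_EVENTS = [
    {"Computer": "web01", "Path": r"C:\inetpub\wwwroot\upload\x.aspx", "Signature": "Backdoor:ASP/Webshell.B"},
    {"Computer": "web02", "Path": "/var/www/html/img/cache.php", "Signature": "PHP/WebShell-A"},
    {"Computer": "web02", "Path": "/var/www/html/c99.php", "Signature": "Trojan.PHP.C99shell"},
    {"Computer": "web03", "Path": "/opt/tomcat/webapps/ROOT/cmd.jsp", "Signature": "JSP/Chopper.gen"},
    # Desktop malware sharing a scripting-language prefix but not a web shell;
    # this is why the rule avoids a bare 'VBS/' prefix.
    {"Computer": "ws11", "Path": r"C:\Users\a\Downloads\invoice.vbs", "Signature": "VBS/Downloader.X"},
    {"Computer": "ws12", "Path": r"C:\Users\b\AppData\Local\Temp\x.exe", "Signature": "Trojan.Win32.Agent"},
    {"Computer": "ws13", "Path": r"C:\Users\c\Downloads\macro.doc", "Signature": "W97M/Downloader"},
]

if __name__ == "__main__":
    for e in alerts_matching(SAMPLE_EVENTS):
        print(f"ALERT {e['Computer']}: {e['Signature']} at {e['Path']}")
    # Tuning run over constructed detection names an AV might give a web shell corpus.
    names = ["Backdoor:ASP/Webshell.B", "Generic.Malware.Sus", "HEUR:Exploit.Script.Generic"]
    print("not covered by the rule:", uncovered(names))
```

When you convert the rule for a SIEM backend, confirm that the generated query keeps the case-insensitive semantics; a backend that emits a case-sensitive `contains` silently narrows the rule, and the constructed `php/webshell.a`-style names above are a quick way to test that.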
Related rules
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
- Certificate Request Export to Exchange Webserver
- Chopper Webshell Process Pattern
- DEWMODE Webshell Access
- Exchange Set OabVirtualDirectory ExternalUrl Property