Antivirus Web Shell Detection

Detects a highly relevant antivirus alert that reports a web shell. It is highly recommended to tune this rule to the specific signature strings used by your antivirus solution by downloading a large web shell repository, e.g. from GitHub, and checking the matches.

Sigma rule

title: Antivirus Web Shell Detection
id: fdf135a2-9241-4f96-a114-bb404948f736
status: test
description: |
    Detects a highly relevant Antivirus alert that reports a web shell.
    It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://github.com/tennc/webshell
    - https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
    - https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
    - https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
    - https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection
    - https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection
    - https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
    - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
    - https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-07-17
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: antivirus
detection:
    selection:
        - Signature|startswith:
              - 'ASP.'
              - 'IIS/BackDoor'
              - 'JAVA/Backdoor'
              - 'JSP.'
              - 'Perl.'
              - 'PHP.'
              - 'Troj/ASP'
              - 'Troj/JSP'
              - 'Troj/PHP'
              - 'VBS/Uxor' # looking for 'VBS/' would also find downloaders and droppers meant for desktops
        - Signature|contains:
              - 'ASP_' # looking for 'VBS_' would also find downloaders and droppers meant for desktops
              - 'ASP:'
              - 'ASP.Agent'
              - 'ASP/'
              - 'ASP/Agent'
              - 'Aspdoor'
              - 'ASPXSpy'
              - 'Backdoor.ASP'
              - 'Backdoor.Java'
              - 'Backdoor.JSP'
              - 'Backdoor.PHP'
              - 'Backdoor.VBS'
              - 'Backdoor/ASP'
              - 'Backdoor/Java'
              - 'Backdoor/JSP'
              - 'Backdoor/PHP'
              - 'Backdoor/VBS'
              - 'C99shell'
              - 'Chopper'
              - 'filebrowser'
              - 'JSP_'
              - 'JSP:'
              - 'JSP.Agent'
              - 'JSP/'
              - 'JSP/Agent'
              - 'Perl:'
              - 'Perl/'
              - 'PHP_'
              - 'PHP:'
              - 'PHP.Agent'
              - 'PHP/'
              - 'PHP/Agent'
              - 'PHPShell'
              - 'PShlSpy'
              - 'SinoChoper'
              - 'Trojan.ASP'
              - 'Trojan.JSP'
              - 'Trojan.PHP'
              - 'Trojan.VBS'
              - 'VBS.Agent'
              - 'VBS/Agent'
              - 'Webshell'
    condition: selection
falsepositives:
    - Unlikely
level: high
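
One way to do the tuning the description recommends, as an added example that is not part of the Sigma rule or the Sigma project: replay the signature names your antivirus reported against the rule's selection logic and list the names it misses and the names it matches on files that are not web shells. The function names and the sample signature names are hypothetical and constructed for illustration; replace them with names exported from your own scan.

```python
# Added example: replay AV signature names against the rule's selection logic.
# Sigma string modifiers match case-insensitively by default, hence lower().
STARTSWITH = ["ASP.", "IIS/BackDoor", "JAVA/Backdoor", "JSP.", "Perl.", "PHP.",
              "Troj/ASP", "Troj/JSP", "Troj/PHP", "VBS/Uxor"]
CONTAINS = ["ASP_", "ASP:", "ASP.Agent", "ASP/", "ASP/Agent", "Aspdoor", "ASPXSpy",
            "Backdoor.ASP", "Backdoor.Java", "Backdoor.JSP", "Backdoor.PHP",
            "Backdoor.VBS", "Backdoor/ASP", "Backdoor/Java", "Backdoor/JSP",
            "Backdoor/PHP", "Backdoor/VBS", "C99shell", "Chopper", "filebrowser",
            "JSP_", "JSP:", "JSP.Agent", "JSP/", "JSP/Agent", "Perl:", "Perl/",
            "PHP_", "PHP:", "PHP.Agent", "PHP/", "PHP/Agent", "PHPShell", "PShlSpy",
            "SinoChoper", "Trojan.ASP", "Trojan.JSP", "Trojan.PHP", "Trojan.VBS",
            "VBS.Agent", "VBS/Agent", "Webshell"]

# Constructed sample data (not real vendor output): signature names reported
# when scanning a web shell corpus, and when scanning files that are not web shells.
SAMPLE_WEBSHELL_HITS = ["PHP/Example.A", "Backdoor:MSIL/ExampleShell.B",
                        "Generic.Script.Example.1", "jsp.example.c"]
SAMPLE_OTHER_HITS = ["Adware.Example.Toolbar", "Tool.FileBrowser.Example"]


def matched_pattern(signature):
    """Return the first rule pattern that fires on this signature, else None."""
    sig = signature.lower()
    for pattern in STARTSWITH:
        if sig.startswith(pattern.lower()):
            return "startswith " + pattern
    for pattern in CONTAINS:
        if pattern.lower() in sig:
            return "contains " + pattern
    return None


def coverage(webshell_hits, other_hits):
    """Return (missed, noisy): web shell names the rule does not match,
    and non-web-shell names it does match."""
    missed = [s for s in webshell_hits if matched_pattern(s) is None]
    noisy = [s for s in other_hits if matched_pattern(s) is not None]
    return missed, noisy


if __name__ == "__main__":
    missed, noisy = coverage(SAMPLE_WEBSHELL_HITS, SAMPLE_OTHER_HITS)
    print("not covered, consider adding a pattern:", missed)
    print("matched on non-web-shell files, consider narrowing:", noisy)
```

Names in the first list point to vendor-specific strings worth adding to the selection; names in the second list show which broad `contains` patterns need narrowing or a filter in your environment.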
