Antivirus Web Shell Detection
Detects a highly relevant antivirus alert that reports a web shell. It is highly recommended to tune this rule to the specific signature strings used by your antivirus solution, for example by downloading a large web shell repository from GitHub, scanning it, and checking which signature names are reported.
Sigma rule:

```yaml
title: Antivirus Web Shell Detection
id: fdf135a2-9241-4f96-a114-bb404948f736
status: test
description: Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://github.com/tennc/webshell
    - https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
    - https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
    - https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
    - https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection
    - https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection
    - https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
    - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
    - https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018/09/09
modified: 2023/02/03
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: antivirus
detection:
    selection:
        - Signature|startswith:
            - 'PHP.'
            - 'JSP.'
            - 'ASP.'
            - 'Perl.'
            - 'VBS/Uxor' # looking for 'VBS/' would also find downloaders and droppers meant for desktops
            - 'IIS/BackDoor'
            - 'JAVA/Backdoor'
            - 'Troj/ASP'
            - 'Troj/PHP'
            - 'Troj/JSP'
        - Signature|contains:
            - 'Webshell'
            - 'Chopper'
            - 'SinoChoper'
            - 'ASPXSpy'
            - 'Aspdoor'
            - 'filebrowser'
            - 'PHP_'
            - 'JSP_'
            - 'ASP_' # looking for 'VBS_' would also find downloaders and droppers meant for desktops
            - 'PHP:'
            - 'JSP:'
            - 'ASP:'
            - 'Perl:'
            - 'PHP/'
            - 'JSP/'
            - 'ASP/'
            - 'Perl/'
            - 'PHPShell'
            - 'Trojan.PHP'
            - 'Trojan.ASP'
            - 'Trojan.JSP'
            - 'Trojan.VBS'
            - 'PHP/Agent'
            - 'ASP/Agent'
            - 'JSP/Agent'
            - 'VBS/Agent'
            - 'Backdoor/PHP'
            - 'Backdoor/JSP'
            - 'Backdoor/ASP'
            - 'Backdoor/VBS'
            - 'Backdoor/Java'
            - 'PHP.Agent'
            - 'ASP.Agent'
            - 'JSP.Agent'
            - 'VBS.Agent'
            - 'Backdoor.PHP'
            - 'Backdoor.JSP'
            - 'Backdoor.ASP'
            - 'Backdoor.VBS'
            - 'Backdoor.Java'
            - 'PShlSpy'
            - 'C99shell'
    condition: selection
falsepositives:
    - Unlikely
level: high
```
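To see what the `selection` block actually matches before converting the rule for a SIEM, here is an added Python re-implementation of its logic (example code, not part of the Sigma project or its tooling) run over constructed antivirus signature names; the two list items under `selection` are OR-ed, as is each value list, and Sigma string matching is case-insensitive. Event field names other than `Signature` are assumptions.

```python
# Added example: re-implements this rule's `selection` block in plain Python so
# its match behaviour can be checked against sample signature names. Not part of
# the Sigma project. Sigma string comparisons are case-insensitive, so both
# sides are lower-cased before comparing.

STARTSWITH = ["PHP.", "JSP.", "ASP.", "Perl.", "VBS/Uxor", "IIS/BackDoor",
              "JAVA/Backdoor", "Troj/ASP", "Troj/PHP", "Troj/JSP"]

CONTAINS = ["Webshell", "Chopper", "SinoChoper", "ASPXSpy", "Aspdoor", "filebrowser",
            "PHP_", "JSP_", "ASP_", "PHP:", "JSP:", "ASP:", "Perl:",
            "PHP/", "JSP/", "ASP/", "Perl/", "PHPShell",
            "Trojan.PHP", "Trojan.ASP", "Trojan.JSP", "Trojan.VBS",
            "PHP/Agent", "ASP/Agent", "JSP/Agent", "VBS/Agent",
            "Backdoor/PHP", "Backdoor/JSP", "Backdoor/ASP", "Backdoor/VBS", "Backdoor/Java",
            "PHP.Agent", "ASP.Agent", "JSP.Agent", "VBS.Agent",
            "Backdoor.PHP", "Backdoor.JSP", "Backdoor.ASP", "Backdoor.VBS", "Backdoor.Java",
            "PShlSpy", "C99shell"]


def matches(signature: str) -> bool:
    """True when the AV signature name satisfies the rule: the startswith list
    and the contains list are OR-ed, and every value inside them is OR-ed too."""
    s = signature.lower()
    if any(s.startswith(p.lower()) for p in STARTSWITH):
        return True
    return any(p.lower() in s for p in CONTAINS)


# Constructed sample events (field names besides `Signature` are assumptions).
SAMPLE_EVENTS = [
    {"host": "web01", "Signature": "PHP.Webshell.Gen"},         # startswith 'PHP.'
    {"host": "web01", "Signature": "Trojan.ASP.ChinaChopper"},  # contains 'Trojan.ASP' / 'Chopper'
    {"host": "web02", "Signature": "Backdoor.Java.Agent"},      # contains 'Backdoor.Java'
    {"host": "ws17", "Signature": "VBS/Dropper.Agent"},         # desktop dropper: no hit, by design
    {"host": "ws17", "Signature": "Win32/Emotet"},              # unrelated malware: no hit
]


def alerting_events(events):
    """Return the subset of events this rule would raise as high-level alerts."""
    return [e for e in events if matches(e.get("Signature", ""))]


if __name__ == "__main__":
    for e in alerting_events(SAMPLE_EVENTS):
        print(f'{e["host"]}: {e["Signature"]}')
```

Feed the signature names your own antivirus reports for a scanned web shell repository into `matches()` to see which ones the current string lists miss before adding them to the rule.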
Related rules
- Potential Webshell Creation On Static Website
- Suspicious ASPX File Drop by Exchange
- Suspicious File Drop by Exchange
- MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit