Query Exchange

  • 1.  Using YARA rules to detect webshell

    Posted Jun 19, 2023 04:21 AM

    Description: Attempts to find PHP webshell-type malware on the system

    What The Data Shows: Reports whether the system has PHP webshell scripts on it

    SQL:
    -- Rule text taken from https://raw.githubusercontent.com/Yara-Rules/rules/master/webshells/WShell_THOR_Webshells.yar
    -- The sigrule column takes the rule itself, not the URL, and the rule must be complete:
    -- the header line (rule <name> followed by the opening brace) is required. The name used
    -- here is a placeholder chosen for this query; the upstream rule name is not shown in this post.
    SELECT *
    FROM yara
    WHERE path LIKE 'c:\windows\temp\%%'
    AND sigrule = 'rule WebShell_PHP_Shell_php
    {
        meta:
            description = "Web Shell - file PHP Shell.php"
            author = "Florian Roth"
            date = "2014/01/28"
            score = 70
            hash = "a2f8fa4cce578fc9c06f8e674b9e63fd"
        strings:
            $s4 = "&nbsp;&nbsp;<?php echo buildUrl(\"<font color=\\\"navy\\\">["
            $s6 = "echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input"
            $s9 = "if ( ( (isset($http_auth_user) ) && (isset($http_auth_pass)) ) && ( !isset("
        condition:
            2 of them
    }';

    > Requirement: Please test all submissions using Live Query or Osquery before posting.

    #Community
    #Windows
    #ITHygiene


  • 2.  RE: Using YARA rules to detect webshell

    Broadcom Employee
    Posted Jun 21, 2023 10:38 PM

    I get the following error when I try your query:

    YARA compile error: Compilation error 1

    I removed the URL and it worked. I think maybe the slashes need to be escaped.
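A small pre-flight check for inline sigrule queries like the one in the first post, written here as an added example (it is not the original poster's or Broadcom's code). It catches the shape problem that yields a YARA compile error in the yara table (a URL pasted in front of a bare rule body, so there is no rule header) and then builds the SQL with correct SQLite quoting; the rule name, the column list and the helper names are choices made for this illustration.

```python
import re

# Constructed sample: the THOR "PHP Shell.php" rule from the post above, given the
# rule <name> { header that osquery's sigrule needs (the name is a placeholder chosen here).
WEBSHELL_RULE = r'''rule WebShell_PHP_Shell_php
{
  meta:
    description = "Web Shell - file PHP Shell.php"
    author = "Florian Roth"
    date = "2014/01/28"
    score = 70
    hash = "a2f8fa4cce578fc9c06f8e674b9e63fd"
  strings:
    $s4 = "&nbsp;&nbsp;<?php echo buildUrl(\"<font color=\\\"navy\\\">["
    $s6 = "echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input"
    $s9 = "if ( ( (isset($http_auth_user) ) && (isset($http_auth_pass)) ) && ( !isset("
  condition:
    2 of them
}'''

# Matches an optional private/global modifier, the keyword rule, an identifier, optional tags, and {.
RULE_HEADER = re.compile(r'^\s*(?:private\s+|global\s+)*rule\s+[A-Za-z_]\w*\s*(?::[^{]*)?\{')

def check_rule_shape(rule_text):
    """Cheap structural checks, not a YARA parser: they catch the mistakes that produce
    a YARA compile error in the yara table, such as a URL pasted in front of a bare rule
    body (no header), unbalanced braces, or no condition section."""
    problems = []
    if not RULE_HEADER.match(rule_text):
        problems.append("missing rule header")
    if rule_text.count("{") != rule_text.count("}"):
        problems.append("unbalanced braces")
    if "condition:" not in rule_text:
        problems.append("missing condition section")
    return problems

def build_yara_query(path_pattern, rule_text):
    """Build the osquery SELECT with the rule inlined in sigrule. SQLite string literals
    treat backslashes literally and escape a single quote by doubling it, so the YARA
    escapes (\\") survive unchanged and only the single quote needs care. In osquery
    path LIKE patterns, %% is the recursive wildcard."""
    problems = check_rule_shape(rule_text)
    if problems:
        raise ValueError("rule will not compile: " + "; ".join(problems))
    sql_path = path_pattern.replace("'", "''")
    sql_rule = rule_text.replace("'", "''")
    return (f"SELECT path, matches, count, strings FROM yara\n"
            f"WHERE path LIKE '{sql_path}'\n"
            f"  AND sigrule = '{sql_rule}';")
```

Run check_rule_shape on the rule text before pasting it into Live Query; an empty list means the header, braces and condition section are in place.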