YARA rules for reGeorg
YARA rules whose family, name, or description matches this tool or its tooling. Use these for content-pattern scans of files and memory. Note that the listing below also carries the neighbouring generic ASPX/JSP webshell rules from the same rule set (WEBSHELL_CSHARP_Generic, WEBSHELL_JSP_Generic*, …); those are not reGeorg-specific and will also fire on other webshells.
REGEORG
REGEORG_Tuneller_generic
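rule REGEORG_Tuneller_generic {
    meta:
        // Mandiant's generic string set for the ASP.NET socket-tunnel page (reGeorg
        // style tunnel.aspx) reported with UNC3524. Every string is an ordinary
        // System.Net / ASP.NET API name; the signal comes from nearly all of them
        // appearing together in one small file, not from any single string.
        description = "Generic strings of the reGeorg-style ASP.NET socket tunnel page (tunnel.aspx) reported with UNC3524"
        author = "Mandiant"
        date = "2021-12-20"
        date_modified = "2021-12-20"
        hash = "ba22992ce835dadcd06bff4ab7b162f9"
        reference = "https://www.mandiant.com/resources/unc3524-eye-spy-email"
        id = "a87979b7-2732-5a32-b3f3-a815a58b6589"
    strings:
        // 'ascii wide' added: the published rule used YARA's default (ASCII only),
        // so a UTF-16LE encoded .aspx would not match. The threshold below is
        // unchanged; the rule can only match strictly more files than before.
        $s1 = "System.Net.IPEndPoint" ascii wide     // endpoint of the relayed TCP socket
        $s2 = "Response.AddHeader" ascii wide
        $s3 = "Request.InputStream.Read" ascii wide  // raw request body read (data pushed into the socket)
        $s4 = "Request.Headers.Get" ascii wide       // reads custom request headers
        $s5 = "Response.Write" ascii wide
        $s6 = "System.Buffer.BlockCopy" ascii wide
        $s7 = "Response.BinaryWrite" ascii wide      // raw bytes returned in the response body
        $s8 = "SocketException soex" ascii wide      // reads like a catch (SocketException soex) clause; the most specific string here
    condition:
        // 7 of 8 tolerates one renamed or dropped API call while still excluding
        // ordinary pages that happen to use one or two of these members.
        filesize < 1MB and 7 of them
}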
ASPX
WEBSHELL_ASPX_Regeorg_CSHARP
Webshell regeorg aspx c# version
rule WEBSHELL_ASPX_Regeorg_CSHARP
{
// Two parts ANDed together in the condition:
//  (1) a generic "looks like an ASP/ASPX page and not PHP/JSP/Perl" gate, expanded
//      inline from the private rule capa_asp ($tagasp_*, $php*, $jsp*, $perl*);
//  (2) the reGeorg-specific part: the literal tunnel banner ($georg), or the whole
//      socket/response API set plus at least one request-input source.
meta:
description = "Webshell regeorg aspx c# version"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
reference = "https://github.com/sensepost/reGeorg"
hash = "c1f43b7cf46ba12cfc1357b17e4f5af408740af7ae70572c9cf988ac50260ce1"
author = "Arnim Rupp (https://github.com/ruppde)"
score = 75
date = "2021/01/11"
modified = "2023-07-05"
// Repeated 'hash' keys are legal in YARA meta: one SHA-256 above, SHA-1s below.
hash = "479c1e1f1c263abe339de8be99806c733da4e8c1"
hash = "38a1f1fc4e30c0b4ad6e7f0e1df5a92a7d05020b"
hash = "e54f1a3eab740201feda235835fc0aa2e0c44ba9"
hash = "aea0999c6e5952ec04bf9ee717469250cddf8a6f"
id = "0a53d368-5f1b-55b7-b08f-36b0f8c5612f"
strings:
// Request-input channels; any one of them is enough (see condition).
$input_sa1 = "Request.QueryString.Get" fullword nocase wide ascii
$input_sa2 = "Request.Headers.Get" fullword nocase wide ascii
// Socket-relay API set; ALL of these are required. $sa5 ("Socket", no fullword)
// is far too generic on its own and only adds weight in combination.
$sa1 = "AddressFamily.InterNetwork" fullword nocase wide ascii
$sa2 = "Response.AddHeader" fullword nocase wide ascii
$sa3 = "Request.InputStream.Read" nocase wide ascii
$sa4 = "Response.BinaryWrite" nocase wide ascii
$sa5 = "Socket" nocase wide ascii
// Literal health-check reply of the reGeorg tunnel page. It carries no 'wide'
// modifier, so this shortcut only fires on ASCII/UTF-8 files; a UTF-16LE page
// has to satisfy the $sa*/$input_sa* branch instead.
$georg = "Response.Write(\"Georg says, 'All seems fine'\")"
//strings from private rule capa_asp
// Short ASP tags: too small to be atoms on their own, hence the positional
// constraints in the condition (near start or end of file).
$tagasp_short1 = /<%[^"]/ wide ascii
// also looking for %> to reduce fp (yeah, short atom but seldom since special chars)
$tagasp_short2 = "%>" wide ascii
// classids for scripting host etc
$tagasp_classid1 = "72C24DD5-D70A-438B-8A42-98424B88AFB8" nocase wide ascii
$tagasp_classid2 = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B" nocase wide ascii
$tagasp_classid3 = "093FF999-1EA0-4079-9525-9614C3504B74" nocase wide ascii
$tagasp_classid4 = "F935DC26-1CF0-11D0-ADB9-00C04FD58A0B" nocase wide ascii
$tagasp_classid5 = "0D43FE01-F093-11CF-8940-00A0C9054228" nocase wide ascii
// Longer, self-sufficient ASP markers: page directives, inline eval/exec, runat=server.
$tagasp_long10 = "<%@ " wide ascii
// <% eval
$tagasp_long11 = /<% \w/ nocase wide ascii
$tagasp_long12 = "<%ex" nocase wide ascii
$tagasp_long13 = "<%ev" nocase wide ascii
// <%@ LANGUAGE = VBScript.encode%>
// <%@ Language = "JScript" %>
// <%@ WebHandler Language="C#" class="Handler" %>
// <%@ WebService Language="C#" Class="Service" %>
// <%@Page Language="Jscript"%>
// <%@ Page Language = Jscript %>
// <%@PAGE LANGUAGE=JSCRIPT%>
// <%@ Page Language="Jscript" validateRequest="false" %>
// <%@ Page Language = Jscript %>
// <%@ Page Language="C#" %>
// <%@ Page Language="VB" ContentType="text/html" validaterequest="false" AspCompat="true" Debug="true" %>
// <script runat="server" language="JScript">
// <SCRIPT RUNAT=SERVER LANGUAGE=JSCRIPT>
// <SCRIPT RUNAT=SERVER LANGUAGE=JSCRIPT>
// <msxsl:script language="JScript" ...
$tagasp_long20 = /<(%|script|msxsl:script).{0,60}language="?(vb|jscript|c#)/ nocase wide ascii
$tagasp_long32 = /<script\s{1,30}runat=/ wide ascii
$tagasp_long33 = /<SCRIPT\s{1,30}RUNAT=/ wide ascii
// avoid hitting php
$php1 = "<?php"
$php2 = "<?="
// avoid hitting jsp
$jsp1 = "=\"java." wide ascii
$jsp2 = "=\"javax." wide ascii
$jsp3 = "java.lang." wide ascii
$jsp4 = "public" fullword wide ascii
$jsp5 = "throws" fullword wide ascii
$jsp6 = "getValue" fullword wide ascii
$jsp7 = "getBytes" fullword wide ascii
$perl1 = "PerlScript" fullword
condition:
// --- capa_asp gate: an ASP marker (directive, runat=server, scripting-host
// CLSID, or <% ... %> tags close to the start or end of the file) ...
filesize < 300KB and (
(
any of ( $tagasp_long* ) or
// TODO : yara_push_private_rules.py doesn't do private rules in private rules yet
any of ( $tagasp_classid* ) or
(
$tagasp_short1 and
$tagasp_short2 in ( filesize-100..filesize )
) or (
$tagasp_short2 and (
$tagasp_short1 in ( 0..1000 ) or
$tagasp_short1 in ( filesize-1000..filesize )
)
)
// ... that is not PHP/Perl (tag at offset 0) and not JSP (a java.* reference
// together with Java-keyword-like tokens).
) and not (
(
any of ( $perl* ) or
$php1 at 0 or
$php2 at 0
) or (
( #jsp1 + #jsp2 + #jsp3 ) > 0 and ( #jsp4 + #jsp5 + #jsp6 + #jsp7 ) > 0
)
)
)
and
// --- reGeorg-specific half: the banner string, or the full relay API set
// plus a request-input source.
( $georg or
( all of ( $sa* ) and any of ( $input_sa* ) ) )
}
rule WEBSHELL_CSHARP_Generic
{
// Generic (not reGeorg-specific) C#/ASPX command-execution webshell: request
// input (or an ASP.NET form control) feeding a Process.Start of cmd/powershell,
// behind the same capa_asp "is this an ASP page" gate as the rule above.
meta:
description = "Webshell in c#"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
score = 75
hash = "b6721683aadc4b4eba4f081f2bc6bc57adfc0e378f6d80e2bfa0b1e3e57c85c7"
date = "2021/01/11"
modified = "2023-07-05"
hash = "4b365fc9ddc8b247a12f4648cd5c91ee65e33fae"
hash = "019eb61a6b5046502808fb5ab2925be65c0539b4"
hash = "620ee444517df8e28f95e4046cd7509ac86cd514"
hash = "a91320483df0178eb3cafea830c1bd94585fc896"
id = "6d38a6b0-b1d2-51b0-9239-319f1fea7cae"
strings:
// Input: anything off the Request object, or a server control whose .Text is read.
$input_http = "Request." nocase wide ascii
$input_form1 = "<asp:" nocase wide ascii
$input_form2 = ".text" nocase wide ascii
// Execution: System.Diagnostics.Process creation plus start(. No fullword, so
// "Start(" and "ProcessStartInfo(...).Start(" both hit thanks to nocase.
$exec_proc1 = "new Process" nocase wide ascii
$exec_proc2 = "start(" nocase wide ascii
// Shell binary being launched.
$exec_shell1 = "cmd.exe" nocase wide ascii
$exec_shell2 = "powershell.exe" nocase wide ascii
//strings from private rule capa_asp
$tagasp_short1 = /<%[^"]/ wide ascii
// also looking for %> to reduce fp (yeah, short atom but seldom since special chars)
$tagasp_short2 = "%>" wide ascii
// classids for scripting host etc
$tagasp_classid1 = "72C24DD5-D70A-438B-8A42-98424B88AFB8" nocase wide ascii
$tagasp_classid2 = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B" nocase wide ascii
$tagasp_classid3 = "093FF999-1EA0-4079-9525-9614C3504B74" nocase wide ascii
$tagasp_classid4 = "F935DC26-1CF0-11D0-ADB9-00C04FD58A0B" nocase wide ascii
$tagasp_classid5 = "0D43FE01-F093-11CF-8940-00A0C9054228" nocase wide ascii
$tagasp_long10 = "<%@ " wide ascii
// <% eval
$tagasp_long11 = /<% \w/ nocase wide ascii
$tagasp_long12 = "<%ex" nocase wide ascii
$tagasp_long13 = "<%ev" nocase wide ascii
// <%@ LANGUAGE = VBScript.encode%>
// <%@ Language = "JScript" %>
// <%@ WebHandler Language="C#" class="Handler" %>
// <%@ WebService Language="C#" Class="Service" %>
// <%@Page Language="Jscript"%>
// <%@ Page Language = Jscript %>
// <%@PAGE LANGUAGE=JSCRIPT%>
// <%@ Page Language="Jscript" validateRequest="false" %>
// <%@ Page Language = Jscript %>
// <%@ Page Language="C#" %>
// <%@ Page Language="VB" ContentType="text/html" validaterequest="false" AspCompat="true" Debug="true" %>
// <script runat="server" language="JScript">
// <SCRIPT RUNAT=SERVER LANGUAGE=JSCRIPT>
// <SCRIPT RUNAT=SERVER LANGUAGE=JSCRIPT>
// <msxsl:script language="JScript" ...
$tagasp_long20 = /<(%|script|msxsl:script).{0,60}language="?(vb|jscript|c#)/ nocase wide ascii
$tagasp_long32 = /<script\s{1,30}runat=/ wide ascii
$tagasp_long33 = /<SCRIPT\s{1,30}RUNAT=/ wide ascii
// avoid hitting php
$php1 = "<?php"
$php2 = "<?="
// avoid hitting jsp
$jsp1 = "=\"java." wide ascii
$jsp2 = "=\"javax." wide ascii
$jsp3 = "java.lang." wide ascii
$jsp4 = "public" fullword wide ascii
$jsp5 = "throws" fullword wide ascii
$jsp6 = "getValue" fullword wide ascii
$jsp7 = "getBytes" fullword wide ascii
$perl1 = "PerlScript" fullword
condition:
// --- capa_asp gate (ASP marker present, PHP/Perl/JSP excluded).
(
(
any of ( $tagasp_long* ) or
// TODO : yara_push_private_rules.py doesn't do private rules in private rules yet
any of ( $tagasp_classid* ) or
(
$tagasp_short1 and
$tagasp_short2 in ( filesize-100..filesize )
) or (
$tagasp_short2 and (
$tagasp_short1 in ( 0..1000 ) or
$tagasp_short1 in ( filesize-1000..filesize )
)
)
) and not (
(
any of ( $perl* ) or
$php1 at 0 or
$php2 at 0
) or (
( #jsp1 + #jsp2 + #jsp3 ) > 0 and ( #jsp4 + #jsp5 + #jsp6 + #jsp7 ) > 0
)
)
)
// --- input source, process creation AND a shell binary name all required.
and filesize < 300KB and
( $input_http or all of ( $input_form* ) ) and all of ( $exec_proc* ) and any of ( $exec_shell* )
}
JSP
WEBSHELL_JSP_ReGeorg
Webshell regeorg JSP version
rule WEBSHELL_JSP_ReGeorg
{
// reGeorg tunnel.jsp: request headers used as the command channel (X-CMD /
// X-STATUS, FORWARD command) around a raw socket. All six tokens are required,
// behind the capa_jsp_safe "is this a JSP file" gate.
meta:
description = "Webshell regeorg JSP version"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
reference = "https://github.com/sensepost/reGeorg"
hash = "6db49e43722080b5cd5f07e058a073ba5248b584"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2021/01/24"
modified = "2024-12-09"
score = 75
hash = "650eaa21f4031d7da591ebb68e9fc5ce5c860689"
hash = "00c86bf6ce026ccfaac955840d18391fbff5c933"
// Same SHA-1 as the first 'hash' entry above; harmless duplicate in meta.
hash = "6db49e43722080b5cd5f07e058a073ba5248b584"
hash = "9108a33058aa9a2fb6118b719c5b1318f33f0989"
id = "cbb90005-d8f8-5c64-85d1-29e466f48c25"
strings:
// $jgeorg1/2/5 are ordinary servlet vocabulary; the specificity comes from
// requiring the X-CMD / X-STATUS header names and the FORWARD command too.
$jgeorg1 = "request" fullword wide ascii
$jgeorg2 = "getHeader" fullword wide ascii
$jgeorg3 = "X-CMD" fullword wide ascii
$jgeorg4 = "X-STATUS" fullword wide ascii
$jgeorg5 = "socket" fullword wide ascii
$jgeorg6 = "FORWARD" fullword wide ascii
//strings from private rule capa_jsp_safe
$cjsp_short1 = "<%" ascii wide
$cjsp_short2 = "%>" wide ascii
$cjsp_long1 = "<jsp:" ascii wide
$cjsp_long2 = /language=[\"']java[\"\']/ ascii wide
// JSF
$cjsp_long3 = "/jstl/core" ascii wide
$cjsp_long4 = "<%@p" nocase ascii wide
$cjsp_long5 = "<%@ " nocase ascii wide
$cjsp_long6 = "<% " ascii wide
$cjsp_long7 = "< %" ascii wide
condition:
// capa_jsp_safe gate: a JSP tag at offset 0, an unambiguous JSP/JSTL marker
// anywhere, or <% ... %> tags near the start or the end of the file.
filesize < 300KB and (
$cjsp_short1 at 0 or
any of ( $cjsp_long* ) or
($cjsp_short1 and $cjsp_short2 in ( filesize-100..filesize )) or
(
$cjsp_short2 and (
$cjsp_short1 in ( 0..1000 ) or
$cjsp_short1 in ( filesize-1000..filesize )
)
)
)
and all of ( $jgeorg* )
}
rule WEBSHELL_JSP_HTTP_Proxy
{
// Small JSP page that opens an outbound HTTP connection driven by a request
// parameter and pipes streams back: a forward proxy / tunnel, not a command
// shell. Every $jh* token is required, and the file must be under 10KB, which
// is what keeps these generic stream/connection names from hitting real apps.
meta:
description = "Webshell JSP HTTP proxy"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
hash = "2f9b647660923c5262636a5344e2665512a947a4"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
score = 75
date = "2021/01/24"
modified = "2024-12-09"
hash = "97c1e2bf7e769d3fc94ae2fc74ac895f669102c6"
// Same SHA-1 as the first 'hash' entry above; harmless duplicate in meta.
hash = "2f9b647660923c5262636a5344e2665512a947a4"
id = "55be246e-30a8-52ed-bc5f-507e63bbfe16"
strings:
$jh1 = "OutputStream" fullword wide ascii
// No fullword on purpose: also matches getInputStream, BufferedInputStream, ...
$jh2 = "InputStream" wide ascii
$jh3 = "BufferedReader" fullword wide ascii
$jh4 = "HttpRequest" fullword wide ascii
$jh5 = "openConnection" fullword wide ascii
$jh6 = "getParameter" fullword wide ascii
//strings from private rule capa_jsp_safe
$cjsp_short1 = "<%" ascii wide
$cjsp_short2 = "%>" wide ascii
$cjsp_long1 = "<jsp:" ascii wide
$cjsp_long2 = /language=[\"']java[\"\']/ ascii wide
// JSF
$cjsp_long3 = "/jstl/core" ascii wide
$cjsp_long4 = "<%@p" nocase ascii wide
$cjsp_long5 = "<%@ " nocase ascii wide
$cjsp_long6 = "<% " ascii wide
$cjsp_long7 = "< %" ascii wide
condition:
// capa_jsp_safe gate (JSP tag at offset 0, JSP/JSTL marker, or <% %> near
// either end of the file), with a tight 10KB size budget.
filesize < 10KB and (
$cjsp_short1 at 0 or
any of ( $cjsp_long* ) or
($cjsp_short1 and $cjsp_short2 in ( filesize-100..filesize )) or
(
$cjsp_short2 and (
$cjsp_short1 in ( 0..1000 ) or
$cjsp_short1 in ( filesize-1000..filesize )
)
)
)
and all of ( $jh* )
}
rule WEBSHELL_JSP_Writer_Nano
{
// Minimal JSP "dropper": takes request input and writes it to disk (directly
// via FileOutputStream/decodeBuffer, or indirectly through java.util.logging
// FileHandler). Restricted to very small files, or files under 1000 bytes that
// also carry a one-char parameter name or a known coder tag.
meta:
description = "JSP file writer"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
score = 75
date = "2021/01/24"
modified = "2024-12-09"
hash = "ac91e5b9b9dcd373eaa9360a51aa661481ab9429"
hash = "c718c885b5d6e29161ee8ea0acadb6e53c556513"
hash = "9f1df0249a6a491cdd5df598d83307338daa4c43"
hash = "5e241d9d3a045d3ade7b6ff6af6c57b149fa356e"
id = "422a18f2-d6d4-5b42-be15-1eafe44e01cf"
strings:
// writting file to disk
$payload1 = ".write" wide ascii
$payload2 = "getBytes" fullword wide ascii
$payload3 = ".decodeBuffer" wide ascii
$payload4 = "FileOutputStream" fullword wide ascii
// writting using java logging, e.g 9f1df0249a6a491cdd5df598d83307338daa4c43
$logger1 = "getLogger" fullword ascii wide
$logger2 = "FileHandler" fullword ascii wide
$logger3 = "addHandler" fullword ascii wide
//strings from private rule capa_jsp_input
// request.getParameter
$input1 = "getParameter" fullword ascii wide
// request.getHeaders
$input2 = "getHeaders" fullword ascii wide
$input3 = "getInputStream" fullword ascii wide
$input4 = "getReader" fullword ascii wide
$req1 = "request" fullword ascii wide
$req2 = "HttpServletRequest" fullword ascii wide
$req3 = "getRequest" fullword ascii wide
// Suspicion boosters that unlock the larger (<1000 byte) size budget.
$jw_sus1 = /getParameter\("."\)/ ascii wide // one char param
$jw_sus4 = "yoco" fullword ascii wide // webshell coder
//strings from private rule capa_jsp_safe
$cjsp_short1 = "<%" ascii wide
$cjsp_short2 = "%>" wide ascii
$cjsp_long1 = "<jsp:" ascii wide
$cjsp_long2 = /language=[\"']java[\"\']/ ascii wide
// JSF
$cjsp_long3 = "/jstl/core" ascii wide
$cjsp_long4 = "<%@p" nocase ascii wide
$cjsp_long5 = "<%@ " nocase ascii wide
$cjsp_long6 = "<% " ascii wide
$cjsp_long7 = "< %" ascii wide
condition:
//any of them or
// (1) request input: an accessor AND a request object reference.
(
any of ( $input* ) and
any of ( $req* )
// (2) size budget: tiny, or small with a suspicion booster.
) and (
filesize < 200 or
(
filesize < 1000 and
any of ( $jw_sus* )
)
)
// (3) capa_jsp_safe gate: looks like a JSP file.
and (
$cjsp_short1 at 0 or
any of ( $cjsp_long* ) or
($cjsp_short1 and $cjsp_short2 in ( filesize-100..filesize )) or
(
$cjsp_short2 and (
$cjsp_short1 in ( 0..1000 ) or
$cjsp_short1 in ( filesize-1000..filesize )
)
)
)
// (4) a file-write primitive: two direct write tokens, or the full logging trio.
and (
2 of ( $payload* ) or
all of ( $logger* )
)
}
rule EXT_WEBSHELL_JSP_Generic_Tiny
{
// Generic one-liner style JSP command shell: request input (or a hard-coded
// reverse-shell command) reaching ProcessBuilder / URLClassLoader /
// Runtime.getRuntime().exec(). Size-gated to tiny files, with suspicion markers
// unlocking a slightly larger budget.
meta:
description = "Generic JSP webshell tiny"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
score = 75
date = "2021/01/07"
modified = "2024-12-16"
hash = "8fd343db0442136e693e745d7af1018a99b042af"
hash = "87c3ac9b75a72187e8bc6c61f50659435dbdc4fde6ed720cebb93881ba5989d8"
hash = "1aa6af726137bf261849c05d18d0a630d95530588832aadd5101af28acc034b5"
id = "fad14524-de44-52ea-95e6-3e5de3138926"
strings:
// Payload: either class on its own, or all three Runtime tokens together.
$payload1 = "ProcessBuilder" fullword wide ascii
$payload2 = "URLClassLoader" fullword wide ascii
// Runtime.getRuntime().exec(
$payload_rt1 = "Runtime" fullword wide ascii
$payload_rt2 = "getRuntime" fullword wide ascii
$payload_rt3 = "exec" fullword wide ascii
// Suspicion markers that unlock the <1000 byte budget (otherwise <250 bytes).
$jg_sus1 = "xe /c" ascii wide // of cmd.exe /c
$jg_sus2 = /getParameter\("."\)/ ascii wide // one char param
$jg_sus3 = "</pre>" ascii wide // webshells like fixed font wide
$jg_sus4 = "BASE64Decoder" fullword ascii wide
//strings from private rule capa_jsp_safe
$cjsp_short1 = "<%" ascii wide
$cjsp_short2 = "%>" wide ascii
$cjsp_long1 = "<jsp:" ascii wide
$cjsp_long2 = /language=[\"']java[\"\']/ ascii wide
// JSF
$cjsp_long3 = "/jstl/core" ascii wide
$cjsp_long4 = "<%@p" nocase ascii wide
$cjsp_long5 = "<%@ " nocase ascii wide
$cjsp_long6 = "<% " ascii wide
$cjsp_long7 = "< %" ascii wide
//strings from private rule capa_jsp_input
// request.getParameter
$input1 = "getParameter" fullword ascii wide
// request.getHeaders
$input2 = "getHeaders" fullword ascii wide
$input3 = "getInputStream" fullword ascii wide
$input4 = "getReader" fullword ascii wide
$req1 = "request" fullword ascii wide
$req2 = "HttpServletRequest" fullword ascii wide
$req3 = "getRequest" fullword ascii wide
// no web input but fixed command to create reverse shell
$fixed_cmd1 = "bash -i >& /dev/" ascii wide
// Known benign hit: descriptor text shipped with the Find Security Bugs plugin.
$fp1 = "Find Security Bugs is a plugin that aims to help security audit.</Details>"
condition:
//any of them or
// (1) size budget.
(
(
filesize < 1000 and
any of ( $jg_sus* )
) or
filesize < 250
// (2) capa_jsp_safe gate: looks like a JSP file.
) and (
$cjsp_short1 at 0 or
any of ( $cjsp_long* ) or
($cjsp_short1 and $cjsp_short2 in ( filesize-100..filesize )) or
(
$cjsp_short2 and (
$cjsp_short1 in ( 0..1000 ) or
$cjsp_short1 in ( filesize-1000..filesize )
)
)
)
// (3) command source: request input, or a baked-in reverse shell.
and (
(
any of ( $input* ) and
any of ( $req* )
) or (
any of ( $fixed_cmd* )
)
)
// (4) execution primitive, minus the known false positive.
and
( 1 of ( $payload* ) or all of ( $payload_rt* ) )
and not any of ( $fp* )
}
rule WEBSHELL_JSP_Generic
{
// Generic JSP command shell up to 300KB: request input + an exec primitive
// (ProcessBuilder / processCmd / Runtime.getRuntime().exec) + at least one
// "shell-ish" vocabulary or \u00xx-obfuscation marker, excluding binaries.
meta:
description = "Generic JSP webshell"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
score = 75
date = "2021/01/07"
modified = "2025-08-18"
hash = "4762f36ca01fb9cda2ab559623d2206f401fc0b1"
hash = "bdaf9279b3d9e07e955d0ce706d9c42e4bdf9aa1"
hash = "ee9408eb923f2d16f606a5aaac7e16b009797a07"
id = "7535ade8-fc65-5558-a72c-cc14c3306390"
strings:
// Vocabulary typical of interactive shells; any one of these is enough.
$susp0 = "cmd" fullword nocase ascii wide
$susp1 = "command" fullword nocase ascii wide
$susp2 = "shell" fullword nocase ascii wide
$susp3 = "download" fullword nocase ascii wide
$susp4 = "upload" fullword nocase ascii wide
$susp5 = "Execute" fullword nocase ascii wide
$susp6 = "\"pwd\"" ascii wide
$susp7 = "\"</pre>" ascii wide
// Four consecutive \u00xx escapes: source-level obfuscation of ASCII identifiers.
$susp8 = /\\u00\d\d\\u00\d\d\\u00\d\d\\u00\d\d/ ascii wide
$susp9 = "*/\\u00" ascii wide // perfect match of 2 obfuscation methods: /**/\u00xx :)
// Known benign sample that otherwise satisfies every clause.
$fp1 = "command = \"cmd.exe /c set\";"
//strings from private rule capa_bin_files
// Magic bytes of compiled/packed containers that are excluded below.
$dex1 = "dex\n0"
$dex2 = "dey\n0"
$pack = { 50 41 43 4b 00 00 00 02 00 }
//strings from private rule capa_jsp_safe
$cjsp_short1 = "<%" ascii wide
$cjsp_short2 = "%>" wide ascii
$cjsp_long1 = "<jsp:" ascii wide
$cjsp_long2 = /language=[\"']java[\"\']/ ascii wide
// JSF
$cjsp_long3 = "/jstl/core" ascii wide
$cjsp_long4 = "<%@p" nocase ascii wide
$cjsp_long5 = "<%@ " nocase ascii wide
$cjsp_long6 = "<% " ascii wide
$cjsp_long7 = "< %" ascii wide
//strings from private rule capa_jsp_input
// request.getParameter
$input1 = "getParameter" fullword ascii wide
// request.getHeaders
$input2 = "getHeaders" fullword ascii wide
$input3 = "getInputStream" fullword ascii wide
$input4 = "getReader" fullword ascii wide
$req1 = "request" fullword ascii wide
$req2 = "HttpServletRequest" fullword ascii wide
$req3 = "getRequest" fullword ascii wide
//strings from private rule capa_jsp_payload
$payload1 = "ProcessBuilder" fullword ascii wide
$payload2 = "processCmd" fullword ascii wide
// Runtime.getRuntime().exec(
$rt_payload1 = "Runtime" fullword ascii wide
$rt_payload2 = "getRuntime" fullword ascii wide
$rt_payload3 = "exec" fullword ascii wide
condition:
// (1) not a binary container: PE (MZ), dex/dey, "PACK" header, or a
// stored-only zip/jar that starts with PK.
filesize < 300KB and not (
uint16(0) == 0x5a4d or
$dex1 at 0 or
$dex2 at 0 or
$pack at 0 or
// fp on jar with zero compression
uint16(0) == 0x4b50
)
// (2) capa_jsp_safe gate: looks like a JSP file.
and (
$cjsp_short1 at 0 or
any of ( $cjsp_long* ) or
($cjsp_short1 and $cjsp_short2 in ( filesize-100..filesize )) or
(
$cjsp_short2 and (
$cjsp_short1 in ( 0..1000 ) or
$cjsp_short1 in ( filesize-1000..filesize )
)
)
)
// (3) request input.
and (
any of ( $input* ) and
any of ( $req* )
)
// (4) exec primitive, (5) shell vocabulary, minus the known false positive.
and (
1 of ( $payload* ) or
all of ( $rt_payload* )
)
and not any of ( $fp* ) and any of ( $susp* )
}
rule WEBSHELL_JSP_Generic_Base64
{
    meta:
        description = "Generic JSP webshell with base64 encoded payload"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        reference = "Internal Research"
        score = 75
        date = "2021/01/24"
        modified = "2025-08-18"
        hash = "8b5fe53f8833df3657ae2eeafb4fd101c05f0db0"
        hash = "1b916afdd415dfa4e77cecf47321fd676ba2184d"
        id = "2eabbad2-7d10-573a-9120-b9b763fa2352"
    strings:
        // Each keyword is listed in its three base64 alignments (the word starting
        // at offset 0, 1 or 2 of a 3-byte group) and in the three alignments of its
        // UTF-16LE encoding, so a hit does not depend on where the word sits inside
        // the encoded blob.
        // "Runtime"
        $one1 = "SdW50aW1l" wide ascii
        $one2 = "J1bnRpbW" wide ascii
        $one3 = "UnVudGltZ" wide ascii
        $one4 = "IAdQBuAHQAaQBtAGUA" wide ascii
        $one5 = "SAHUAbgB0AGkAbQBlA" wide ascii
        $one6 = "UgB1AG4AdABpAG0AZQ" wide ascii
        // "exec"
        $two1 = "leGVj" wide ascii
        $two2 = "V4ZW" wide ascii
        $two3 = "ZXhlY" wide ascii
        $two4 = "UAeABlAGMA" wide ascii
        $two5 = "lAHgAZQBjA" wide ascii
        $two6 = "ZQB4AGUAYw" wide ascii
        // "ScriptEngineFactory" (script-engine based execution, needs no exec token)
        $three1 = "TY3JpcHRFbmdpbmVGYWN0b3J5" wide ascii
        $three2 = "NjcmlwdEVuZ2luZUZhY3Rvcn" wide ascii
        $three3 = "U2NyaXB0RW5naW5lRmFjdG9ye" wide ascii
        $three4 = "MAYwByAGkAcAB0AEUAbgBnAGkAbgBlAEYAYQBjAHQAbwByAHkA" wide ascii
        $three5 = "TAGMAcgBpAHAAdABFAG4AZwBpAG4AZQBGAGEAYwB0AG8AcgB5A" wide ascii
        $three6 = "UwBjAHIAaQBwAHQARQBuAGcAaQBuAGUARgBhAGMAdABvAHIAeQ" wide ascii
        //strings from private rule capa_jsp_safe
        $cjsp_short1 = "<%" ascii wide
        $cjsp_short2 = "%>" wide ascii
        $cjsp_long1 = "<jsp:" ascii wide
        $cjsp_long2 = /language=[\"']java[\"\']/ ascii wide
        // JSF
        $cjsp_long3 = "/jstl/core" ascii wide
        $cjsp_long4 = "<%@p" nocase ascii wide
        $cjsp_long5 = "<%@ " nocase ascii wide
        $cjsp_long6 = "<% " ascii wide
        $cjsp_long7 = "< %" ascii wide
        //strings from private rule capa_bin_files
        $dex1 = "dex\n0"
        $dex2 = "dey\n0"
        $pack = { 50 41 43 4b 00 00 00 02 00 }
    condition:
        filesize < 300KB
        // Skip compiled/packed containers: PE (MZ), dex/dey, "PACK" header, and
        // stored-only zips/jars that start with PK.
        and not (
            uint16(0) == 0x5a4d or
            $dex1 at 0 or
            $dex2 at 0 or
            $pack at 0 or
            // fp on jar with zero compression
            uint16(0) == 0x4b50
        )
        // capa_jsp_safe gate: JSP tag at offset 0, an unambiguous JSP/JSTL marker
        // anywhere, or <% ... %> tags near the start or the end of the file.
        and (
            $cjsp_short1 at 0 or
            any of ( $cjsp_long* ) or
            ( $cjsp_short1 and $cjsp_short2 in ( filesize-100..filesize ) ) or
            (
                $cjsp_short2 and (
                    $cjsp_short1 in ( 0..1000 ) or
                    $cjsp_short1 in ( filesize-1000..filesize )
                )
            )
        )
        // 'and' binds tighter than 'or' in YARA; the parentheses spell out the
        // grouping the original relied on: (Runtime AND exec) OR ScriptEngineFactory.
        and (
            ( any of ( $one* ) and any of ( $two* ) )
            or any of ( $three* )
        )
}
rule WEBSHELL_JSP_Generic_ProcessBuilder
{
    meta:
        description = "Generic JSP webshell which uses processbuilder to execute user input"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        reference = "Internal Research"
        score = 75
        date = "2021/01/07"
        modified = "2023-04-05"
        hash = "82198670ac2072cd5c2853d59dcd0f8dfcc28923"
        hash = "c05a520d96e4ebf9eb5c73fc0fa446ceb5caf343"
        hash = "347a55c174ee39ec912d9107e971d740f3208d53af43ea480f502d177106bbe8"
        hash = "d0ba29b646274e8cda5be1b940a38d248880d9e2bba11d994d4392c80d6b65bd"
        id = "2a7c5f44-24a1-5f43-996e-945c209b79b1"
    strings:
        // Execution primitive: new ProcessBuilder(...).start(). Both tokens are
        // generic, which is why the rule is limited to very small files.
        $pb_class = "ProcessBuilder" fullword wide ascii
        $pb_start = "start" fullword wide ascii
        //strings from private rule capa_jsp_input
        // request.getParameter
        $input1 = "getParameter" fullword ascii wide
        // request.getHeaders
        $input2 = "getHeaders" fullword ascii wide
        $input3 = "getInputStream" fullword ascii wide
        $input4 = "getReader" fullword ascii wide
        $req1 = "request" fullword ascii wide
        $req2 = "HttpServletRequest" fullword ascii wide
        $req3 = "getRequest" fullword ascii wide
    condition:
        // No JSP-tag gate here: the 2000-byte cap plus request input plus the
        // ProcessBuilder/start pair is the whole signature.
        $pb_class and $pb_start
        and any of ( $req* )
        and any of ( $input* )
        and filesize < 2000
}
rule WEBSHELL_JSP_Generic_Reflection
{
// JSP that executes via reflection (Class... invoke). Two routes in: a small
// file with request input, or a mid-sized file carrying a Base64 decoder
// reference whose middle section statistically looks like a base64 blob.
// NOTE: the condition uses math.entropy / math.mean / math.deviation, so the
// rule file must begin with `import "math"`; without it this rule does not compile.
meta:
description = "Generic JSP webshell which uses reflection to execute user input"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
score = 75
date = "2021/01/07"
modified = "2024-12-09"
hash = "62e6c6065b5ca45819c1fc049518c81d7d165744"
hash = "bf0ff88cbb72c719a291c722ae3115b91748d5c4920afe7a00a0d921d562e188"
id = "806ffc8b-1dc8-5e28-ae94-12ad3fee18cd"
strings:
// Reflection pair; both required.
$ws_exec = "invoke" fullword wide ascii
$ws_class = "Class" fullword wide ascii
// Legitimate reflection-heavy code excluded outright.
$fp1 = "SOAPConnection"
$fp2 = "/CORBA/"
//strings from private rule capa_jsp_safe
$cjsp_short1 = "<%" ascii wide
$cjsp_short2 = "%>" wide ascii
$cjsp_long1 = "<jsp:" ascii wide
$cjsp_long2 = /language=[\"']java[\"\']/ ascii wide
// JSF
$cjsp_long3 = "/jstl/core" ascii wide
$cjsp_long4 = "<%@p" nocase ascii wide
$cjsp_long5 = "<%@ " nocase ascii wide
$cjsp_long6 = "<% " ascii wide
$cjsp_long7 = "< %" ascii wide
//strings from private rule capa_jsp_input
// request.getParameter
$input1 = "getParameter" fullword ascii wide
// request.getHeaders
$input2 = "getHeaders" fullword ascii wide
$input3 = "getInputStream" fullword ascii wide
$input4 = "getReader" fullword ascii wide
$req1 = "request" fullword ascii wide
$req2 = "HttpServletRequest" fullword ascii wide
$req3 = "getRequest" fullword ascii wide
// Decoder class name as a quoted string literal, i.e. loaded reflectively too.
$cj_encoded1 = "\"java.util.Base64$Decoder\"" ascii wide
condition:
//any of them or
// (1) reflection pair, (2) capa_jsp_safe gate: looks like a JSP file.
all of ( $ws_* ) and (
$cjsp_short1 at 0 or
any of ( $cjsp_long* ) or
($cjsp_short1 and $cjsp_short2 in ( filesize-100..filesize )) or
(
$cjsp_short2 and (
$cjsp_short1 in ( 0..1000 ) or
$cjsp_short1 in ( filesize-1000..filesize )
)
)
)
and not any of ( $fp* ) and
(
// either some kind of code input from the a web request ...
filesize < 10KB and
(
any of ( $input* ) and
any of ( $req* )
)
or
(
// ... or some encoded payload (which might get code input from a web request)
filesize < 30KB and
any of ( $cj_encoded* ) and
// base64 :
// ignore first and last 500bytes because they usually contain code for decoding and executing
math.entropy(500, filesize-500) >= 5.5 and
// encoded text has a higher mean than text or code because it's missing the spaces and special chars with the low numbers
math.mean(500, filesize-500) > 80 and
// deviation of base64 is ~20 according to CyberChef_v9.21.0.html#recipe=Generate_Lorem_Ipsum(3,'Paragraphs')To_Base64('A-Za-z0-9%2B/%3D')To_Charcode('Space',10)Standard_Deviation('Space')
// lets take a bit more because it might not be pure base64 also include some xor, shift, replacement, ...
// 89 is the mean of the base64 chars
math.deviation(500, filesize-500, 89.0) < 23
)
)
}
rule WEBSHELL_JSP_Generic_Classloader
{
// JSP that defines a custom ClassLoader and calls defineClass on request-supplied
// bytes (the classic "load a class from the request" shell). Small files match
// directly; up to 50KB is allowed when the middle of the file is either pure
// padding (entropy <= 1) or random-looking data (entropy >= 7.7).
// NOTE: the condition uses math.entropy, so the rule file must begin with
// `import "math"`; without it this rule does not compile.
meta:
description = "Generic JSP webshell which uses classloader to execute user input"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
score = 75
hash = "6b546e78cc7821b63192bb8e087c133e8702a377d17baaeb64b13f0dd61e2347"
date = "2021/01/07"
modified = "2024-12-09"
hash = "f3a7e28e1c38fa5d37811bdda1d6b0893ab876023d3bd696747a35c04141dcf0"
hash = "8ea2a25344e6094fa82dfc097bbec5f1675f6058f2b7560deb4390bcbce5a0e7"
hash = "b9ea1e9f91c70160ee29151aa35f23c236d220c72709b2b75123e6fa1da5c86c"
hash = "80211c97f5b5cd6c3ab23ae51003fd73409d273727ba502d052f6c2bd07046d6"
hash = "8e544a5f0c242d1f7be503e045738369405d39731fcd553a38b568e0889af1f2"
id = "037e6b24-9faf-569b-bb52-dbe671ab2e87"
strings:
// Both required: a ClassLoader subclass and the protected defineClass call.
$exec = "extends ClassLoader" wide ascii
$class = "defineClass" fullword wide ascii
//strings from private rule capa_jsp_safe
$cjsp_short1 = "<%" ascii wide
$cjsp_short2 = "%>" wide ascii
$cjsp_long1 = "<jsp:" ascii wide
$cjsp_long2 = /language=[\"']java[\"\']/ ascii wide
// JSF
$cjsp_long3 = "/jstl/core" ascii wide
$cjsp_long4 = "<%@p" nocase ascii wide
$cjsp_long5 = "<%@ " nocase ascii wide
$cjsp_long6 = "<% " ascii wide
$cjsp_long7 = "< %" ascii wide
//strings from private rule capa_jsp_input
// request.getParameter
$input1 = "getParameter" fullword ascii wide
// request.getHeaders
$input2 = "getHeaders" fullword ascii wide
$input3 = "getInputStream" fullword ascii wide
$input4 = "getReader" fullword ascii wide
$req1 = "request" fullword ascii wide
$req2 = "HttpServletRequest" fullword ascii wide
$req3 = "getRequest" fullword ascii wide
condition:
//any of them or
(
// (1) capa_jsp_safe gate: looks like a JSP file.
(
$cjsp_short1 at 0 or
any of ( $cjsp_long* ) or
($cjsp_short1 and $cjsp_short2 in ( filesize-100..filesize )) or
(
$cjsp_short2 and (
$cjsp_short1 in ( 0..1000 ) or
$cjsp_short1 in ( filesize-1000..filesize )
)
)
)
// (2) request input, (3) classloader pair.
and (
any of ( $input* ) and
any of ( $req* )
)
and $exec and $class
) and
// (4) size budget; the entropy checks skip the first/last 500 bytes.
(
filesize < 10KB or
(
filesize < 50KB and
(
// filled with same characters
math.entropy(500, filesize-500) <= 1 or
// filled with random garbage
math.entropy(500, filesize-500) >= 7.7
)
)
)
}
rule WEBSHELL_JSP_Generic_Encoded_Shell
{
    meta:
        description = "Generic JSP webshell which contains cmd or /bin/bash encoded in ascii ord"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        reference = "Internal Research"
        score = 75
        date = "2021/01/07"
        modified = "2023-07-05"
        hash = "3eecc354390d60878afaa67a20b0802ce5805f3a9bb34e74dd8c363e3ca0ea5c"
        hash = "f6c2112e3a25ec610b517ff481675b2ce893cb9f"
        hash = "62e6c6065b5ca45819c1fc049518c81d7d165744"
        id = "359949d7-1793-5e13-9fdc-fe995ae12117"
    strings:
        // Brace-delimited lists of decimal character codes, as written in a Java
        // array initialiser such as { 99, 109, 100 }. The decoded text is given next
        // to each pattern. No JSP-tag gate: the byte sequences are specific enough.
        $ord0 = /\{ ?47, 98, 105, 110, 47, 98, 97, 115, 104/ wide ascii   // "/bin/bash" (every hit is also an $ord3 hit)
        $ord1 = /\{ ?99, 109, 100}/ wide ascii                            // "cmd" as the whole literal
        $ord2 = /\{ ?99, 109, 100, 46, 101, 120, 101/ wide ascii          // "cmd.exe"
        $ord3 = /\{ ?47, 98, 105, 110, 47, 98, 97/ wide ascii             // "/bin/ba" (bash, ...)
        $ord4 = /\{ ?106, 97, 118, 97, 46, 108, 97, 110/ wide ascii       // "java.lan" (java.lang.*)
        $ord5 = /\{ ?101, 120, 101, 99 }/ wide ascii                      // "exec" as the whole literal
        $ord6 = /\{ ?103, 101, 116, 82, 117, 110/ wide ascii              // "getRun" (getRuntime)
    condition:
        1 of ( $ord* ) and filesize < 300KB
}
rule WEBSHELL_JSP_NetSpy
{
// "netspy"-style JSP scanner: request input, HttpURLConnection, a file/print
// writer for results, and at least four of the scan/port/proxy/http words.
// The $scan* words are ordinary vocabulary; the 30KB cap and the 4-of-6 count
// are what keep this from firing on real web apps.
meta:
description = "JSP netspy webshell"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
score = 75
date = "2021/01/24"
modified = "2024-12-09"
hash = "94d1aaabde8ff9b4b8f394dc68caebf981c86587"
hash = "3870b31f26975a7cb424eab6521fc9bffc2af580"
id = "41f5c171-878d-579f-811d-91d74f7e3e24"
strings:
// $scan1/$scan2 carry no fullword: "scanner", "ports", "portscan" all count.
$scan1 = "scan" nocase wide ascii
$scan2 = "port" nocase wide ascii
$scan3 = "web" fullword nocase wide ascii
$scan4 = "proxy" fullword nocase wide ascii
$scan5 = "http" fullword nocase wide ascii
$scan6 = "https" fullword nocase wide ascii
// Result sink: raw stream write, file output, or a PrintWriter.
$write1 = "os.write" fullword wide ascii
$write2 = "FileOutputStream" fullword wide ascii
$write3 = "PrintWriter" fullword wide ascii
// Fully qualified class name, i.e. used without an import.
$http = "java.net.HttpURLConnection" fullword wide ascii
//strings from private rule capa_jsp_safe
$cjsp_short1 = "<%" ascii wide
$cjsp_short2 = "%>" wide ascii
$cjsp_long1 = "<jsp:" ascii wide
$cjsp_long2 = /language=[\"']java[\"\']/ ascii wide
// JSF
$cjsp_long3 = "/jstl/core" ascii wide
$cjsp_long4 = "<%@p" nocase ascii wide
$cjsp_long5 = "<%@ " nocase ascii wide
$cjsp_long6 = "<% " ascii wide
$cjsp_long7 = "< %" ascii wide
//strings from private rule capa_jsp_input
// request.getParameter
$input1 = "getParameter" fullword ascii wide
// request.getHeaders
$input2 = "getHeaders" fullword ascii wide
$input3 = "getInputStream" fullword ascii wide
$input4 = "getReader" fullword ascii wide
$req1 = "request" fullword ascii wide
$req2 = "HttpServletRequest" fullword ascii wide
$req3 = "getRequest" fullword ascii wide
condition:
// (1) size cap and capa_jsp_safe gate: looks like a JSP file.
filesize < 30KB and (
$cjsp_short1 at 0 or
any of ( $cjsp_long* ) or
($cjsp_short1 and $cjsp_short2 in ( filesize-100..filesize )) or
(
$cjsp_short2 and (
$cjsp_short1 in ( 0..1000 ) or
$cjsp_short1 in ( filesize-1000..filesize )
)
)
)
// (2) request input.
and (
any of ( $input* ) and
any of ( $req* )
)
// (3) scanner vocabulary, a result sink and the HTTP client class.
and 4 of ( $scan* ) and 1 of ( $write* ) and $http
}
rule WEBSHELL_JSP_By_String
{
// Catch-all on distinctive literals from known JSP shells plus a few Java
// source-obfuscation tells. Two branches: a JSP-looking file under 100KB with
// any listed string, or a file under 500KB that is heavily \u-obfuscated.
meta:
description = "JSP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions."
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
score = 75
date = "2021/01/09"
modified = "2025-08-18"
hash = "e9060aa2caf96be49e3b6f490d08b8a996c4b084"
hash = "4c2464503237beba54f66f4a099e7e75028707aa"
hash = "06b42d4707e7326aff402ecbb585884863c6351a"
hash = "dada47c052ec7fcf11d5cfb25693bc300d3df87de182a254f9b66c7c2c63bf2e"
hash = "f9f6c696c1f90df6421cd9878a1dec51a62e91b4b4f7eac4920399cb39bc3139"
hash = "f1d8360dc92544cce301949e23aad6eb49049bacf9b7f54c24f89f7f02d214bb"
hash = "1d1f26b1925a9d0caca3fdd8116629bbcf69f37f751a532b7096a1e37f4f0076"
hash = "850f998753fde301d7c688b4eca784a045130039512cf51292fcb678187c560b"
id = "8d64e40b-5583-5887-afe1-b926d9880913"
strings:
// Literal strings lifted from specific webshell families/samples.
$jstring1 = "<title>Boot Shell</title>" wide ascii
$jstring2 = "String oraPWD=\"" wide ascii
$jstring3 = "Owned by Chinese Hackers!" wide ascii
$jstring4 = "AntSword JSP" wide ascii
$jstring5 = "JSP Webshell</" wide ascii
$jstring6 = "motoME722remind2012" wide ascii
$jstring7 = "EC(getFromBase64(toStringHex(request.getParameter(\"password" wide ascii
$jstring8 = "http://jmmm.com/web/index.jsp" wide ascii
$jstring9 = "list.jsp = Directory & File View" wide ascii
$jstring10 = "jdbcRowSet.setDataSourceName(request.getParameter(" wide ascii
$jstring11 = "Mr.Un1k0d3r RingZer0 Team" wide ascii
$jstring12 = "MiniWebCmdShell" fullword wide ascii
$jstring13 = "pwnshell.jsp" fullword wide ascii
$jstring14 = "session set <key> <value> [class]<br>" wide ascii
$jstring15 = "Runtime.getRuntime().exec(request.getParameter(" nocase wide ascii
// Polyglot: GIF header immediately followed by a page directive (upload-filter bypass).
$jstring16 = "GIF98a<%@page" wide ascii
$jstring17 = "Tas9er" fullword wide ascii
// Java's "extra u" escape trick (\uu0028 is as valid as \u0028): three escaped
// characters that appear when source is obfuscated this way.
$jstring18 = "uu0028\\u" wide ascii //obfuscated ( (U+0028), not /
$jstring19 = "uu0065\\u" wide ascii //obfuscated e
$jstring20 = "uu0073\\u" wide ascii //obfuscated s
// Matches \uu + up to 50 more u's + "00"; counted (#jstring21) in the second branch.
$jstring21 = /\\uuu{0,50}00/ wide ascii //obfuscated via javas unlimited amount of u in \uuuuuu
$jstring22 = /[\w\.]\\u(FFFB|FEFF|FFF9|FFFA|200C|202E|202D)[\w\.]/ wide ascii // java ignores the unicode Interlinear Annotation Terminator inbetween any command
$jstring23 = "\"e45e329feb5d925b\"" wide ascii
$jstring24 = "u<![CDATA[n" wide ascii
//strings from private rule capa_jsp_safe
$cjsp_short1 = "<%" ascii wide
$cjsp_short2 = "%>" wide ascii
$cjsp_long1 = "<jsp:" ascii wide
$cjsp_long2 = /language=[\"']java[\"\']/ ascii wide
// JSF
$cjsp_long3 = "/jstl/core" ascii wide
$cjsp_long4 = "<%@p" nocase ascii wide
$cjsp_long5 = "<%@ " nocase ascii wide
$cjsp_long6 = "<% " ascii wide
$cjsp_long7 = "< %" ascii wide
//strings from private rule capa_bin_files
$dex1 = "dex\n0"
$dex2 = "dey\n0"
$pack = { 50 41 43 4b 00 00 00 02 00 }
condition:
//any of them or
// (1) not a binary container: PE (MZ), dex/dey, "PACK" header, stored-only zip/jar.
not (
uint16(0) == 0x5a4d or
$dex1 at 0 or
$dex2 at 0 or
$pack at 0 or
// fp on jar with zero compression
uint16(0) == 0x4b50
) and
(
// (2a) JSP-looking file under 100KB with any known literal ...
(
filesize < 100KB and
(
$cjsp_short1 at 0 or
any of ( $cjsp_long* ) or
($cjsp_short1 and $cjsp_short2 in ( filesize-100..filesize )) or
(
$cjsp_short2 and (
$cjsp_short1 in ( 0..1000 ) or
$cjsp_short1 in ( filesize-1000..filesize )
)
)
)
and any of ( $jstring* )
// (2b) ... or, without the JSP gate, a file under 500KB that is heavily
// \u-obfuscated (more than 20 multi-u escapes, or one of the uu00xx tells).
) or (
filesize < 500KB and
(
#jstring21 > 20 or
$jstring18 or
$jstring19 or
$jstring20
)
)
)
}
// Small JSP (< 10KB) that reads request input, mentions "upload" and writes to disk.
// Built from three inlined helpers (the "strings from private rule ..." comments mark
// where each came from): a JSP tag check (capa_jsp_safe), a request-input check
// (capa_jsp_input) and the upload/write strings that give the rule its name.
rule WEBSHELL_JSP_Input_Upload_Write
{
meta:
description = "JSP uploader which gets input, writes files and contains \"upload\""
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
// Mid-confidence: the APIs below are generic Java/servlet calls, so expect hits on benign
// upload handlers as well; treat a match as a triage lead, not a verdict.
score = 75
date = "2021/01/24"
modified = "2024-12-09"
hash = "ef98ca135dfb9dcdd2f730b18e883adf50c4ab82"
hash = "583231786bc1d0ecca7d8d2b083804736a3f0a32"
hash = "19eca79163259d80375ebebbc440b9545163e6a3"
id = "bbf26edd-88b7-5ec5-a16e-d96a086dcd19"
strings:
// nocase and no fullword: also matches "Upload", "uploader", "FileUpload", ...
$upload = "upload" nocase wide ascii
// Either write primitive is enough ("1 of ( $write* )" in the condition).
$write1 = "os.write" fullword wide ascii
$write2 = "FileOutputStream" fullword wide ascii
//strings from private rule capa_jsp_safe
// "<%" and "%>" are two-byte atoms; the condition only accepts them at offset 0,
// near the start/end of the file, or via the longer tag forms below.
$cjsp_short1 = "<%" ascii wide
$cjsp_short2 = "%>" wide ascii
$cjsp_long1 = "<jsp:" ascii wide
$cjsp_long2 = /language=[\"']java[\"\']/ ascii wide
// JSF
$cjsp_long3 = "/jstl/core" ascii wide
$cjsp_long4 = "<%@p" nocase ascii wide
$cjsp_long5 = "<%@ " nocase ascii wide
$cjsp_long6 = "<% " ascii wide
$cjsp_long7 = "< %" ascii wide
//strings from private rule capa_jsp_input
// request.getParameter
$input1 = "getParameter" fullword ascii wide
// request.getHeaders
$input2 = "getHeaders" fullword ascii wide
$input3 = "getInputStream" fullword ascii wide
$input4 = "getReader" fullword ascii wide
// Any one of these marks the file as touching an HTTP request object.
$req1 = "request" fullword ascii wide
$req2 = "HttpServletRequest" fullword ascii wide
$req3 = "getRequest" fullword ascii wide
condition:
// Hard size gate: files of 10KB or more never match this rule.
filesize < 10KB and (
// JSP tag check (capa_jsp_safe): a long tag anywhere, "<%" at offset 0,
// or the short tag pair with one end near the file's start or end.
$cjsp_short1 at 0 or
any of ( $cjsp_long* ) or
($cjsp_short1 and $cjsp_short2 in ( filesize-100..filesize )) or
(
$cjsp_short2 and (
$cjsp_short1 in ( 0..1000 ) or
$cjsp_short1 in ( filesize-1000..filesize )
)
)
)
// Request-input check (capa_jsp_input): an input accessor AND a request-object marker.
and (
any of ( $input* ) and
any of ( $req* )
)
// The upload/write combination itself.
and $upload and 1 of ( $write* )
}
// Generic "web script + OS command" detector. A file matches when it (1) looks like
// ASP, PHP or JSP by its tag markers (three inlined helpers, see the "strings from
// private rule ..." comments) and (2) carries Windows user/admin-group commands or
// Linux credential-file paths. Score 50: generic by design, expect some benign hits.
rule WEBSHELL_Generic_OS_Strings : FILE {
meta:
description = "typical webshell strings"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
date = "2021/01/12"
modified = "2024-12-09"
score = 50
hash = "d5bfe40283a28917fcda0cefd2af301f9a7ecdad"
hash = "fd45a72bda0a38d5ad81371d68d206035cb71a14"
hash = "b4544b119f919d8cbf40ca2c4a7ab5c1a4da73a3"
hash = "569259aafe06ba3cef9e775ee6d142fed6edff5f"
hash = "48909d9f4332840b4e04b86f9723d7427e33ac67"
hash = "0353ae68b12b8f6b74794d3273967b530d0d526f"
id = "ea85e415-4774-58ac-b063-0f5eb535ec49"
strings:
// Known benign content, excluded by "not any of ( $fp* )" at the end of the condition.
$fp1 = "http://evil.com/" wide ascii
$fp2 = "denormalize('/etc/shadow" wide ascii
// ascii only (no wide modifier), unlike $fp1/$fp2
$fp3 = "vim.org>"
//strings from private rule capa_asp
// "<%" not followed by a quote; the condition pairs it with "%>" near the file's start or end.
$tagasp_short1 = /<%[^"]/ wide ascii
// also looking for %> to reduce fp (yeah, short atom but seldom since special chars)
$tagasp_short2 = "%>" wide ascii
// classids for scripting host etc
$tagasp_classid1 = "72C24DD5-D70A-438B-8A42-98424B88AFB8" nocase wide ascii
$tagasp_classid2 = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B" nocase wide ascii
$tagasp_classid3 = "093FF999-1EA0-4079-9525-9614C3504B74" nocase wide ascii
$tagasp_classid4 = "F935DC26-1CF0-11D0-ADB9-00C04FD58A0B" nocase wide ascii
$tagasp_classid5 = "0D43FE01-F093-11CF-8940-00A0C9054228" nocase wide ascii
$tagasp_long10 = "<%@ " wide ascii
// <% eval
$tagasp_long11 = /<% \w/ nocase wide ascii
$tagasp_long12 = "<%ex" nocase wide ascii
$tagasp_long13 = "<%ev" nocase wide ascii
// <%@ LANGUAGE = VBScript.encode%>
// <%@ Language = "JScript" %>
// <%@ WebHandler Language="C#" class="Handler" %>
// <%@ WebService Language="C#" Class="Service" %>
// <%@Page Language="Jscript"%>
// <%@ Page Language = Jscript %>
// <%@PAGE LANGUAGE=JSCRIPT%>
// <%@ Page Language="Jscript" validateRequest="false" %>
// <%@ Page Language = Jscript %>
// <%@ Page Language="C#" %>
// <%@ Page Language="VB" ContentType="text/html" validaterequest="false" AspCompat="true" Debug="true" %>
// <script runat="server" language="JScript">
// <SCRIPT RUNAT=SERVER LANGUAGE=JSCRIPT>
// <SCRIPT RUNAT=SERVER LANGUAGE=JSCRIPT>
// <msxsl:script language="JScript" ...
$tagasp_long20 = /<(%|script|msxsl:script).{0,60}language="?(vb|jscript|c#)/ nocase wide ascii
// Same pattern twice because neither carries nocase: lowercase and UPPERCASE forms.
$tagasp_long32 = /<script\s{1,30}runat=/ wide ascii
$tagasp_long33 = /<SCRIPT\s{1,30}RUNAT=/ wide ascii
// avoid hitting php
// ascii only; used with "at 0" in the condition, i.e. only a PHP tag at offset 0 counts.
$php1 = "<?php"
$php2 = "<?="
// avoid hitting jsp
// Counted in the condition: one of $jsp1-3 plus one of $jsp4-7 excludes the file from the ASP branch.
$jsp1 = "=\"java." wide ascii
$jsp2 = "=\"javax." wide ascii
$jsp3 = "java.lang." wide ascii
$jsp4 = "public" fullword wide ascii
$jsp5 = "throws" fullword wide ascii
$jsp6 = "getValue" fullword wide ascii
$jsp7 = "getBytes" fullword wide ascii
// ascii only
$perl1 = "PerlScript" fullword
//strings from private rule capa_php_old_safe
// Bare "<?" is only accepted near the start or end of the file, and only when none of
// the $no_* exclusions below (XML, ASP, "<?xpacket") is present.
$php_short = "<?" wide ascii
// prevent xml and asp from hitting with the short tag
$no_xml1 = "<?xml version" nocase wide ascii
$no_xml2 = "<?xml-stylesheet" nocase wide ascii
$no_asp1 = "<%@LANGUAGE" nocase wide ascii
$no_asp2 = /<script language="(vb|jscript|c#)/ nocase wide ascii
// ascii only (no wide modifier), unlike the other $no_* strings
$no_pdf = "<?xpacket"
// of course the new tags should also match
// already matched by "<?"
$php_new1 = /<\?=[^?]/ wide ascii
$php_new2 = "<?php" nocase wide ascii
$php_new3 = "<script language=\"php" nocase wide ascii
//strings from private rule capa_jsp_safe
$cjsp_short1 = "<%" ascii wide
$cjsp_short2 = "%>" wide ascii
$cjsp_long1 = "<jsp:" ascii wide
$cjsp_long2 = /language=[\"']java[\"\']/ ascii wide
// JSF
$cjsp_long3 = "/jstl/core" ascii wide
$cjsp_long4 = "<%@p" nocase ascii wide
$cjsp_long5 = "<%@ " nocase ascii wide
$cjsp_long6 = "<% " ascii wide
$cjsp_long7 = "< %" ascii wide
//strings from private rule capa_os_strings
// windows = nocase
// NOTE(review): $w2/$w3 are byte-for-byte the same as $take_two1/$take_two2, so
// "all of ( $w* )" is already implied by "2 of ( $take_two* )" and $w1 cannot change
// the outcome; the Windows trigger is effectively "net user" + "/add".
$w1 = "net localgroup administrators" nocase wide ascii
$w2 = "net user" nocase wide ascii
$w3 = "/add" nocase wide ascii
// linux stuff, case sensitive:
// Both paths are required ("all of ( $l* )"); $fp2 carves out one known benign use of /etc/shadow.
$l1 = "/etc/shadow" wide ascii
$l2 = "/etc/ssh/sshd_config" wide ascii
$take_two1 = "net user" nocase wide ascii
$take_two2 = "/add" nocase wide ascii
condition:
// Outer size gate; the inner "filesize < 300KB" further down is redundant under this cap.
filesize < 70KB and
( (
// --- ASP branch (capa_asp) ---
(
any of ( $tagasp_long* ) or
// TODO : yara_push_private_rules.py doesn't do private rules in private rules yet
any of ( $tagasp_classid* ) or
(
$tagasp_short1 and
$tagasp_short2 in ( filesize-100..filesize )
) or (
$tagasp_short2 and (
$tagasp_short1 in ( 0..1000 ) or
$tagasp_short1 in ( filesize-1000..filesize )
)
)
// Files that are really Perl, PHP (tag at offset 0) or JSP are dropped from this branch only.
) and not (
(
any of ( $perl* ) or
$php1 at 0 or
$php2 at 0
) or (
( #jsp1 + #jsp2 + #jsp3 ) > 0 and ( #jsp4 + #jsp5 + #jsp6 + #jsp7 ) > 0
)
)
)
// --- PHP branch (capa_php_old_safe) ---
or (
(
(
$php_short in (0..100) or
$php_short in (filesize-1000..filesize)
)
and not any of ( $no_* )
)
or any of ( $php_new* )
)
// --- JSP branch (capa_jsp_safe) ---
or (
$cjsp_short1 at 0 or
any of ( $cjsp_long* ) or
($cjsp_short1 and $cjsp_short2 in ( filesize-100..filesize )) or
(
$cjsp_short2 and (
$cjsp_short1 in ( 0..1000 ) or
$cjsp_short1 in ( filesize-1000..filesize )
)
)
)
// --- OS strings (capa_os_strings) ---
) and (
filesize < 300KB and
// skip PE files ("MZ" at offset 0)
not uint16(0) == 0x5a4d and (
all of ( $w* ) or
all of ( $l* ) or
2 of ( $take_two* )
)
)
// known false positives
and not any of ( $fp* )
}
rule WEBSHELL_In_Image
{
meta:
description = "Webshell in GIF, PNG or JPG"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
reference = "Internal Research"
hash = "d4fde4e691db3e70a6320e78657480e563a9f87935af873a99db72d6a9a83c78"
hash = "84938133ee6e139a2816ab1afc1c83f27243c8ae76746ceb2e7f20649b5b16a4"
hash = "52b918a64afc55d28cd491de451bb89c57bce424f8696d6a94ec31fb99b17c11"
date = "2021/02/27"
modified = "2024-03-11"
score = 55
id = "b1185b69-9b08-5925-823a-829fee6fa4cf"
strings:
$png = { 89 50 4E 47 }
$jpg = { FF D8 FF E0 }
$gif = "GIF8" wide ascii // doesn't make sense for a GIF but some webshells are utf8 :)
$gif2 = "gif89" // not a valid gif but used in webshells
$gif3 = "Gif89" // not a valid gif but used in webshells
// MS access
$mdb = { 00 01 00 00 53 74 }
//$mdb = { 00 01 00 00 53 74 61 6E 64 61 72 64 20 4A 65 74 20 44 42 }
//strings from private rule capa_php_old_safe
$php_short = "<?" wide ascii
// prevent xml and asp from hitting with the short tag
$no_xml1 = "<?xml version" nocase wide ascii
$no_xml2 = "<?xml-stylesheet" nocase wide ascii
$no_asp1 = "<%@LANGUAGE" nocase wide ascii
$no_asp2 = /<script language="(vb|jscript|c#)/ nocase wide ascii
$no_pdf = "<?xpacket"
// of course the new tags should also match
// already matched by "<?"
$php_new1 = /<\?=[^?]/ wide ascii
$php_new2 = "<?php" nocase wide ascii
$php_new3 = "<script language=\"php" nocase wide ascii
//strings from private rule capa_php_payload
// \([^)] to avoid matching on e.g. eval() in comments
$cpayload1 = /\beval[\n\t ]{0,500}(\([^)]|\/\*)/ nocase wide ascii
$cpayload2 = /\bexec[\n\t ]{0,500}(\([^)]|\/\*)/ nocase wide ascii
$cpayload3 = /\bshell_exec[\n\t ]{0,500}(\([^)]|\/\*)/ nocase wide ascii
$cpayload4 = /\bpassthru[\n\t ]{0,500}(\([^)]|\/\*)/ nocase wide ascii
$cpayload5 = /\bsystem[\n\t ]{0,500}(\([^)]|\/\*)/ nocase wide ascii
$cpayload6 = /\bpopen[\n\t ]{0,500}(\([^)]|\/\*)/ nocase wide ascii
$cpayload7 = /\bproc_open[\n\t ]{0,500}(\([^)]|\/\*)/ nocase wide ascii
$cpayload8 = /\bpcntl_exec[\n\t ]{0,500}(\([^)]|\/\*)/ nocase wide ascii
$cpayload9 = /\bassert[\n\t ]{0,500}\([^)0]/ nocase wide ascii
$cpayload10 = /\bpreg_replace[\n\t ]{0,500}\([^\)]{1,100}\/[ismxADSUXju]{0,11}(e|\\x65)/ nocase wide ascii
$cpayload12 = /\bmb_ereg_replace[\t ]{0,500}\([^\)]{1,100}'e'/ nocase wide ascii
$cpayload13 = /\bmb_eregi_replace[\t ]{0,500}\([^\)]{1,100}'e'/ nocase wide ascii
$cpayload20 = /\bcreate_function[\n\t ]{0,500}(\([^)]|\/\*)/ nocase wide ascii
$cpayload21 = /\bReflectionFunction[\n\t ]{0,500}(\([^)]|\/\*)/ nocase wide ascii
$cpayload22 = /fetchall\(PDO::FETCH_FUNC[\n\t ]{0,500}[,}
ASPX
WEBSHELL_ASPX_reGeorgTunnel
variation on reGeorgtunnel
rule WEBSHELL_ASPX_reGeorgTunnel : Webshell Commodity {
    meta:
        author = "[email protected]"
        date = "2021-03-01"
        description = "variation on reGeorgtunnel"
        hash = "406b680edc9a1bb0e2c7c451c56904857848b5f15570401450b73b232ff38928"
        reference = "https://github.com/sensepost/reGeorg/blob/master/tunnel.aspx"
        id = "b8aa27c9-a28a-5051-8f81-1184f28842ed"
    strings:
        // Group A: the sockets namespace plus the verbatim header-decoding expression
        // (base64 from a request header, run through StrTr) as written in the referenced
        // tunnel.aspx. Both must be present.
        $exact_sockets_ns = "System.Net.Sockets"
        $exact_header_decode = "System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get"
        // Group B: the building blocks a reformatted or lightly edited variant keeps
        // (header read, pipe-split, substring, socket construction, IP declaration).
        // All five must be present.
        $part_split_pipe = ".Split('|')"
        $part_read_header = "Request.Headers.Get"
        $part_substring = ".Substring("
        $part_new_socket = "new Socket("
        $part_ip_decl = "IPAddress ip;"
        // NOTE(review): every string is ascii-only (no "wide"), so a UTF-16 encoded copy of
        // the page would not match, and there is no filesize bound, so every scanned file is
        // searched in full. Add "wide ascii" / a filesize cap if your corpus needs either.
    condition:
        // Either the reassembled variant (group B) or the exact copy (group A).
        all of ($part_*) or all of ($exact_*)
}