amasty biz

Hunt Hypothesis

The amasty_biz rule detects potential adversary behavior involving the use of malicious payloads or obfuscated code commonly associated with compromised or malicious WordPress plugins. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises that may evade traditional detection methods.

YARA Rule

rule amasty_biz {
    strings: $ = "118,97,114,32,115,110,100,32,61,110,117,108,108,59,10,10,102,117"
    condition: any of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints
• Source Rule

False Positive Guidance

• Scenario: Legitimate scheduled job for Amasty Biz module updates
  Filter/Exclusion: process.name != "php" OR process.name == "php" AND process.args != "/usr/bin/php /var/www/html/update.php"

• Scenario: Admin performing a manual export of customer data via Amasty Biz UI
  Filter/Exclusion: process.name == "php" AND process.args CONTAINS "admin/export"

• Scenario: Cron job running daily to process orders using Amasty Biz
  Filter/Exclusion: process.name == "php" AND process.args CONTAINS "cron/process_orders"

• Scenario: Developer testing Amasty Biz module functionality in a staging environment
  Filter/Exclusion: process.name == "php" AND ip.src == "192.168.1.0/24"

• Scenario: System backup process including Amasty Biz database tables
  Filter/Exclusion: process.name == "mysqldump" AND process.args CONTAINS "amasty_biz"