The amasty_biz_js rule matches a fixed, obfuscated string fragment found in a JavaScript payload injected into compromised Magento stores. Because YARA matches content rather than behaviour, a hit on a served page or on a file under the web root means the injection has already happened (typically into a theme, template or static asset, where it also serves as persistence); it is not evidence of an attempted exploit. The rule name suggests an amasty.biz host name, which resembles but is distinct from the legitimate Amasty extension vendor (amasty.com), so the name alone does not implicate Amasty's modules. SOC teams hunt with the rule by scanning web roots, deployment artifacts or captured HTTP responses and forwarding hits to their SIEM (for example Azure Sentinel) for triage and correlation with web-server and deployment telemetry.
YARA Rule
rule amasty_biz_js {
    strings:
        $ = "t_p#0.qlb#0.#1Blsjj#1@#.?#.?dslargml#0.qr_pr#06#07#5@#.?#0"
    condition:
        any of them
}
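The literal in the rule is not random. It is a fragment of the injected loader after the loader's own encoding, in which the percent-encoded JavaScript source has every character code shifted down by 2; undoing the shift and percent-decoding yields `var snd =null;` followed by `function start(){`, the stub the rule is meant to catch. The following Python is an added example, not code from the rule's authors: it recovers the shift from the literal alone, decodes it, round-trips a plaintext stub back to the signature, and scans a constructed page for the literal the way the `any of them` condition would. The function names and the sample page are this example's own.

```python
"""Decode and hunt for the amasty_biz_js signature string.

Added example for this page (not part of the original rule set). Names
such as deobfuscate/obfuscate/find_signature are this example's own.
"""
import re
from typing import Optional
from urllib.parse import quote, unquote

# The literal from the YARA rule above, copied verbatim.
SIGNATURE = "t_p#0.qlb#0.#1Blsjj#1@#.?#.?dslargml#0.qr_pr#06#07#5@#.?#0"

PCT_SEQ = re.compile(r"%[0-9A-Fa-f]{2}")


def shift(text: str, k: int) -> str:
    """Add k to every character code (a Caesar shift over the ASCII range)."""
    return "".join(chr(ord(c) + k) for c in text)


def recover_shift(blob: str, candidates=range(1, 26)) -> Optional[int]:
    """Guess the shift key: the k that turns the most '#xx' runs into valid
    %XX percent-escapes. Returns None if no candidate yields any escape."""
    best_k, best_hits = None, 0
    for k in candidates:
        hits = len(PCT_SEQ.findall(shift(blob, k)))
        if hits > best_hits:
            best_k, best_hits = k, hits
    return best_k


def deobfuscate(blob: str, k: int = 2) -> str:
    """Reverse the loader's encoding: undo the shift, then percent-decode.
    An incomplete trailing escape (the signature ends mid-escape) is kept."""
    return unquote(shift(blob, k))


def obfuscate(js: str, k: int = 2) -> str:
    """Forward direction, for building fixtures: percent-encode every
    non-alphanumeric character (close to what JavaScript escape() emits,
    uppercase hex), then shift each character code down by k."""
    return shift(quote(js, safe=""), -k)


def find_signature(blob: bytes, needle: bytes = SIGNATURE.encode("ascii")) -> list:
    """Plain-Python stand-in for the rule's `any of them` condition: the byte
    offsets at which the literal occurs in a scanned file or HTTP body."""
    hits, start = [], 0
    while (i := blob.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


# Constructed sample (not a real capture): a checkout page with the encoded
# loader stuffed into a script variable, as a theme injection might look.
SAMPLE_PAGE = (
    b"<html><head><title>Checkout</title></head><body>\n"
    b"<script>var _0x = '" + SIGNATURE.encode("ascii") + b"';</script>\n"
    b"</body></html>\n"
)

if __name__ == "__main__":
    k = recover_shift(SIGNATURE)
    print("recovered shift:", k)
    print("decoded:", repr(deobfuscate(SIGNATURE, k)))
    print("offsets in sample page:", find_signature(SAMPLE_PAGE))
```

The decoded text ends in a dangling `%2` because the signature was cut mid-escape; that is deliberate on the rule author's side, since a partial literal still matches while being short enough to survive minor changes to the rest of the loader. When triaging a hit, decode the surrounding string the same way to see the full loader rather than just the stub.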
The following scenarios describe legitimate activity that tuning may need to account for. The exclusion expressions are written in a generic process-event query syntax (EDR/SIEM style), not in YARA: the rule matches content, so these filters apply to the alert that wraps a hit, not to the rule itself. Each of them keys on a process name or on a substring such as %amasty% or %deploy% that an attacker can place in a job or script name, and none references the matched file's path or hash, so a hit on this literal in a web root or served page should be triaged before any exclusion is applied.
Scenario: Legitimate use of Magento Admin Panel during routine configuration changes
Filter/Exclusion: process.name != "php" OR (process.name == "php" AND process.args NOT LIKE "%magento%admin%")
Note: with AND binding tighter than OR, this expression suppresses every event except a PHP process whose arguments match %magento%admin%, the inverse of the scenario it is meant to cover. The exclusion that matches the stated intent is process.name == "php" AND process.args LIKE "%magento%admin%".
Scenario: Scheduled Cron Jobs running maintenance tasks for Amasty modules
Filter/Exclusion: process.name == "cron" AND process.args LIKE "%amasty%"
Scenario: Magento CLI commands executed by developers for module updates or deployments
Filter/Exclusion: process.name == "php" AND process.args LIKE "%magento%dev%module%"
Scenario: Code deployment tools like Capistrano or DeployBot pushing updates to Magento instances
Filter/Exclusion: process.name == "capistrano" OR process.name == "deploybot" OR process.args LIKE "%deploy%amasty%"
Scenario: Third-party integration tools such as Magento Connect or Amasty Marketplace performing updates
Filter/Exclusion: process.name == "magento-connect" OR process.args LIKE "%amasty%marketplace%"
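Transcribing the five exclusions into code makes their behaviour concrete: run over constructed events, they show that the admin-panel filter suppresses an unrelated nginx process while letting the admin command it describes through, and that a cron job whose script merely contains the word amasty is suppressed exactly like the legitimate maintenance task. The following Python is an added example, not the page's own filters or telemetry; the ProcessEvent records, the like() helper and the scenario keys are constructed here.

```python
"""Run the page's tuning exclusions over constructed process events.

Added example; not part of the original rule or its filters. ProcessEvent,
like() and the scenario keys are this example's own names.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    name: str  # process.name in the filters
    args: str  # process.args: the full command line


def like(value: str, pattern: str) -> bool:
    """SQL LIKE as used by the filters: '%' matches any run of characters,
    '_' exactly one; case-insensitive and anchored at both ends."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


# The five Filter/Exclusion expressions, transcribed with explicit
# parentheses. AND binds tighter than OR, so the first one excludes every
# event *except* a PHP admin command: the inverse of its stated intent.
EXCLUSIONS = {
    "admin_panel": lambda e: e.name != "php"
        or (e.name == "php" and not like(e.args, "%magento%admin%")),
    "cron_maintenance": lambda e: e.name == "cron" and like(e.args, "%amasty%"),
    "cli_module_update": lambda e: e.name == "php"
        and like(e.args, "%magento%dev%module%"),
    "deploy_tools": lambda e: e.name in ("capistrano", "deploybot")
        or like(e.args, "%deploy%amasty%"),
    "integrations": lambda e: e.name == "magento-connect"
        or like(e.args, "%amasty%marketplace%"),
}


def excluded_by(event: ProcessEvent) -> list:
    """Names of the exclusions that would suppress an alert for this event."""
    return [name for name, test in EXCLUSIONS.items() if test(event)]


def admin_panel_intended(event: ProcessEvent) -> bool:
    """The first scenario as it reads: suppress only PHP processes whose
    arguments show a Magento admin action (the corrected form of the filter)."""
    return event.name == "php" and like(event.args, "%magento%admin%")


# Constructed events (not real telemetry).
ADMIN_CLI = ProcessEvent("php", "php bin/magento admin:user:create")
WEB_SERVER = ProcessEvent("nginx", "nginx -g daemon off;")
BENIGN_CRON = ProcessEvent("cron", "php bin/magento cron:run --group amasty")
# A hypothetical attacker's persistence job: the word "amasty" in the script
# name is all it takes to satisfy the cron exclusion's substring match.
ROGUE_CRON = ProcessEvent("cron", "/bin/sh /tmp/.amasty_update.sh")

if __name__ == "__main__":
    for ev in (ADMIN_CLI, WEB_SERVER, BENIGN_CRON, ROGUE_CRON):
        print(f"{ev.name:8} {ev.args!r:45} -> {excluded_by(ev)}")
```

The practical fix is to scope exclusions to what the YARA hit actually tells you (the matched file's path and hash, the rule name, and the deploy job or user that wrote the file) rather than to process names and free-text substrings.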