The fopo_webshell rule detects potential webshell activity by matching fixed base64 string fragments commonly found in malicious PHP scripts. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage web-based attacks that could lead to persistent access or data exfiltration.
YARA Rule
rule fopo_webshell {
    strings:
        $ = "DNEcHdQbWtXU3dSMDA1VmZ1c29WUVFXdUhPT0xYb0k3ZDJyWmFVZlF5Y0ZEeHV4K2FnVmY0OUtjbzhnc0"
        $ = "U3hkTVVibSt2MTgyRjY0VmZlQWo3d1VlaFJVNVNnSGZUVUhKZXdEbGxJUTlXWWlqWSt0cEtacUZOSXF4c"
        $ = "rb2JHaTJVdURMNlhQZ1ZlTGVjVnFobVdnMk5nbDlvbEdBQVZKRzJ1WmZUSjdVOWNwWURZYlZ0L1BtNCt"
    condition:
        any of them
}
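The rule above is three fixed byte strings joined by "any of them", so its logic can be reproduced without a YARA engine for a quick sweep of a web root during triage. The following scanner is an added example, not part of the original rule page: it applies the rule's condition to raw file bytes, walks a directory for PHP-type files, and reports the path, which $ string matched, and the byte offset. The file extensions, the sample PHP files and the directory layout are assumptions constructed for the demo.

```python
import os
import tempfile
from typing import List, Optional, Tuple

# The three anonymous strings from the fopo_webshell rule above. The rule's
# condition is "any of them", so one occurrence of any marker is a match.
FOPO_MARKERS: List[bytes] = [
    b"DNEcHdQbWtXU3dSMDA1VmZ1c29WUVFXdUhPT0xYb0k3ZDJyWmFVZlF5Y0ZEeHV4K2FnVmY0OUtjbzhnc0",
    b"U3hkTVVibSt2MTgyRjY0VmZlQWo3d1VlaFJVNVNnSGZUVUhKZXdEbGxJUTlXWWlqWSt0cEtacUZOSXF4c",
    b"rb2JHaTJVdURMNlhQZ1ZlTGVjVnFobVdnMk5nbDlvbEdBQVZKRzJ1WmZUSjdVOWNwWURZYlZ0L1BtNCt",
]

def find_marker(data: bytes) -> Optional[Tuple[int, int]]:
    """Evaluate the rule over raw bytes: (marker_index, offset) or None.
    Matching bytes rather than decoded text means an odd encoding or binary
    padding in a dropped file cannot hide the ASCII base64 markers."""
    for i, marker in enumerate(FOPO_MARKERS):
        off = data.find(marker)
        if off != -1:
            return i, off
    return None

def scan_tree(root: str, exts=(".php", ".phtml", ".php5", ".inc")) -> List[Tuple[str, int, int]]:
    """Walk a web root; return (path, marker_index, offset) per matching file.
    The extension list is an assumption; widen it for other PHP handlers."""
    hits: List[Tuple[str, int, int]] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    found = find_marker(f.read())
            except OSError:
                continue  # unreadable file: skip it and keep sweeping
            if found is not None:
                hits.append((path, found[0], found[1]))
    return hits

def demo() -> List[Tuple[str, int, int]]:
    """Constructed samples (not real malware): one benign PHP file and one
    file embedding a marker fragment inside a base64_decode() call."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.php"), "wb") as f:
            f.write(b"<?php echo 'hello'; ?>")
        with open(os.path.join(root, "cache.php"), "wb") as f:
            f.write(b"<?php eval(base64_decode('" + FOPO_MARKERS[1] + b"'));")
        return scan_tree(root)
```

Run scan_tree() against the document root of a suspect host and feed the returned paths into the triage queue; the offset lets an analyst jump straight to the payload in a hex view.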
When this YARA rule is deployed, the following known-benign scenarios and their suggested exclusion filters (written against process and file event fields in the SIEM) can be used to reduce false positives:
Scenario: Legitimate scheduled job for log rotation or backup
Filter/Exclusion: process.parent_process_name == "cron" OR process.parent_process_name == "systemd" OR process.parent_process_name == "atd"
Scenario: Admin task using wget or curl to download a legitimate script or configuration file
Filter/Exclusion: (process.name == "wget" OR process.name == "curl") AND file.name NOT IN ("script.sh", "config.json")
Scenario: Use of a legitimate web application framework (e.g., Laravel, Django) with dynamic content generation
Filter/Exclusion: file.name CONTAINS "laravel" OR file.name CONTAINS "django" OR file.name CONTAINS "symfony"
Scenario: Internal tool for monitoring or diagnostics that uses shell scripts or temporary files
Filter/Exclusion: process.name == "bash" AND file.path CONTAINS "/tmp" AND (file.name CONTAINS "diag" OR file.name CONTAINS "monitor")
Scenario: Use of a legitimate code deployment tool (e.g., Jenkins, GitLab CI) that executes scripts during deployment
Filter/Exclusion: (process.name == "java" OR process.name == "node") AND (file.name CONTAINS "deploy" OR file.name CONTAINS "build") AND (process.parent_process_name CONTAINS "jenkins" OR process.parent_process_name CONTAINS "gitlab-runner")