The gate_php_js rule detects potential obfuscation or embedding of malicious PHP or JavaScript code within files, which adversaries may use to evade basic detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that could lead to persistent or stealthy malware execution.
YARA Rule
rule gate_php_js {
    meta:
        description = "Hits on a /gate.php?token=<short token>&host= request string"
    strings:
        /* example of a matching string: /gate.php?token=KjsS29Msl&host= */
        /* the dot in gate.php is escaped so it matches a literal '.'; {0,10} caps the token length */
        $ = /\/gate\.php\?token=.{0,10}&host=/
    condition:
        any of them
}
The following benign scenarios can produce hits from this rule; each is paired with the filter or exclusion to apply when deploying it:
Scenario: A system administrator is using PHPStorm to debug PHP scripts and inadvertently triggers a file scan.
Filter/Exclusion: Exclude files with the .php extension that are located in the ~/.phpstormEval directory or any directory containing phpstorm.
Scenario: A scheduled cron job runs a PHP script to generate static HTML content for a website.
Filter/Exclusion: Exclude files with the .php extension that are in the /var/www/html/generate-static/ directory or have a filename matching generate-static-*.php.
Scenario: A developer is using VS Code with the PHP Intelephense extension to analyze PHP code, which may trigger a scan due to the presence of JavaScript snippets.
Filter/Exclusion: Exclude files with the .php extension that are in the ~/.vscode/extensions/ directory or have a filename containing intelephense.
Scenario: A CI/CD pipeline (e.g., Jenkins or GitLab CI) runs PHP linters or code formatters, which may include JavaScript code for testing.
Filter/Exclusion: Exclude files with the .php extension that are in the /opt/jenkins/workspace/ directory or have a filename containing lint or formatter.
Scenario: A database backup script written in PHP includes JavaScript for client-side validation during the backup process.
Filter/Exclusion: Exclude files with the .php extension that are in the /backup/scripts/ directory or have a filename containing backup or restore.
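An added example (not part of the original rule or page) showing how a SOC pipeline could apply the rule's pattern and the exclusion filters above in one triage step. It transcribes the YARA string into a Python regex (with the dot in gate.php escaped) and keeps suppressed hits as a separate outcome, since a path filter silences the alert, not the content; the sample request line and the function names are constructed for this example.

```python
import re
from pathlib import PurePosixPath

# Python transcription of the rule's single regex string. YARA's `.` does not match
# newline, so re.DOTALL is deliberately not set; the dot in gate.php is escaped.
GATE_PATTERN = re.compile(rb"/gate\.php\?token=.{0,10}&host=")

# Directory and filename filters transcribed from the exclusion scenarios above.
# Directory checks run against the parent directory plus a trailing slash.
EXCLUDED_DIRS = ("/.phpstormEval/", "/var/www/html/generate-static/",
                 "/.vscode/extensions/", "/opt/jenkins/workspace/", "/backup/scripts/")
EXCLUDED_DIR_KEYWORDS = ("phpstorm",)            # matched case-insensitively
EXCLUDED_NAME_PATTERNS = tuple(re.compile(p, re.IGNORECASE) for p in (
    r"^generate-static-.*\.php$", r"intelephense", r"lint|formatter", r"backup|restore"))

# Constructed sample of a hit; the token value is the one quoted in the rule's comment.
SAMPLE_HIT = b"GET /gate.php?token=KjsS29Msl&host=EXAMPLE-HOST HTTP/1.1\r\n"


def rule_matches(data: bytes) -> bool:
    """True when the file content would satisfy the rule's condition."""
    return GATE_PATTERN.search(data) is not None


def is_excluded(path: str) -> bool:
    """Apply the scenario filters. Every filter is scoped to .php files only."""
    p = PurePosixPath(path)
    if p.suffix.lower() != ".php":
        return False
    dir_part = str(p.parent) + "/"
    if any(d in dir_part for d in EXCLUDED_DIRS):
        return True
    if any(k in dir_part.lower() for k in EXCLUDED_DIR_KEYWORDS):
        return True
    return any(pat.search(p.name) for pat in EXCLUDED_NAME_PATTERNS)


def triage(path: str, data: bytes) -> str:
    """'clean' (no hit), 'alert' (hit, not excluded) or 'suppressed' (hit in an
    excluded location). Suppressed hits stay distinguishable so they can still be logged."""
    if not rule_matches(data):
        return "clean"
    return "suppressed" if is_excluded(path) else "alert"


if __name__ == "__main__":
    for path in ("/var/www/html/shell.php", "/opt/jenkins/workspace/job1/lint.php",
                 "/opt/jenkins/workspace/job1/notes.txt"):
        print(f"{path}: {triage(path, SAMPLE_HIT)}")
```

Note that the exclusions are keyed on the .php extension, so the same content in a non-.php file inside an excluded directory is still reported.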