The rule detects potential obfuscation or packing of PHP code within JavaScript files, which may indicate the presence of malicious payloads or evasion techniques. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversarial activity that could lead to deeper compromises.
YARA Rule
rule mag_php_js {
    strings:
        // plain text strings: YARA matches them literally, pipe characters included
        $ = "onepage|checkout|onestep|firecheckout|onestepcheckout"
        $ = "'one|check'"
    condition:
        any of them
}
The following legitimate scenarios can also trigger this rule; a filter/exclusion is suggested for each so that only unexplained matches reach an analyst:
Scenario: Legitimate PHP code generation via Magento CLI
Description: A developer uses the Magento CLI to generate PHP code for a custom module, which triggers the rule due to the presence of PHP syntax.
Filter/Exclusion: `process.name != "magento" || process.args !~ /generate|compile/`
Scenario: Scheduled job for JavaScript minification
Description: A scheduled job runs a JavaScript minification tool like uglifyjs or terser as part of a CI/CD pipeline, resulting in JavaScript output that matches the rule.
Filter/Exclusion: `(process.name != "uglifyjs" && process.name != "terser") || process.args !~ /minify/`
Scenario: Admin task to update JavaScript assets
Description: An admin runs a script to update or deploy JavaScript assets using a tool like webpack or grunt, which generates JavaScript files that match the rule.
Filter/Exclusion: `(process.name != "webpack" && process.name != "grunt") || process.args !~ /build|deploy/`
Scenario: Legitimate use of PHP in a JavaScript build process
Description: A build process uses PHP scripts (e.g., via php-cli) to preprocess JavaScript files, which results in PHP code being detected by the rule.
Filter/Exclusion: `process.name != "php" || process.args !~ /build|preprocess/`
Scenario: Code review tool generating temporary PHP/JS files
Description: A code review tool like SonarQube or ESLint generates temporary PHP or JavaScript files during analysis, which could trigger the rule.
Filter/Exclusion: `(process.name != "sonar-scanner" && process.name != "eslint") || process.args !~ /analyze|review/`
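As an added example (not part of the original rule or its scenarios), the Python below applies the rule's two strings to constructed file-write events and then the five scenario exclusions, so the filters can be sanity-checked before they are deployed in Sentinel; the FileEvent shape, its field names and the sample events are assumptions.

```python
import re
from dataclasses import dataclass

# Literal text strings from the mag_php_js rule (YARA matches them as-is, pipes included)
RULE_STRINGS = (
    "onepage|checkout|onestep|firecheckout|onestepcheckout",
    "'one|check'",
)
# Exclusions from the scenarios above as (tool names, args pattern). Each page filter
# reads "process.name != tool || process.args !~ /pat/": the alert is kept unless the
# writing process IS a listed tool AND its args match the pattern.
EXCLUSIONS = (
    ({"magento"}, re.compile(r"generate|compile")),
    ({"uglifyjs", "terser"}, re.compile(r"minify")),
    ({"webpack", "grunt"}, re.compile(r"build|deploy")),
    ({"php"}, re.compile(r"build|preprocess")),
    ({"sonar-scanner", "eslint"}, re.compile(r"analyze|review")),
)

@dataclass
class FileEvent:  # a file write joined with its writing process (assumed event shape)
    path: str
    content: str
    process_name: str
    process_args: str

def rule_matches(content: str) -> list[str]:
    """Rule strings present in the file; the rule fires on 'any of them'."""
    return [s for s in RULE_STRINGS if s in content]

def is_excluded(process_name: str, process_args: str) -> bool:
    """True when one of the scenario filters would suppress the alert."""
    return any(process_name in names and pat.search(process_args) is not None
               for names, pat in EXCLUSIONS)

def triage(event: FileEvent) -> str:
    """'no_match', 'excluded' (known build tooling) or 'alert' (needs analyst review)."""
    if not rule_matches(event.content):
        return "no_match"
    if is_excluded(event.process_name, event.process_args):
        return "excluded"
    return "alert"

# Constructed sample events, not real captures; the args string is made up to exercise the filter
SKIMMER_LIKE = "var p=/onepage|checkout|onestep|firecheckout|onestepcheckout/;"
SAMPLE_EVENTS = [
    FileEvent("/var/www/js/lib.min.js", SKIMMER_LIKE, "apache2", ""),
    FileEvent("/build/dist/app.min.js", SKIMMER_LIKE, "terser", "minify app.js -o app.min.js"),
    FileEvent("/var/www/js/util.js", "function sum(a,b){return a+b}", "apache2", ""),
]
```

Note that the exclusions key only on the writing process, so a match written by the web server itself (the first sample) is never suppressed.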