This YARA rule flags PHP files that combine several obfuscation primitives (eval, gzinflate, str_rot13, base64_decode), a pattern that may indicate adversarial manipulation of server-side logic. SOC teams should proactively hunt for matches in Azure Sentinel: a hit is low severity on its own, but it can be an early sign of code tampering or malicious activity.
YARA Rule
// Flags PHP source that stacks common decode/execute primitives.
rule php_malfunctions {
    strings:
        $ = "eval("
        $ = "gzinflate("
        $ = "str_rot13("
        $ = "base64_decode("
    condition:
        // any 3 of the 4 strings in a file under 500 KB (YARA's KB = 1024 bytes)
        3 of them and filesize < 500KB
}
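To see what the condition actually fires on, the following added example (not part of the original rule page) re-implements the rule's logic in plain Python so it can be tested without a YARA install. It builds a constructed sample wrapped in the eval(gzinflate(base64_decode(...))) layering the strings describe, a constructed benign file that uses base64_decode alone, and shows the filesize guard and a small unwrapping helper an analyst would use during triage. The sample contents and helper names are assumptions for illustration.

```python
"""Pure-Python re-implementation of the php_malfunctions YARA condition
(added example, not the original rule or a YARA binding)."""
import base64
import zlib

# Literal strings from the rule. YARA text strings are case-sensitive
# unless 'nocase' is given, so a plain substring search reproduces them.
RULE_STRINGS = (b"eval(", b"gzinflate(", b"str_rot13(", b"base64_decode(")
MIN_STRINGS = 3            # "3 of them"
MAX_FILESIZE = 500 * 1024  # YARA's "500KB" multiplies by 1024


def matched_strings(data: bytes) -> list:
    """Which of the rule's strings occur in the file, in rule order."""
    return [s for s in RULE_STRINGS if s in data]


def php_malfunctions(data: bytes) -> bool:
    """True when the data would satisfy '3 of them and filesize < 500KB'."""
    if len(data) >= MAX_FILESIZE:
        return False
    return len(matched_strings(data)) >= MIN_STRINGS


def build_obfuscated_sample() -> bytes:
    """Constructed sample: a harmless echo wrapped in the layered
    eval(gzinflate(base64_decode(...))) pattern the rule targets."""
    inner = b"<?php echo 'hello from inner'; ?>"
    # gzinflate() consumes raw DEFLATE data (no zlib header): wbits=-15
    comp = zlib.compressobj(level=9, wbits=-15)
    raw = comp.compress(inner) + comp.flush()
    payload = base64.b64encode(raw)
    return b"<?php eval(gzinflate(base64_decode('" + payload + b"'))); ?>"


# Constructed benign file: one primitive only, so the rule stays quiet.
BENIGN = (b"<?php $img = base64_decode($_POST['avatar']); "
          b"file_put_contents('avatar.png', $img); ?>")


def unwrap_layers(sample: bytes) -> bytes:
    """Analyst helper: reverse the two wrapping layers of the constructed
    sample to recover the inner PHP for review."""
    marker = b"base64_decode('"
    start = sample.index(marker) + len(marker)
    end = sample.index(b"'", start)
    raw = base64.b64decode(sample[start:end])
    return zlib.decompress(raw, wbits=-15)


if __name__ == "__main__":
    sample = build_obfuscated_sample()
    print("obfuscated sample matches:", php_malfunctions(sample),
          matched_strings(sample))
    print("benign sample matches:    ", php_malfunctions(BENIGN))
    # Same content padded past 500 KB no longer matches (filesize guard).
    print("oversized sample matches: ",
          php_malfunctions(sample + b" " * MAX_FILESIZE))
    print("unwrapped:", unwrap_layers(sample).decode())
```

The filesize guard is worth noting during tuning: a large legitimate library that happens to contain three of the strings is skipped, but so is a large tampered file, so the threshold trades false positives for coverage.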
When deploying this rule alongside process telemetry, account for the following benign scenarios and apply the suggested filters/exclusions:

Scenario: A system administrator is using php -i to check PHP configuration settings.
Filter/Exclusion: Exclude processes where the command line includes php -i or php --ini.

Scenario: A scheduled job runs a PHP script to generate reports using cron or systemd timers.
Filter/Exclusion: Exclude processes with cron or systemd in the parent process name, or filter by known report-generating scripts.

Scenario: A developer is testing a PHP application using php -S to start a local development server.
Filter/Exclusion: Exclude processes where the command line includes php -S or php -t.

Scenario: A CI/CD pipeline runs PHP unit tests using tools like PHPUnit or Laravel Dusk.
Filter/Exclusion: Exclude processes that include phpunit, vendor/bin/phpunit, or laravel dusk in the command line.

Scenario: A database backup script uses PHP to interact with a database via PDO or mysqli, such as with php backup.php.
Filter/Exclusion: Exclude processes where the script path is known (e.g., /var/www/backup.php) or where the user is a system or service account.
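The five exclusions above, applied in code to constructed process events (added example, not part of the original page). Each event carries the fields the scenarios refer to (command line, parent process name, user); the allowlisted script path and service-account names are assumptions, and the command line is tokenised so that php -S and php -t are matched as flags rather than as loose substrings.

```python
"""Apply the page's five filter/exclusion scenarios to constructed
process events (added example)."""
import shlex
from typing import Optional

# Assumptions: illustrative allowlists an organisation would maintain.
KNOWN_SCRIPTS = {"/var/www/backup.php"}
SERVICE_ACCOUNTS = {"backup"}


def exclusion_reason(event: dict) -> Optional[str]:
    """Return the scenario that excludes the event, or None if it should
    stay in the hunting queue for review."""
    argv = shlex.split(event["cmdline"])
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]      # "/usr/bin/php" -> "php"
    args = argv[1:]
    lowered = event["cmdline"].lower()
    parent = event.get("parent", "").lower()

    # 1. Admin checking configuration: php -i / php --ini
    if prog == "php" and ("-i" in args or "--ini" in args):
        return "php-config-check"
    # 2. Scheduled report job: cron or systemd as parent
    if "cron" in parent or "systemd" in parent:
        return "scheduled-job"
    # 3. Developer's local server: php -S / php -t
    if prog == "php" and ("-S" in args or "-t" in args):
        return "dev-server"
    # 4. CI test runners ("vendor/bin/phpunit" already contains "phpunit")
    if "phpunit" in lowered or "laravel dusk" in lowered:
        return "ci-tests"
    # 5. Known backup script path or a service account running it
    script = next((a for a in args if a.endswith(".php")), None)
    if script in KNOWN_SCRIPTS or event.get("user") in SERVICE_ACCOUNTS:
        return "known-backup"
    return None


def triage(events: list) -> list:
    """Command lines that survive every exclusion and still need review."""
    return [e["cmdline"] for e in events if exclusion_reason(e) is None]


# Constructed sample events, one per scenario plus two that survive.
EVENTS = [
    {"cmdline": "php -i", "parent": "bash", "user": "alice"},
    {"cmdline": "php /opt/reports/daily.php", "parent": "cron", "user": "www-data"},
    {"cmdline": "php -S localhost:8080 -t public", "parent": "bash", "user": "dev"},
    {"cmdline": "vendor/bin/phpunit --testsuite unit", "parent": "sh", "user": "ci"},
    {"cmdline": "php /var/www/backup.php", "parent": "bash", "user": "alice"},
    {"cmdline": "php /home/deploy/sync.php", "parent": "bash", "user": "backup"},
    {"cmdline": "php /tmp/.cache/x.php", "parent": "sh", "user": "deploy"},
    {"cmdline": "/usr/bin/php /srv/app/artisan queue:work",
     "parent": "supervisord", "user": "deploy"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(f"{exclusion_reason(e) or 'REVIEW':<17} {e['cmdline']}")
```

The service-account clause in scenario 5 is the broadest of the five: on its own it would also silence PHP started by a web server account, so in practice pair it with the script-path allowlist rather than relying on the account name alone.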