title: Antivirus Web Shell Detection
id: fdf135a2-9241-4f96-a114-bb404948f736
description: Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches.
status: experimental
date: 2018/09/09
modified: 2022/05/12
author: Florian Roth, Arnim Rupp
references:
    - https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/
    - https://github.com/tennc/webshell
    - https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
    - https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
    - https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
    - https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection
    - https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection
    - https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
    - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: antivirus
detection:
    selection:
        - Signature|startswith:
            - 'PHP/'
            - 'JSP/'
            - 'ASP/'
            - 'Perl/'
            - 'PHP.'
            - 'JSP.'
            - 'ASP.'
            - 'Perl.'
            - 'VBS/Uxor' # looking for 'VBS/' would also find downloaders and droppers meant for desktops
            - 'IIS/BackDoor'
            - 'JAVA/Backdoor'
            - 'Troj/ASP'
            - 'Troj/PHP'
            - 'Troj/JSP'
        - Signature|contains:
            - 'Webshell'
            - 'Chopper'
            - 'SinoChoper'
            - 'ASPXSpy'
            - 'Aspdoor'
            - 'filebrowser'
            - 'PHP_'
            - 'JSP_'
            - 'ASP_' # looking for 'VBS_' would also find downloaders and droppers meant for desktops
            - 'PHP:'
            - 'JSP:'
            - 'ASP:'
            - 'Perl:'
            - 'PHPShell'
            - 'Trojan.PHP'
            - 'Trojan.ASP'
            - 'Trojan.JSP'
            - 'Trojan.VBS'
            - 'PHP?Agent'
            - 'ASP?Agent'
            - 'JSP?Agent'
            - 'VBS?Agent'
            - 'Backdoor?PHP'
            - 'Backdoor?JSP'
            - 'Backdoor?ASP'
            - 'Backdoor?VBS'
            - 'Backdoor?Java'
            - 'PShlSpy'
    condition: selection
fields:
    - FileName
    - User
falsepositives:
    - Unlikely
level: high