The detection identifies the presence of a generic PHP mailer script commonly used in email-based attacks to exfiltrate data or establish command and control. SOC teams should proactively hunt for this script in their Azure Sentinel environment to identify potential compromise vectors and mitigate the risk of data exfiltration or further lateral movement.
YARA Rule
rule Email_Generic_PHP_Mailer_Script
{
meta:
Description ="Generic rule to identify potential emails sent from hacktool mailer scripts"
Author = "Xylitol <xylitol@temari.fr>"
date = "2020-05-11"
// Attempt at getting live urls of HackTool.PHP.SpyMail (kav),
// Script.Trojan.PHPMailer (gdata), Trojan.PHP.Mailar (Ikarus)
// This Yara rule is meant to be run against .eml files
// May only the challenge guide you
strings:
// Files, part of php package who can trigger the rules
// we don't want that if we scan a mixed batch of files.
$donotwant1 = { FE ED FA CE } // Mach-O binary (32-bit)
$donotwant2 = { FE ED FA CF } // Mach-O binary (64-bit)
$donotwant3 = { CE FA ED FE } // Mach-O binary (reverse byte ordering scheme, 32-bit)
$donotwant4 = { CE FA ED FE } // Mach-O binary (reverse byte ordering scheme, 64-bit)
$donotwant5 = { 4D 5A 50 00 02 } // Win32 Dynamic Link Library - Borland C/C++
$donotwant6 = { 53 75 62 6A 65 63 74 3A 20 25 73 } // "Subject: %s"
// Adjust to your need the list of legitimate. You may miss web sent
// spam through this filter, but we don't need stuff we can't access
// publicly like cpanel, Roundcube, etc...
$legit1 = "(https://github.com/PHPMailer/PHPMailer)" // PHPMailer
$legit2 = "(phpmailer.sourceforge.net)" // PHPMailer
$legit3 = "X-Mailer: PHPMailer" // PHPMailer
$legit4 = "SimpleMailInvoker.php" // Swiftmailer
$legit5 = "X-Mailer: SMF" // Simple Machines Forum
$legit6 = "X-Mailer: phpBB3" // phpBB3
$legit7 = "X-Mailer: PHP/Xooit" // Xooit forum
$legit8 = "X-Mailer: vBulletin" // vBulletin
$legit9 = "X-Mailer: MediaWiki mailer" // MediaWiki
$legit10 = "X-Mailer: Drupal" // Drupal
$legit11 = "X-Mailer: osCommerce Mailer" // osCommerce
$legit12 = "abuse@mailjet.com" // Message sent by Mailjet
$legit13 = "class.foxycart.transaction.php" // Foxy Ecommerce
$legit14 = "User-Agent: Roundcube Webmail" // Roundcube
$legit15 = "User-Agent: SquirrelMail" // SquirrelMail
$legit16 = "X-Source: /opt/cpanel/" // mail send from cpanel
$legit17 = { 58 2D 50 48 50 2D 4F 72 69 67 69 6E 61 74 69 6E 67 2D 53 63 72 69 70 74 3A 20 [1-6] 3A 70 6F 73 74 2E 70 68 70 28 [1-6] 29 } // "X-PHP-Originating-Script: ?:post.php(?)" Might be related to cpanel.
$legit18 = { 58 2D 50 48 50 2D 53 63 72 69 70 74 3A 20 [3-30] 2F 70 6F 73 74 2E 70 68 70 20 66 6F 72 20 } // "X-PHP-Script: ????/post.php for " Might be related to cpanel.
$eml1 = "From:"
$eml2 = "To:"
$eml3 = "Subject:"
$mailer1 = /X-PHP-Originating-Script: ([\w\.]+(.*\.php))?/
$mailer2 = /X-PHP-Script: ([\w\.\/]+\/(.*\.php))?/
$mailer3 = /X-PHP-Filename: (\/[\w]+\/(.*\.php))?/
// $mailer4 = /X-Source-Args: (\/[\w]+\/(.*\.php))?/ // may lead to false positive and unwanted, up to you.
condition:
not any of ($donotwant*) and not any of ($legit*)
and all of ($eml*) and 2 of ($mailer*)
}This YARA rule can be deployed in the following contexts:
This rule contains 31 string patterns in its detection logic.
Scenario: Scheduled Cron Job for Email Notifications
Description: A legitimate cron job runs a PHP script to send automated email notifications (e.g., for user account confirmations or password resets).
Filter/Exclusion: Check for presence of cron or crontab in the file metadata, or filter by file path such as /var/www/html/email-notify.php.
Scenario: Admin Task for Sending Test Emails
Description: An administrator uses a PHP script to send test emails to verify SMTP configurations (e.g., using mail() function or a tool like phpmailer).
Filter/Exclusion: Filter by user context (e.g., user = admin) or check for presence of test email addresses in the script.
Scenario: Integration with Email Marketing Tool
Description: A PHP script is used to integrate with an email marketing platform (e.g., Mailchimp, SendGrid) to send bulk emails.
Filter/Exclusion: Check for API keys or integration-specific strings (e.g., SendGrid, Mailchimp) in the script content.
Scenario: Internal Reporting Tool Using PHPMailer
Description: An internal reporting tool uses PHPMailer to send reports via email to stakeholders.
Filter/Exclusion: Filter by file path (e.g., /opt/reporting/email-reporter.php) or check for presence of reporting-related keywords.
Scenario: Legacy System Email Notification Script
Description: A legacy system or application uses a generic PHP mailer script to send status updates or alerts (e.g., using mail() function).
Filter/Exclusion: Filter by file path (e.g., /usr/local/legacy/email_alert.php) or check for presence of legacy system identifiers.