The hypothesis is that a detection of the PAS Tool PHP Web Kit indicates potential adversary use of a web-based toolkit to maintain persistent access to, or exfiltrate data from, a compromised system. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversary activity that may evade traditional detection methods.
YARA Rule
rule WebShell_PHP_Web_Kit_v3
{
   meta:
      description = "Detects PAS Tool PHP Web Kit"
      reference = "https://github.com/wordfence/grizzly"
      author = "Florian Roth"
      date = "2016/01/01"
   strings:
      $php = "<?php $"
      $php2 = "@assert(base64_decode($_REQUEST["
      $s1 = "(str_replace(\"\\n\", '', '"
      $s2 = "(strrev($" ascii
      $s3 = "de'.'code';" ascii
   condition:
      ( $php at 0 or $php2 ) and filesize > 8KB and filesize < 100KB and all of ($s*)
}
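Added example (not part of the rule above or of its author's tooling): the rule's condition mirrored in pure Python so that the role of each clause, the `at 0` anchor, the 8KB/100KB size window and `all of ($s*)`, can be checked against constructed, inert sample bytes without a YARA engine. The functions `evaluate` and `build_sample` and the `Verdict` type are names introduced here.

```python
# Added example: pure-Python mirror of the WebShell_PHP_Web_Kit_v3 condition,
# so each clause can be exercised on constructed sample bytes without a YARA
# engine. Function names (evaluate, build_sample) are introduced here.
from dataclasses import dataclass, field

# YARA size suffixes use 1024: 8KB -> 8192 bytes, 100KB -> 102400 bytes.
MIN_SIZE = 8 * 1024
MAX_SIZE = 100 * 1024

PHP = b"<?php $"                              # $php, must sit at offset 0
PHP2 = b"@assert(base64_decode($_REQUEST["    # $php2, anywhere in the file
# YARA "\"\\n\"" is a literal backslash followed by n; escape it the same way.
S_STRINGS = {
    "$s1": b"(str_replace(\"\\n\", '', '",
    "$s2": b"(strrev($",
    "$s3": b"de'.'code';",
}

@dataclass
class Verdict:
    matched: bool
    reasons: list = field(default_factory=list)

def evaluate(data: bytes) -> Verdict:
    """( $php at 0 or $php2 ) and filesize > 8KB and filesize < 100KB and all of ($s*)"""
    reasons = []
    if not (data.startswith(PHP) or PHP2 in data):
        reasons.append("neither '$php at 0' nor '$php2' satisfied")
    if not (MIN_SIZE < len(data) < MAX_SIZE):
        reasons.append(f"filesize {len(data)} outside (8KB, 100KB)")
    missing = [name for name, pat in S_STRINGS.items() if pat not in data]
    if missing:
        reasons.append("missing " + ", ".join(missing))
    return Verdict(matched=not reasons, reasons=reasons)

def build_sample(include_all: bool = True, size: int = 16 * 1024) -> bytes:
    """Constructed, inert sample: the rule's markers inside PHP comments plus padding."""
    parts = [PHP, b"x = 1;\n", b"// " + PHP2 + b"\n"]
    for name, pat in S_STRINGS.items():
        if include_all or name != "$s3":
            parts.append(b"// " + pat + b"\n")
    body = b"".join(parts)
    return body + b"// pad\n" * ((size - len(body)) // 7 + 1)

if __name__ == "__main__":
    for label, sample in [("full", build_sample()), ("small", build_sample(size=1024)),
                          ("no $s3", build_sample(include_all=False))]:
        print(label, evaluate(sample))
```

Running the block prints one verdict per constructed sample, showing which clause blocks a match when a file is under 8KB or lacks one of the `$s*` strings.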
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
Scenario: Legitimate PHP script execution via cron job
Filter/Exclusion: process.parent_process_name != "cron" OR process.command_line NOT LIKE '%/usr/bin/php%'

Scenario: Admin performing a scheduled backup using a PHP-based backup tool (e.g., backup-php)
Filter/Exclusion: process.command_line LIKE '%backup-php%' OR process.parent_process_name = "backup-php"

Scenario: Development team using a PHP linter or code formatter (e.g., phpcs, php-cs-fixer)
Filter/Exclusion: process.command_line LIKE '%phpcs%' OR process.command_line LIKE '%php-cs-fixer%'

Scenario: System administrator running a PHP-based monitoring script (e.g., monit, check_php)
Filter/Exclusion: process.command_line LIKE '%monit%' OR process.command_line LIKE '%check_php%'

Scenario: Scheduled job using PHP to generate reports (e.g., report-generator-php)
Filter/Exclusion: process.command_line LIKE '%report-generator-php%' OR process.parent_process_name = "cron"