The hypothesis is that the detection of PAS Tool PHP Web Kit indicates potential adversary use of a compromised web application to execute malicious code or exfiltrate data. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage web-based attacks that may evade traditional detection methods.
YARA Rule
rule WebShell_PHP_Web_Kit_v4
{
    meta:
        description = "Detects PAS Tool PHP Web Kit"
        reference = "https://github.com/wordfence/grizzly"
        author = "Florian Roth"
        date = "2016/01/01"
    strings:
        $php = "<?php $"
        $s1 = "(StR_ReplAcE(\"\\n\",'',"
        $s2 = ";if(PHP_VERSION<'5'){" ascii
        $s3 = "=SuBstr_rePlACe(" ascii
    condition:
        $php at 0 and filesize > 8KB and filesize < 100KB and 2 of ($s*)
}
This YARA rule can be deployed in the following contexts:
This rule uses four string patterns in its detection logic: $php anchors the PHP opening tag at file offset 0, and at least two of the three mixed-case obfuscation signatures ($s1, $s2, $s3) must also appear, in a file larger than 8 KB and smaller than 100 KB.
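To check how the anchoring, size window and "2 of" clauses interact, the following is an added example (not part of the original page or the rule's author's work) that re-implements the condition of WebShell_PHP_Web_Kit_v4 in plain Python and runs it over a few constructed sample files; it is not a YARA engine, and every sample is built inline for illustration.

```python
# Re-implementation of the WebShell_PHP_Web_Kit_v4 condition; strings are copied
# from the rule above, sample files below are constructed for illustration only.
HEADER = b"<?php $"                          # $php, required "at 0"
PATTERNS = {
    # "\\n" is a literal backslash followed by n, as in the obfuscated PHP source
    "$s1": b"(StR_ReplAcE(\"\\n\",'',",
    "$s2": b";if(PHP_VERSION<'5'){",
    "$s3": b"=SuBstr_rePlACe(",
}
MIN_SIZE, MAX_SIZE = 8 * 1024, 100 * 1024   # filesize > 8KB and filesize < 100KB


def evaluate(data: bytes) -> dict:
    """Evaluate the rule condition on file bytes and report why it did or did not fire."""
    matched = [name for name, pat in PATTERNS.items() if pat in data]
    header_ok = data.startswith(HEADER)
    size_ok = MIN_SIZE < len(data) < MAX_SIZE
    return {
        "size": len(data),
        "header_at_0": header_ok,
        "matched": matched,
        "hit": header_ok and size_ok and len(matched) >= 2,
    }


def build_sample(strings, pad_to: int, prefix: bytes = b"") -> bytes:
    """Constructed PHP-like file: optional prefix, the header, chosen strings, then filler."""
    body = prefix + HEADER + b"a=1;\n" + b"\n".join(strings) + b"\n"
    return body.ljust(pad_to, b" ")


SAMPLES = {
    "all three strings, 20 KB": build_sample(list(PATTERNS.values()), 20 * 1024),
    "two strings, 20 KB": build_sample([PATTERNS["$s2"], PATTERNS["$s3"]], 20 * 1024),
    "one string only, 20 KB": build_sample([PATTERNS["$s1"]], 20 * 1024),
    "all strings but under 8 KB": build_sample(list(PATTERNS.values()), 4 * 1024),
    "all strings, 200 KB": build_sample(list(PATTERNS.values()), 200 * 1024),
    "header not at offset 0": build_sample(list(PATTERNS.values()), 20 * 1024, prefix=b"\n"),
}


def scan_samples() -> dict:
    """Return {label: hit} for every constructed sample."""
    return {label: evaluate(data)["hit"] for label, data in SAMPLES.items()}


if __name__ == "__main__":
    for label, data in SAMPLES.items():
        r = evaluate(data)
        print(f"{'HIT ' if r['hit'] else 'miss'}  {label:30} size={r['size']:6d} matched={r['matched']}")
```

The misses show the tuning that is baked into the rule itself: a tiny or very large file, a single signature, or a leading byte before the PHP tag all suppress the match, which is worth remembering when a suspicious file scores zero.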
Scenario: Legitimate scheduled job using php to execute a maintenance script
Filter/Exclusion: process.parent_process_name:*crontab* OR process.parent_process_name:*systemd*
Rationale: Scheduled jobs often use php to run scripts, and their parent process is typically a scheduler like crontab or systemd.
Scenario: Admin task using PHP CLI to run a database backup script
Filter/Exclusion: process.command_line:*/usr/bin/php*backup_script.php*
Rationale: Database backups are common admin tasks and may involve running PHP scripts via CLI with known command-line arguments.
Scenario: Development environment using PHP for unit testing
Filter/Exclusion: process.command_line:*phpunit* OR process.user:*dev*
Rationale: Unit testing with phpunit is a common development activity and may be performed by non-production users.
Scenario: Legitimate use of php in a CI/CD pipeline (e.g., Jenkins, GitLab CI)
Filter/Exclusion: process.parent_process_name:*jenkins* OR process.parent_process_name:*gitlab-runner*
Rationale: CI/CD pipelines often execute PHP scripts as part of the build process, and their parent processes are known CI tools.
Scenario: PHP-based monitoring tool running a health check
Filter/Exclusion: process.command_line:*monitoring_tool* OR process.command_line:*check_php*
Rationale: Some monitoring tools use PHP scripts to check server health or application status, which can trigger the rule.