Yara Rule - Detects ASPX web shells as being used in MOVEit Transfer exploitation - Neo23x0

Yara Rule - Detects ASPX web shells as being used in MOVEit Transfer exploitation

Yara definition.

Author: Florian Roth

https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/

```
date = "2023-06-01"
score = 85
hash1 = "2413b5d0750c23b07999ec33a5b4930be224b661aaf290a0118db803f31acbc5"
hash2 = "48367d94ccb4411f15d7ef9c455c92125f3ad812f2363c4d2e949ce1b615429a"
hash3 = "e8012a15b6f6b404a33f293205b602ece486d01337b8b3ec331cd99ccadb562e"
$s1 = "X-siLock-Comment" ascii fullword
$s2 = "]; string x = null;" ascii
$s3 = ";  if (!String.Equals(pass, " ascii
```


[https://github.com/Neo23x0/signature-base/commit/948d1d63d3bbcf7f56a4ba97a4ea75d1fe54a58a](https://github.com/Neo23x0/signature-base/commit/948d1d63d3bbcf7f56a4ba97a4ea75d1fe54a58a)