Yara Rule - Detects SECRETSAUCE PHP webshells (found after an exploitation of Citrix NetScaler ADC CVE-2023-3519)

Yara definition.

Author: Florian Roth

https://www.mandiant.com/resources/blog/citrix-zero-day-espionage

```yara
/* first rule: meta and strings as given on the page (rule name and condition not shown) */
date = "2023-07-27"
score = 65
/* overly long URL - all URLLEN values >= 200 */
$sr1 = /GWTEST FORMS SSO: Parse=0; URLLEN=([2-9][0-9]{2}|[0-9]{4,20}); Event: start=0x/
$s1 = ", type=1; Target: start=0x"
```

```yara
/* second rule: meta and strings as given on the page (rule name and condition not shown) */
date = "2023-07-24"
score = 85
$sa1 = "for ($x=0; $x<=1; $x++) {" ascii
$sa2 = "$_REQUEST[" ascii
$sa3 = "@eval" ascii
$sb1 = "public $cmd;" ascii
$sb2 = "return @eval($a);" ascii
$sb3 = "$z->run($z->get('openssl_public_decrypt'));"
```
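The two string sets above can also be applied outside YARA for quick triage of an ns.log export and of PHP files pulled from a NetScaler. The following Python is an added example, not part of this page or of the signature-base repository: it reuses the page's `$sr1` regex and the `$sa*`/`$sb*` strings verbatim, assumes the webshell rule's condition is "all of ($sa*) or all of ($sb*)" (the page shows neither rule's name nor condition), and runs over constructed sample data whose log layout after `start=0x` is likewise an assumption.

```python
import re

# $sr1 from the page: URLLEN values of 200-999 (three digits, first digit 2-9)
# or any 4-20 digit value, i.e. every URLLEN >= 200. Group 1 captures the number.
URLLEN_RE = re.compile(
    r"GWTEST FORMS SSO: Parse=0; URLLEN=([2-9][0-9]{2}|[0-9]{4,20}); Event: start=0x"
)
# $s1 from the page, checked as a plain substring.
TARGET_MARKER = ", type=1; Target: start=0x"

# $sa* and $sb* from the page's second rule (ascii, case-sensitive substrings).
SA_STRINGS = ("for ($x=0; $x<=1; $x++) {", "$_REQUEST[", "@eval")
SB_STRINGS = ("public $cmd;", "return @eval($a);",
              "$z->run($z->get('openssl_public_decrypt'));")


def log_line_hits(lines):
    """Return (line_no, urllen, has_target_marker) for every line matching $sr1.

    The marker flag mirrors $s1, the second string the page lists for the
    first rule, so an analyst can see which long-URL lines also carry it.
    """
    hits = []
    for line_no, line in enumerate(lines, start=1):
        m = URLLEN_RE.search(line)
        if m:
            hits.append((line_no, int(m.group(1)), TARGET_MARKER in line))
    return hits


def secretsauce_variant(php_source):
    """Return 'sa', 'sb' or None.

    Assumed condition (not shown on the page): all of ($sa*) or all of ($sb*).
    Every string in a group must be present, so a single '@eval' alone is not a hit.
    """
    if all(s in php_source for s in SA_STRINGS):
        return "sa"
    if all(s in php_source for s in SB_STRINGS):
        return "sb"
    return None


# Constructed sample data (not real NetScaler output and not working PHP).
# Only the "GWTEST FORMS SSO: Parse=0; URLLEN=N; Event: start=0x" part and the
# ", type=1; Target: start=0x" marker come from the page; the rest is invented layout.
SAMPLE_NS_LOG = [
    "Jul 24 10:00:01 GWTEST FORMS SSO: Parse=0; URLLEN=27; Event: start=0x0, len=27; Target: start=0x0, len=0",
    "Jul 24 10:00:02 GWTEST FORMS SSO: Parse=0; URLLEN=199; Event: start=0x0, len=199; Target: start=0x0, len=0",
    "Jul 24 10:00:03 GWTEST FORMS SSO: Parse=0; URLLEN=312; Event: start=0x0, len=312, type=1; Target: start=0x0, len=0",
    "Jul 24 10:00:04 GWTEST FORMS SSO: Parse=0; URLLEN=1999; Event: start=0x0, len=1999, type=1; Target: start=0x0, len=0",
]

# The fixtures only need to contain the rule strings; they are deliberately inert.
SAMPLE_PHP_SA = (
    "<?php /* constructed fixture, not a working script */\n"
    "for ($x=0; $x<=1; $x++) {\n"
    "    $k = $_REQUEST['k']; // @eval appears only in this comment\n"
    "}\n"
)
SAMPLE_PHP_SB = (
    "<?php /* constructed fixture, not a working script */\n"
    "// public $cmd;\n"
    "// return @eval($a);\n"
    "// $z->run($z->get('openssl_public_decrypt'));\n"
)
BENIGN_PHP = "<?php echo 'hello'; ?>\n"


if __name__ == "__main__":
    for line_no, urllen, marker in log_line_hits(SAMPLE_NS_LOG):
        print("long URL on line %d: URLLEN=%d, target marker=%s" % (line_no, urllen, marker))
    for name, src in (("sa", SAMPLE_PHP_SA), ("sb", SAMPLE_PHP_SB), ("benign", BENIGN_PHP)):
        print(name, "->", secretsauce_variant(src))
```

Note that the regex boundary is exact: URLLEN=199 does not match (three digits starting with 1 fail the first alternative and there are too few digits for the second), while 200 and 1999 do. The webshell strings are plain case-sensitive substrings, so whitespace or quoting changes in a sample would evade them; that brittleness is why the rule requires a whole group of strings rather than `@eval` alone.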


https://github.com/Neo23x0/signature-base/commit/a5a204f45e060c9e894690ed6fe831d6cafdb302