The hypothesis is that detection of the PAS Tool PHP Web Kit (the P.A.S. PHP web shell described in the GRIZZLY STEPPE report) on a web server indicates that an adversary has compromised the web application and planted a web shell for persistence, command execution, or data exfiltration. SOC teams should proactively hunt for this in Azure Sentinel to identify and contain early-stage web-based intrusions that may evade traditional detection, for example by scanning web-root and upload directories with the rule below and reviewing process activity spawned by PHP worker processes.
YARA Rule
rule PAS_TOOL_PHP_WEB_KIT_mod
{
    meta:
        description = "Detects PAS Tool PHP Web Kit"
        reference = "https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity"
        author = "US CERT - modified by Florian Roth due to performance reasons"
        date = "2016/12/29"
    strings:
        $php = "<?php"
        $base64decode1 = "='base'.("
        $strreplace = "str_replace(\"\\n\", ''"
        $md5 = ".substr(md5(strrev("
        $gzinflate = "gzinflate"
        $cookie = "_COOKIE"
        $isset = "isset"
    condition:
        // PHP open tag at offset 0, size window, exact occurrence counts, and every string present
        $php at 0 and (filesize > 10KB and filesize < 30KB) and #cookie == 2 and #isset == 3 and all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 7 string patterns in its detection logic. All 7 must be present; in addition, <?php must sit at file offset 0, _COOKIE must occur exactly 2 times and isset exactly 3 times (YARA's # operator is an exact occurrence count, so a file with a third _COOKIE does not match), and the file size must be between 10KB and 30KB. Because the rule matches file content, it is applied by scanning files (for example a web root) rather than process telemetry; the process-based exclusions below tune the process-execution hunt that accompanies a YARA hit, not the rule itself.
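To make the condition semantics concrete, the following added example re-implements the rule's condition in plain Python and exercises it on constructed, inert PHP blobs. It is not part of the original page, the US-CERT report, or Florian Roth's signature-base; the blob builder, its padding scheme, and the 12KB default size are assumptions chosen to land inside the rule's size window.

```python
"""Re-implementation of the PAS_TOOL_PHP_WEB_KIT_mod condition in plain Python.

Added example; it is not part of the original page, the US-CERT report or
Florian Roth's signature-base. It mirrors the rule's condition so that its
semantics (offset anchoring, the size window, and exact occurrence counts) can
be exercised offline without yara-python. The PHP blobs built below are
constructed for the test and are inert: they are never executed.
"""

# The seven patterns exactly as the rule declares them (YARA escapes decoded).
STRINGS = {
    "php": b"<?php",
    "base64decode1": b"='base'.(",
    "strreplace": b'str_replace("\\n", \'\'',   # literal backslash-n, as in the rule
    "md5": b".substr(md5(strrev(",
    "gzinflate": b"gzinflate",
    "cookie": b"_COOKIE",
    "isset": b"isset",
}

KB = 1024  # YARA's KB suffix is a multiple of 1024


def evaluate_pas_rule(data: bytes) -> dict:
    """Return each sub-condition of the rule and the overall verdict."""
    # None of the needles can overlap themselves, so bytes.count() equals YARA's #count.
    counts = {name: data.count(needle) for name, needle in STRINGS.items()}
    checks = {
        # "$php at 0": the open tag must be the very first bytes of the file
        "php_at_0": data.startswith(STRINGS["php"]),
        # "filesize > 10KB and filesize < 30KB"
        "filesize_in_window": 10 * KB < len(data) < 30 * KB,
        # "#cookie == 2" / "#isset == 3": exact counts, not minimums
        "cookie_exactly_2": counts["cookie"] == 2,
        "isset_exactly_3": counts["isset"] == 3,
        # "all of them": every declared string occurs at least once
        "all_strings_present": all(c > 0 for c in counts.values()),
    }
    checks["match"] = all(checks.values())
    return checks


def build_sample(cookie_count: int = 2, isset_count: int = 3, size: int = 12 * KB) -> bytes:
    """Construct an inert PHP-looking blob carrying the rule's strings with the
    requested occurrence counts, padded with a comment to exactly `size` bytes.
    (Constructed test data; the PHP is not meant to be valid or run.)"""
    body = (
        b"<?php\n"
        b"// constructed test blob, not a real web shell\n"
        b"$f='base'.(64).'_decode';\n"                 # -> ='base'.(
        b"$s=str_replace(\"\\n\", '', 'x');\n"         # -> str_replace("\n", ''
        b"$k=''.substr(md5(strrev('x')),0,8);\n"       # -> .substr(md5(strrev(
        b"$g='gzinflate';\n"
    )
    body += b"$v=$_COOKIE['k'];\n" * cookie_count
    body += b"if(isset($v)){}\n" * isset_count
    pad = max(0, size - len(body) - len(b"/**/\n"))
    return body + b"/*" + b"A" * pad + b"*/\n"


if __name__ == "__main__":
    for label, blob in [
        ("baseline", build_sample()),
        ("third _COOKIE", build_sample(cookie_count=3)),
        ("8KB file", build_sample(size=8 * KB)),
        ("leading newline", b"\n" + build_sample()),
    ]:
        print(label, evaluate_pas_rule(blob))
```

Run as a script, the baseline blob matches while each variant fails exactly one sub-condition. The variants are also the rule's obvious weaknesses: a single byte before the open tag, a fourth isset, or a file outside the 10KB-30KB window all defeat it, which is why a hit is a strong hunting lead but a miss proves nothing.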
Scenario: Legitimate scheduled job using php to execute a maintenance script
Filter/Exclusion: process.parent_process_name:*cron* OR process.parent_process_name:*systemd*
Rationale: Scheduled jobs often invoke php, and their parent process is the scheduler daemon. On most Linux distributions that daemon is named cron or crond (crontab is only the tool that edits the job tables), so the pattern is *cron* rather than *crontab*; jobs started by systemd timers have systemd as their parent. Because cron entries are also a common persistence mechanism, pair this exclusion with a review of the job definitions or narrow it to the known maintenance script's full path.
Scenario: Admin using PHP CLI to run a custom script for data processing
Filter/Exclusion: process.command_line:*/usr/bin/php* AND process.parent_process_name:*bash*
Rationale: Admins may run PHP scripts directly from an interactive shell. This does not fire the YARA rule, which matches file content rather than process activity, but it does appear in the process-execution hunt around a YARA hit. On its own the filter is weak: an attacker who has obtained a shell (including through the web shell itself) also launches php from bash, so scope it to named administrator accounts and never to the web server's service account such as www-data.
Scenario: Development team using PHP for code deployment via a CI/CD pipeline
Filter/Exclusion: process.command_line:*/opt/deployscript.php* OR process.parent_process_name:*jenkins*
Rationale: CI/CD pipelines often run PHP scripts for deployment. The path /opt/deployscript.php is a placeholder for the real deployment script and should be replaced with its full path on the host. Note that Jenkins agents usually execute build steps through a java process and an sh wrapper, so a parent name of *jenkins* may not match in practice; the build service account or the known script path is a more reliable key.
Scenario: Legitimate use of php in a web application to handle form submissions
Filter/Exclusion: process.command_line:*index.php* AND process.parent_process_name:*nginx* (as written this clause rarely matches; see rationale)
Rationale: Web applications do process form submissions through entry points such as index.php, but nginx does not execute PHP itself: it hands requests to a FastCGI backend such as php-fpm, and the PHP code runs inside php-fpm worker processes whose parent is the php-fpm master and whose command line is the pool name, not index.php. More importantly, the PHP worker is exactly the process from which a web shell runs and spawns commands, so excluding activity under the web server blinds the hunt. Do not exclude here; instead treat PHP workers spawning shells or php binaries as a high-value signal.
Scenario: System administrator using php to run a database backup script
Filter/Exclusion: process.command_line:*backup_script.php* AND process.parent_process_name:*bash*
Rationale: Backup scripts are often run manually by admins, with a shell session as the parent. backup_script.php is a placeholder for the real script; match on its full path, since a wildcard on a bare file name is trivially satisfied by an attacker who names their own script to match. As with the PHP CLI case, also constrain the user account so that the web server's service account is never excluded.
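The following added example applies the scenario exclusions above to a handful of constructed process-creation events and shows which ones an analyst would still see. It is not code from the original page or from any SIEM; the field names (process.command_line, process.parent_process_name, user.name), the wildcard evaluation with fnmatch, the www-data service account and the events themselves are assumptions made for the example.

```python
"""Evaluate the page's scenario exclusions against process-creation events.

Added example, not code from the original page or from any SIEM vendor. The
exclusions are written on the page in a KQL/Lucene-like field:*glob* form;
this helper evaluates them with shell-style wildcards over event dicts so the
tuning can be checked offline. Field names (process.command_line,
process.parent_process_name, user.name) and the events themselves are
constructed for the example and are assumptions about the telemetry schema.
"""
import fnmatch

# (operator, [(field, pattern), ...]) per scenario. A leading "!" negates a term.
# "*cron*" covers cron, crond and crontab: the daemon is named cron or crond on
# common Linux distributions, so a narrower "*crontab*" would miss its children.
EXCLUSIONS = {
    "scheduled_job": ("OR", [("process.parent_process_name", "*cron*"),
                             ("process.parent_process_name", "*systemd*")]),
    "admin_cli": ("AND", [("process.command_line", "*/usr/bin/php*"),
                          ("process.parent_process_name", "*bash*")]),
    "cicd": ("OR", [("process.command_line", "*/opt/deployscript.php*"),
                    ("process.parent_process_name", "*jenkins*")]),
    "web_form": ("AND", [("process.command_line", "*index.php*"),
                         ("process.parent_process_name", "*nginx*")]),
    "backup": ("AND", [("process.command_line", "*backup_script.php*"),
                       ("process.parent_process_name", "*bash*")]),
}


def term_matches(event: dict, field: str, pattern: str) -> bool:
    """Case-sensitive glob match of one field; '!' prefix inverts the result."""
    value = str(event.get(field, ""))
    if pattern.startswith("!"):
        return not fnmatch.fnmatchcase(value, pattern[1:])
    return fnmatch.fnmatchcase(value, pattern)


def excluded_by(event: dict, exclusions: dict = EXCLUSIONS) -> list:
    """Names of the scenarios whose exclusion clause the event satisfies."""
    hits = []
    for name, (op, terms) in exclusions.items():
        results = [term_matches(event, f, p) for f, p in terms]
        if all(results) if op == "AND" else any(results):
            hits.append(name)
    return hits


def hunt(events: list, exclusions: dict = EXCLUSIONS) -> list:
    """Event ids that survive the exclusions and therefore reach an analyst."""
    return [e["id"] for e in events if not excluded_by(e, exclusions)]


def harden(exclusions: dict) -> dict:
    """Tighten the shell-parented AND clauses with a user constraint: the web
    server's service account (assumed here to be www-data) has no business
    running ad-hoc php from an interactive shell, so it is never excluded."""
    hardened = {}
    for name, (op, terms) in exclusions.items():
        if op == "AND" and any(p == "*bash*" for _, p in terms):
            terms = terms + [("user.name", "!www-data")]
        hardened[name] = (op, terms)
    return hardened


# Constructed events. With nginx the PHP code runs inside php-fpm workers, so a
# web shell's commands appear as children of php-fpm, never of nginx.
EVENTS = [
    {"id": "cron-maint", "process.command_line": "/usr/bin/php /var/www/maint.php",
     "process.parent_process_name": "crond", "user.name": "root"},
    {"id": "admin-cli", "process.command_line": "/usr/bin/php /home/alice/report.php",
     "process.parent_process_name": "bash", "user.name": "alice"},
    {"id": "attacker-cli", "process.command_line": "/usr/bin/php -r 'system(\"id\");'",
     "process.parent_process_name": "bash", "user.name": "www-data"},
    {"id": "webshell-child", "process.command_line": "/bin/sh -c id",
     "process.parent_process_name": "php-fpm", "user.name": "www-data"},
    {"id": "ci-deploy", "process.command_line": "/usr/bin/php /opt/deployscript.php",
     "process.parent_process_name": "sh", "user.name": "jenkins"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["id"], "excluded by", excluded_by(e) or "nothing")
    print("page filters leave:", hunt(EVENTS))
    print("hardened filters leave:", hunt(EVENTS, harden(EXCLUSIONS)))
```

With the page's filters as written, the attacker's php -r launched from a bash session under the web server account is swallowed by the PHP CLI exclusion, while the shell spawned by the php-fpm worker (the web shell's real execution path) matches none of the exclusions, including the nginx-parented form-handling clause. Adding the user constraint via harden() keeps the admin's run excluded and lets the attacker's command through.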