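```yara
// JSP webshell that wraps its file-path, file-content and command parameters in
// decrypt()/encrypt() helper calls. The string names are taken from the shell
// source referenced in the advisory.
rule ShellJSP
{
    meta:
        reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
    strings:
        $s1 = "decrypt(fpath)"        // decrypt() applied to the path parameter
        $s2 = "decrypt(fcontext)"     // decrypt() applied to the content parameter
        $s3 = "decrypt(commandEnc)"   // decrypt() applied to the command parameter
        $s4 = "upload failed!"        // error message emitted by the shell
        $s5 = "aes.encrypt(allStr)"   // encrypt() call on the accumulated output
        $s6 = "newid"                 // generic token; only counts toward the threshold
    condition:
        // 4 of 6 tolerates light edits of the shell; the size cap excludes large
        // legitimate JSP/JAR bundles from the scan.
        filesize < 50KB and 4 of them
}
```

```yara
// Companion JSP that performs the AES handling for the shell above.
// Note for triage: $s3-$s5, $s7 and $s8 are standard Java/JSP API names that also
// appear in benign servlet code; the signal comes from the 6-of-8 threshold, i.e.
// AES-CBC crypto co-occurring with ProcessBuilder in a small JSP. Treat hits as
// candidates for review rather than as a stand-alone verdict.
rule EncryptJSP
{
    meta:
        reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
    strings:
        $s1 = "AEScrypt"              // class/helper name used by the shell
        $s2 = "AES/CBC/PKCS5Padding"  // cipher transformation string
        $s3 = "SecretKeySpec"
        $s4 = "FileOutputStream"
        $s5 = "getParameter"          // request parameter access (generic)
        $s6 = "new ProcessBuilder"    // command execution
        $s7 = "new BufferedReader"
        $s8 = "readLine()"
    condition:
        filesize < 50KB and 6 of them
}
```

```yara
// Actor-customised build of the open-source FRP (fast reverse proxy) client.
// Fix applied to this copy: the description value used typographic quotes (” ”),
// which YARA does not accept as string delimiters; replaced with ASCII quotes.
rule CustomFRPClient
{
    meta:
        reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
        description = "Identify instances of the actor's custom FRP tool based on unique strings chosen by the actor and included in the tool"
    strings:
        $s1 = "%!PS-Adobe-" nocase ascii wide                                  // PostScript header string embedded in the binary
        $s2 = "github.com/fatedier/frp/cmd/frpc" nocase ascii wide             // upstream FRP client package path
        $s3 = "github.com/fatedier/frp/cmd/frpc/sub.startService" nocase ascii wide
        $s4 = "MAGA2024!!!" nocase ascii wide                                  // actor-chosen string per the description; absent from HACKTOOL_FRPClient
        $s5 = "HTTP_PROXYHost: %s" nocase ascii wide
    condition:
        // All five are required: $s4 is what distinguishes this build from the
        // generic FRP client matched by HACKTOOL_FRPClient below.
        all of them
}
```

```yara
// Generic FRP client detection. Same strings as CustomFRPClient minus the
// actor-specific marker, so a hit here on its own is a tooling indicator, not an
// attribution; pair with CustomFRPClient for actor-specific matches.
// Fix applied to this copy: typographic quotes around the description replaced
// with ASCII quotes (YARA compile error otherwise).
rule HACKTOOL_FRPClient
{
    meta:
        reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
        description = "Identify instances of FRP tool (Note: This tool is known to be used by multiple actors, so hits would not necessarily imply activity by the specific actor described in this report)"
    strings:
        $s1 = "%!PS-Adobe-" nocase ascii wide
        $s2 = "github.com/fatedier/frp/cmd/frpc" nocase ascii wide
        $s3 = "github.com/fatedier/frp/cmd/frpc/sub.startService" nocase ascii wide
        $s4 = "HTTP_PROXYHost: %s" nocase ascii wide
    condition:
        // 3 of 4 allows one string to be stripped or altered in a rebuilt binary.
        3 of them
}
```

```yara
// Timewarp Java webshell delivered as a Tomcat module. Anonymous strings ($) are
// used because the condition only counts them.
rule CrowdStrike_VANGUARD_PANDA_timewarp_webshell : webshell vanguard_panda
{
    meta:
        copyright = "(c) 2023 CrowdStrike Inc."
        description = "Timewarp Java webshell in malicious Tomcat module"
        version = "202306131008"
        last_modified = "2023-06-13"
        actor = "VANGUARD PANDA"
    strings:
        $ = "setKey"
        $ = "ProcessBuilder"                         // command execution
        $ = "AES/ECB/PKCS5Padding"                   // cipher transformation string
        $ = "tmp.log"
        $ = "byteKey"
        $ = "method0"
        $ = "failed to read output from process"     // error message from the shell
    condition:
        filesize < 50KB and 4 of them
}
```

```yara
// JAR archive carrying the Timewarp webshell. The archive is identified by the
// ZIP local-file-header magic "PK" (0x4b50 when read little-endian at offset 0)
// plus the embedded class entry names.
rule CrowdStrike_VANGUARD_PANDA_timewarp_webshell_jar : java vanguard_panda
{
    meta:
        copyright = "(c) 2023 CrowdStrike Inc."
        description = "JAR file containing Timewarp webshell"
        version = "202306131011"
        last_modified = "2023-06-13"
        actor = "VANGUARD PANDA"
        reference = "https://www.crowdstrike.com/en-us/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/"
    strings:
        $WsSci = "/WsSci.class"              // required loader class entry
        $abc1 = "/A.class"                   // one naming scheme for the payload classes ...
        $abc2 = "/B.class"
        $abc3 = "/C.class"
        $timewarp1 = "/Timewarp.class"       // ... and the other
        $timewarp2 = "/Timewarp2.class"
        $timewarp3 = "/Timewarp3.class"
    condition:
        // ZIP magic, size cap, the loader class, and a complete set of either
        // payload naming scheme.
        uint16(0) == 0x4b50 and filesize < 1MB and $WsSci and (all of ($abc*) or all of ($timewarp*))
}
```

```yara
// Installer script that loads and executes the webshell classes.
// Fix applied to this copy: the original listing contained `$ = ""`. YARA rejects
// empty strings at compile time and the intended value was lost when this page
// was extracted, so the entry is commented out below (placeholder) and should be
// restored from the reference URL before the rule is deployed. The remaining ten
// strings still satisfy the 4-of-them threshold; an empty string could not have
// contributed a match in any case.
rule CrowdStrike_VANGUARD_PANDA_webshell_installer : java vanguard_panda
{
    meta:
        copyright = "(c) 2023 CrowdStrike Inc."
        description = "ClassLoader - Java webshell install and execute script"
        version = "202306131012"
        last_modified = "2023-06-13"
        actor = "VANGUARD PANDA"
        reference = "https://www.crowdstrike.com/en-us/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/"
    strings:
        // $ = "<STRING-VALUE-LOST-IN-EXTRACTION>"   // restore from reference before use
        $ = "customEndpoint1"
        $ = "move true "                 // trailing space is part of the indicator
        $ = "inject true "               // trailing space is part of the indicator
        $ = "ListName_jsp"
        $ = "photohelp_jsp"
        $ = "photoparse_jsp"
        $ = "Timewarp.class"
        $ = "WsSci.class"
        $ = "/A.class"
        $ = "srcZipfs.getPath"           // zip filesystem access used to place the classes
    condition:
        filesize < 50KB and 4 of them
}
```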