Threat hunting wireshark cheat sheet

While much of the focus of intrusion detection is on phishing messages and malware command and control channels, a sizable amount of intrusions rely upon server side compromises with the actor as the client. One of the mainstay tools in a good actor's chest is the webshell. A webshell allows the actor to essentially have command line access to the web server through an executable script placed on the web server. Actors often place these scripts on the web server themselves, either after lateral movement from other compromised hosts and user accounts, or after exploiting a Remote File Include or Local File Include vulnerability on the web server itself. Other times the actor is able to find a helpful script left behind by a web administrator that gives them the ability to execute commands.

Web shells can be crafted in every scriptable web language, but most of the webshells I've encountered have been. Web shells can be extremely simple, relying upon a small amount of code to execute. In this example "pass" is replaced with the password the actor uses to access the webshell.

Detection

Detecting webshells can be done in many different ways. The most robust method is to establish a regular change-management policy for your web servers, and to monitor for any changes to servable content with a file integrity system such as Samhain or Tripwire. Another method is to run scripts on your web servers to search for common web shell patterns such as the "%eval(RequestItem" above. This method can result in a surprising amount of false positives in web applications. Searching for known client IP addresses can be very effective in a hunting workflow, but they aren't very useful for alerting. In practice, the actors tend to come from dynamically allocated IP addresses, or through pools of VPN hosts. The first characteristic to note is that the actors often place the server side web shell execution code in its own file. The web shell script is often found deep within the web server's directory structure. One specific APT actor group has a tendency to name their web shells with a combination of two extensions (examples: deaspx.js or bonjs.asp). Some actors place their web shells within already existing scripts; in these cases the following methods of web shell detection are still useful. Most of the programs designed to interact with web shells allow the actor to change the reported User-Agent.
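The file-level checks from the detection discussion above (a double-extension name like deaspx.js or bonjs.asp, the eval(Request pattern, and a script buried deep in the directory tree), as an added example that is not code from the original post: a small Python scanner run over a constructed web root in a temporary directory. The extension list, the depth threshold of four directories and both regexes are my assumptions, not the post's.

```python
import re
import tempfile
from pathlib import Path

# Indicators from the post: a stem ending in one web extension while the real
# extension is another (deaspx.js, bonjs.asp), and server-side code that
# evaluates raw request input (the "%eval(Request.Item" one-liner).
WEB_EXTS = r"(?:asp|aspx|php|jsp|js)"            # assumed list of extensions
DOUBLE_EXT_RE = re.compile(rf"{WEB_EXTS}\.{WEB_EXTS}$", re.IGNORECASE)
EVAL_REQUEST_RE = re.compile(rb"eval\s*\(?\s*Request", re.IGNORECASE)
DEEP_PATH = 4  # assumed threshold: directories below the web root


def scan_webroot(root):
    """Walk a web root; return {relative_path: [reasons]} for suspicious files."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if DOUBLE_EXT_RE.search(path.name):
            reasons.append("double extension")
        try:
            if EVAL_REQUEST_RE.search(path.read_bytes()):
                reasons.append("eval(Request pattern")
        except OSError:
            continue
        rel = path.relative_to(root)
        # Depth alone is not a finding; it only adds context to a real hit.
        if reasons and len(rel.parts) - 1 >= DEEP_PATH:
            reasons.append("deep in directory tree")
        if reasons:
            findings[rel.as_posix()] = reasons
    return findings


def demo():
    """Build a constructed web root in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        samples = {  # constructed sample files, not real site content
            "index.asp": b'<% Response.Write("hello") %>',
            "img/old/cache/x/deaspx.js": b'<%eval(Request.Item["pass"]',  # fragment
            "scripts/bonjs.asp": b'<% Response.Write("ok") %>',
        }
        for rel, body in samples.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(body)
        return scan_webroot(root)
```

Call demo() to scan the constructed tree; the benign index.asp is not reported, bonjs.asp is flagged on name alone, and the buried deaspx.js is flagged on all three indicators. Expect false positives on real applications that legitimately evaluate request data, as the post notes.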