Webshell
A web shell is a script that can be uploaded to a web server to enable remote administration of the machine.
Infected web servers can be either Internet-facing or internal to the network, where the web shell is used to pivot further to internal hosts. A web shell can be written in any language that the target web server supports. The most commonly observed web shells are written in languages that are widely supported, such as PHP and ASP. Perl, Ruby, Python, and Unix shell scripts are also used.
Using network reconnaissance tools, an adversary can identify vulnerabilities that can be exploited and result in the installation of a web shell. For example, these vulnerabilities can exist in content management systems (CMS) or web server software.
Once successfully uploaded, an adversary can use the web shell to leverage other exploitation techniques to escalate privileges and to issue commands remotely. These commands are directly linked to the privilege and functionality available to the web server and may include the ability to add, delete, and execute files as well as the ability to run shell commands, further executables, or scripts.
Malware/Threat actors
| Name | Type | Years | Source |
|---|---|---|---|
| GRIZZLY STEPPE | threat actor | 2015-2018 | GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity
AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf |
| APT1 | threat actor | 2006-2013 | Mandiant_APT1_Report.pdf
|
| Epic Turla | threat actor | < Known years active > | The_Epic_Turla_Operation.pdf
KL_Epic_Turla_Technical_Appendix_20140806.pdf ICIT-Brief-Know-Your-Enemies-2.0.pdf Turla_2_Penquin.pdf |
| Iron tiger | threat actor | 2010-2013 | wp-operation-iron-tiger.pdf
|
| HURRICANE PANDA | threat actor | 2014 | GlobalThreatIntelReport.pdf
ICIT-Brief-China-Espionage-Dynasty.pdf Threat%20Group%20Cards.pdf GlobalThreatIntelReport.pdf |
| APT10 | threat actor | 2018 | cloud-hopper-report-final-v4.pdf
cloud-hopper-report-final-upda_72977.pdf cta-2019-0206.pdf |
| Clever Kitten | threat actor | 2013 | Threat%20Group%20Cards.pdf
|
| Volatile Cedar | threat actor | 2012-2014 | volatile-cedar-technical-report.pdf
|
| GreyEnergy | malware | 2015-2017 | ESET_GreyEnergy.pdf
|
| Rocket Kitten | threat actor | 2014-2015 | rocket-kitten-report.pdf
|
Preventions
- Conduct regular vulnerability scans and establish a remediation strategy focusing on the most detrimental findings first. Regular scanning and remediation measures will remove opportunities to exploit known attack vectors by an adversary.
- Deploy a Web Application Firewall (WAF). WAF technologies defend against common web exploitation techniques such as SQL injection and cross-site scripting. Deploying this capability helps reduce the likelihood of a successful web attack on the server that could otherwise allow the perpetrator to modify code and deploy the webshell.
Detections
- Conduct regular log review. Key sources should include the network and host firewalls, Intrusion Prevention System, proxy, and local event logs. Events of interest should include high usage rates to suspicious IPs, odd timestamps on web files (dates that don’t match previous content updates), odd connections destined for internal networks, suspicious files in internet accessible locations, references to keywords such as cmd.exe or eval.
- Analyze traffic flows looking for certain anomalous behaviors such as prolonged connections, data frequently being pushed to the server (e.g., commands being sent to the shell), frequent large data transfers (an indication of data exfiltration), and abnormal encryption (anything that is not SSL/TLS or that negotiates using an alternate certificate) as indicators of potential nefarious activity.
Toolkit
<Toolkit instructions, if applicable>