Micro Emulation Plan: Web Shells

This micro emulation plan targets malicious activity surrounding T1505.003 Web Shell. Web shells are malware placed on compromised web (or other network-accessible) servers, often used as a persistent backdoor into a network. Once planted, adversaries may execute arbitrary commands/functions on the victim server through an HTTP(S) communication channel with the web shell. Various threat actors have abused web shells targeting both Windows and Linux infrastructure.

Table Of Contents:

Description of Emulated Behaviors

What are we doing? This module provides an easy-to-execute tool for installing, connecting to, and running commands through various web shells. The emulation plan supports several variants of web shells that each:

  1. Plant a malicious file in a web directory
  2. Connect to the web shell over a user-defined network socket
  3. Execute a series of user-defined (default is local discovery) shell commands using the web server

Cyber Threat Intel / Background

Why you should care? Web shells are a constant threat to organizations, as this type of malware has been deployed across many different types of intrusions. After identifying exploitable vulnerabilities or configurations (i.e. T1190 Exploit Public-Facing Application, via procedures such as cross-site scripting, SQL injection, and remote/local file inclusion vulnerabilities), threat actors often deploy web shells onto compromised Internet-facing or internal infrastructure to enable remote execution of commands. Adversaries can then use these web shells as a persistent backdoor into the network and as a pivot from which to upload additional malware and to locate and harvest data from other internal hosts.

Web shells are typically small scripts and have been utilized by a wide range of threats, notably:

Execution Instructions / Resources

This repository includes two web shells with separate instructions. These instructions assume that you received the executables in a zip archive.

Execution Demo

Animated screen capture demonstrating use of the tool.

Defensive Lessons Learned

Detection

Monitor and audit changes to files within exposed web directories (including file modification timestamps), especially changes that do not align with expected administrator activity. Baselining these directories and files supports change tracking and management. Monitor processes spawned from web directories and by web server users/accounts, especially processes potentially associated with adversary commands and/or rarely launched by web services.

A table excerpted from an NSA report showing Linux applications used by attackers that are rarely benign subprocesses of Apache, e.g. "netstat" and "whoami".

Image source: NSA Cybersecurity Information: Detect and Prevent Web Shell Malware
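Both checks from the paragraph above, as an added example (not the project's code and not the NSA queries): a content-hash plus mtime baseline of a web directory that reports new, modified and timestomped files, and a process-listing check that flags shell-like descendants of a web server process. The sample process rows are constructed; the set of web server process names, and every entry in the suspicious-command list beyond the page's own `netstat` and `whoami`, are assumptions to tune for your environment.

```python
"""Web directory baselining and web-server process-tree checks (constructed example)."""
import hashlib
import os
import tempfile

# Assumed process names; extend for your platform (e.g. w3wp.exe on IIS).
WEB_SERVER_PROCS = {"apache2", "httpd", "nginx", "php-fpm", "w3wp.exe"}
# netstat/whoami come from the NSA table quoted on the page; the rest are assumed additions.
SUSPICIOUS_CHILDREN = {"netstat", "whoami", "id", "uname", "ifconfig", "ip", "ps", "wget", "curl", "nc"}


def hash_file(path):
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline_dir(root):
    """Map each relative file path under root to (sha256, mtime_ns)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (hash_file(full), os.stat(full).st_mtime_ns)
    return baseline


def diff_baseline(old, new):
    """Added/removed paths, paths whose content changed, and content changes whose mtime did not move."""
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)),
              "modified": [], "timestomped": []}
    for rel in sorted(set(old) & set(new)):
        if old[rel][0] != new[rel][0]:
            report["modified"].append(rel)
            if old[rel][1] == new[rel][1]:   # hash changed but mtime preserved: timestamp was reset
                report["timestomped"].append(rel)
    return report


def flag_web_server_children(procs, max_depth=4):
    """procs: rows of {pid, ppid, user, comm}. Return rows whose comm is suspicious and which
    descend (within max_depth hops, to see through an intermediate sh -c) from a web server."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        if p["comm"] not in SUSPICIOUS_CHILDREN:
            continue
        ancestor, depth = by_pid.get(p["ppid"]), 0
        while ancestor is not None and depth < max_depth:
            if ancestor["comm"] in WEB_SERVER_PROCS:
                hits.append(p)
                break
            ancestor, depth = by_pid.get(ancestor["ppid"]), depth + 1
    return hits


# Constructed process listing: a web shell running whoami via sh and netstat directly,
# plus an administrator running netstat over SSH, which must not be flagged.
SAMPLE_PROCS = [
    {"pid": 1,    "ppid": 0,    "user": "root",     "comm": "systemd"},
    {"pid": 900,  "ppid": 1,    "user": "root",     "comm": "apache2"},
    {"pid": 910,  "ppid": 900,  "user": "www-data", "comm": "apache2"},
    {"pid": 2001, "ppid": 910,  "user": "www-data", "comm": "sh"},
    {"pid": 2002, "ppid": 2001, "user": "www-data", "comm": "whoami"},
    {"pid": 2003, "ppid": 910,  "user": "www-data", "comm": "netstat"},
    {"pid": 3000, "ppid": 1,    "user": "admin",    "comm": "sshd"},
    {"pid": 3001, "ppid": 3000, "user": "admin",    "comm": "netstat"},
]


def demo_file_monitoring():
    """Constructed run: baseline a throwaway web root, then plant a file and backdoor another."""
    root = tempfile.mkdtemp(prefix="webroot-")
    index = os.path.join(root, "index.php")
    with open(index, "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    before = baseline_dir(root)
    os.makedirs(os.path.join(root, "uploads"))
    with open(os.path.join(root, "uploads", "cache.php"), "w") as fh:   # planted file
        fh.write("<?php /* planted */ ?>\n")
    st = os.stat(index)
    with open(index, "a") as fh:                                        # existing file backdoored...
        fh.write("<?php /* appended */ ?>\n")
    os.utime(index, ns=(st.st_atime_ns, st.st_mtime_ns))                # ...and its mtime reset
    return diff_baseline(before, baseline_dir(root))


if __name__ == "__main__":
    print(demo_file_monitoring())
    print([p["pid"] for p in flag_web_server_children(SAMPLE_PROCS)])
```

Store the baseline off-host (an attacker with write access to the web root can also rewrite a baseline kept beside it), and feed `flag_web_server_children` from the same process-creation telemetry (auditd, Sysmon, EDR) you already collect rather than from periodic `ps` snapshots, which miss short-lived commands.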

Also consider monitoring third-party application logs for signs of abuse, such as unexpected user logins or activity. Application logs, network traffic, and web access logs may reveal anomalous patterns of activity that highlight adversaries abusing a web shell on a server.

Appendix B to an NSA report showing example Splunk queries for finding anomalous URIs in web traffic logs.

Image source: NSA Cybersecurity Information: Detect and Prevent Web Shell Malware
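The same idea as the Splunk queries in that appendix, carried out over web access logs in Python as an added example (not the NSA queries and not the project's code): parse combined-format lines, group requests by path, and report paths that only a handful of client IPs ever touch, with the request count, Referer coverage and user agents as supporting context. The log lines are constructed, and the one-IP threshold is an assumption; on a busy site a rarely visited admin page will also surface, so treat the output as a triage list.

```python
"""Rare-URI triage over Apache/nginx combined-format access logs (constructed example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path   # group on the path, ignoring ?cmd=... query strings
    return rec


def find_anomalous_uris(lines, max_unique_ips=1):
    """Paths requested by at most max_unique_ips distinct clients, with context for triage."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set(), "no_referer": 0, "agents": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["path"]]
        s["hits"] += 1
        s["ips"].add(rec["ip"])
        s["agents"].add(rec["ua"])
        if rec["referer"] in ("", "-"):
            s["no_referer"] += 1
    findings = []
    for path, s in stats.items():
        if len(s["ips"]) <= max_unique_ips:
            findings.append({
                "path": path,
                "hits": s["hits"],
                "unique_ips": len(s["ips"]),
                "no_referer_ratio": s["no_referer"] / s["hits"],
                "agents": sorted(s["agents"]),
            })
    return sorted(findings, key=lambda f: (f["unique_ips"], f["path"]))


# Constructed sample: ordinary browsing from three clients, then one client driving a planted
# script with a non-browser agent and no Referer. The last line is deliberately unparsable.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    '10.0.0.6 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 2326 "https://example.test/" "Mozilla/5.0 (X11; Linux)"',
    '10.0.0.6 - - [10/Oct/2023:13:56:05 +0000] "GET /about.php HTTP/1.1" 200 1812 "https://example.test/index.php" "Mozilla/5.0 (X11; Linux)"',
    '10.0.0.7 - - [10/Oct/2023:13:57:22 +0000] "GET /about.php HTTP/1.1" 200 1812 "https://example.test/index.php" "Mozilla/5.0 (Macintosh)"',
    '203.0.113.9 - - [10/Oct/2023:14:02:10 +0000] "GET /uploads/cache.php?cmd=whoami HTTP/1.1" 200 51 "-" "python-requests/2.31.0"',
    '203.0.113.9 - - [10/Oct/2023:14:02:14 +0000] "GET /uploads/cache.php?cmd=netstat+-an HTTP/1.1" 200 1207 "-" "python-requests/2.31.0"',
    'garbage line that does not parse',
]


if __name__ == "__main__":
    for finding in find_anomalous_uris(SAMPLE_LOG):
        print(finding)
```

Run it over a day or a week of logs rather than a few minutes, since the signal is "few clients over a long window"; a missing Referer and a scripting user agent on a rare path, as in the sample, are what make the hit worth a look at the file on disk.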

Mitigation

Consider removing or disabling file directories and other resources that are network-exposed and could be abused to host a web shell. Implement least-privilege policies for web server users/services, as well as network segmentation of Internet-facing infrastructure, to limit the scope of abuse.

Once deployed, ensure that only required changes to web directory content are allowed (e.g. restricted per file as well as per user account). Also consider disabling dangerous web functions (such as PHP's eval() and system()) that are commonly abused by web shells.
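What "disabling dangerous functions" looks like in php.ini, as an added illustration rather than anything shipped with this plan: the first group is the permissive shape that lets a planted `system($_GET['cmd'])` run, the second denies the execution functions a web shell reaches for and blocks remote file inclusion. The function list and the `open_basedir` paths are assumptions to adapt to the application.

```ini
; Permissive: every execution primitive is available and remote includes are allowed
disable_functions =
allow_url_fopen = On
allow_url_include = On
expose_php = On

; Hardened: deny command execution, block remote includes, confine file access to the site
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec
allow_url_fopen = Off
allow_url_include = Off
expose_php = Off
open_basedir = /var/www/html:/tmp
```

Two caveats a practitioner will hit: `disable_functions` is a PHP_INI_SYSTEM setting, so it only takes effect from php.ini or a PHP-FPM pool configuration, not from `.htaccess` or `ini_set()`; and `eval` is a language construct, not a function, so it cannot be listed there. A shell built on `eval` therefore survives this setting, which is why the file-integrity and process monitoring above remain necessary even on a hardened interpreter.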