Threat Hunting: Detecting Web Shells

Alparslan Akyıldız academy
7 min read, Oct 3, 2019


Hello friends,

In this post I will share my threat hunting experience with you for detecting web shells and pivot points in a network. When I analyzed and mapped cyber attacks, I realized that most of them start with web-based or client-side attacks, so the ability to detect web shells is crucial for cyber security experts. I will analyze one incident across two blog posts: the first covers detecting web shells and the next covers endpoint analysis. The picture below shows the attack method of the adversary.

Before we start, here are my Udemy trainings; if you want to learn the subject more deeply, you can benefit from them;

Let's briefly talk about the attack phase. The attacker uploads a shell to the victim web server. After compromising the web server, he puts a backdoor on it, defaces a commonly used web page and injects malicious code into that page to perform a watering hole attack against the client computers. This method is widely used by exploit kits. As soon as a client visits the page defaced by the adversary, the attacker exploits the client's browser or Java and gets a reverse shell from the client. As the next step the attacker pivots to other computers in the internal network using password spraying, lateral movement and post-exploitation techniques, and opens a covert channel for data exfiltration. To clarify, the attack steps are given below;

As you see, the attacker discovers an unauthenticated SMB share and uploads a web shell through this hole. As soon as the web shell is on the server, the attacker executes it with curl and gains a reverse shell. Then the attacker creates a Java exploit;

The attacker embeds it as a hidden iframe in the demo.htm login page;

After that, if a client visits the web page, it is compromised as shown below;

OK! In the first part we analyze the network traffic and detect the anomalies. Then we analyze the files to find the web shells and defaced web pages. Attackers use a web shell to create socket connections over the network between the attacker and the compromised systems, to execute system commands or other malware commands, and to transfer files. So if we search for a web shell we can search for socket scripts and keywords such as fsock, socket, sock, eval, base64, rot13, shell, exec, system and os. If the shell is obfuscated we need other methods, such as statistical analysis, time analysis and baseline analysis. Now let's go back to before the attack. In baseline analysis we take the hashes of the files and keep them, comparing them with the files' new hashes day after day to notice file changes. If an attacker defaces a web page or injects malicious code, we can see it from the compared hash values. To obtain the MD5 hashes of the files I wrote a for loop which calculates the hash value of each file;

As you see, I have the hashes of the intact files;

OK, now we start the attack mapping process for threat hunting. First we examine the pcap file sent by the Blue Team to map the cyber attack. When I examine the conversation statistics I see the ports given below;

I discovered two anomalies. The first is non-SSL traffic passing through TCP port 443; SSL has to perform a 4-way handshake before the connection is established. I also detected non-DNS traffic passing through TCP port 53. When I follow the stream I come upon a shell connection;

Alright, but how did the attacker put this on the web server? I wrote Wireshark filters for finding web shells in the network traffic, which works if the traffic is unencrypted. So I found the web shell file;

It was transferred over SMB. But this is not enough for mapping the attack; we only see the anomaly. We go on with the analysis steps by investigating the web server files. First I perform baseline analysis by comparing the new hashes of the files with the intact hashes. Let's calculate the new hashes of the files;

Let's compare them and filter out the ones that differ;
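The baseline step described above (hash every file under the web root, keep the list, and later compare a fresh snapshot against it) as an added example; this is not the post's own for loop. It assumes md5sum, find and awk are available and that file paths contain no whitespace; the sample web root it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the post's own loop: MD5 baseline of every file under a
# web root, then a later snapshot compared against it. Changed or new files
# (a defaced page, a dropped web shell) and removed files are reported.
# Assumes md5sum, find and awk; paths must not contain whitespace.

# Write "md5  path" for every regular file under $1 into $2, sorted by path.
baseline_hashes() {
    find "$1" -type f -exec md5sum {} + | sort -k2 > "$2"
}

# Paths in the new snapshot ($2) whose hash differs from the baseline ($1) or
# that the baseline lacks. FILENAME==ARGV[1] rather than NR==FNR keeps the
# two-file idiom correct even when the baseline file is empty.
changed_files() {
    awk 'FILENAME==ARGV[1] { base[$2]=$1; next }
         !($2 in base) || base[$2]!=$1 { print $2 }' "$1" "$2"
}

# Paths in the baseline ($1) that are missing from the new snapshot ($2).
removed_files() {
    awk 'FILENAME==ARGV[1] { now[$2]=1; next }
         !($2 in now) { print $2 }' "$2" "$1"
}

# Demonstration on a constructed sample web root: baseline, then a simulated
# defacement, a dropped script and a deleted page, then the comparison
# (paths printed relative to the root).
demo() {
    root=$(mktemp -d)
    printf '<html>home</html>\n' > "$root/index.html"
    printf '<html>login</html>\n' > "$root/demo.htm"
    printf 'legacy page\n' > "$root/old.htm"
    baseline_hashes "$root" "$root.base"
    # changes made after the baseline was taken
    printf '<!-- constructed: injected content -->\n' >> "$root/demo.htm"
    printf '<?php // constructed stand-in for a dropped web shell\n' > "$root/hello.php"
    rm "$root/old.htm"
    baseline_hashes "$root" "$root.new"
    echo '== changed or new =='
    changed_files "$root.base" "$root.new" | sed "s|^$root/||" | sort
    echo '== removed =='
    removed_files "$root.base" "$root.new" | sed "s|^$root/||"
    rm -rf "$root" "$root.base" "$root.new"
}

demo
```

Run the baseline once on the known-good server, store the list off-box so an attacker on the web server cannot rewrite it, and diff a fresh snapshot against it on a schedule.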

Bingo!!! hello.php and demo.htm are suspicious files. Let's go on with time analysis. I investigate the files modified in the last day;

As the next step I write a small script which searches for web shell functions in the files under a specified path;
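An added example of the keyword search and the time analysis above (not the post's own script): it greps a web root for the function keywords listed earlier and lists files modified in the last day. It assumes GNU grep and GNU find and builds a constructed sample web root for the demonstration; the keyword list is the post's, minus the too-generic "os" and the redundant "sock".

```shell
#!/bin/sh
# Added example, not the post's own script: grep a web root for the web shell
# keywords the post lists, plus the post's time analysis (files changed in the
# last day). Assumes GNU grep and GNU find (-printf); paths without whitespace.

# The post's keyword list minus "os" (too generic) and "sock" (already covered
# by fsock/socket). Substring matching is deliberately noisy, e.g. the word
# "filesystem" hits "system"; every hit is reviewed by hand.
SHELL_KEYWORDS='fsock|socket|eval|base64|rot13|shell|exec|system'

# Print "path: keyword keyword ..." for every PHP/HTML file under $1 that
# contains at least one keyword (case-insensitive), sorted by path.
shell_keyword_scan() {
    grep -rIliE --include='*.php' --include='*.phtml' --include='*.htm' \
         --include='*.html' "$SHELL_KEYWORDS" "$1" | sort | while read -r f; do
        hits=$(grep -oiE "$SHELL_KEYWORDS" "$f" | tr 'A-Z' 'a-z' | sort -u | xargs)
        printf '%s: %s\n' "$f" "$hits"
    done
}

# Files under $1 modified within the last $2 days (default 1), newest first,
# printed as "YYYY-MM-DD HH:MM path".
recently_modified() {
    find "$1" -type f -mtime "-${2:-1}" -printf '%TY-%Tm-%Td %TH:%TM %p\n' | sort -r
}

# Demonstration on a constructed sample web root (paths relative to the root).
demo() {
    root=$(mktemp -d)
    printf '<html>home</html>\n' > "$root/index.html"
    touch -d '10 days ago' "$root/index.html"   # old page, untouched since
    printf '<?php // constructed sample: eval( and base64_decode( appear only here\n' > "$root/hello.php"
    printf '<?php // filesystem helper, a false positive on "system"\n' > "$root/util.php"
    echo '== keyword hits =='
    shell_keyword_scan "$root" | sed "s|^$root/||"
    echo '== modified in the last day =='
    recently_modified "$root" | sed "s| $root/| |"
    rm -rf "$root"
}

demo
```

Files flagged by both the keyword scan and the recent-modification list deserve the first look; a keyword hit in an old, unchanged file is usually legitimate code.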

When I run the script I find some malicious web shells in the web server path:

When I examine the modified files I come upon a hidden iframe in the demo.htm login page:

I realized that the content of hello.php had been changed by the attackers. I see another IP address, different from the one in the pcap analysis, which means the attacker used more than one C2 IP address.

I decided to use other web shell detection tools to save time. First I used Backdoorman to detect other web shells:

Backdoorman detected the c99, x, locus and hello.php malicious files. Then I cross-checked with NeoPI. NeoPI discovered more web shells on the web server, such as b374kmini, s3ven and wordpress57.

When I examine the error log I can see the attacker's IP. The attacker tried to execute a web shell through hello.php.

Then I analyze the access logs. I detected some other IP addresses executing the c99 and hello malicious files. These IP addresses will be used for creating IOCs.

I execute the netstat command to view the active connections and I see the shell connection over TCP 443 to the C2 IP addresses. Notice that the process is apache2!

I wondered whether any client had visited the defaced web page. So I examined the access log and noticed that the 172.16.8.3 endpoint viewed the web page with the injected malicious code;
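The access-log work above (which addresses drove the web shells, and which clients viewed the defaced page) as an added example, not the post's own commands. The log lines are constructed in Apache combined format; 172.16.8.3 is the client named in the post, every other address is a sample value. It assumes awk and sort.

```shell
#!/bin/sh
# Added example, not the post's own commands: pull IOC candidates out of an
# Apache combined-format access log the way the post does by hand. The log
# lines are constructed; 172.16.8.3 is the client named in the post, every
# other address is a sample value. Assumes awk and sort.

# Client IPs that requested exactly the given path (query string ignored),
# with hit counts, most active first: who executed the web shell, or which
# client viewed the defaced page.
clients_of() {
    awk -v p="$2" '{ split($7, u, "?"); if (u[1] == p) n[$1]++ }
                   END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Every request whose file name is one of the known-bad names given after the
# log path, printed as "ip timestamp path status": raw material for the IOC list.
hits_on_bad_files() {
    log=$1; shift
    awk -v list="$*" 'BEGIN { k = split(list, a, " "); for (i = 1; i <= k; i++) bad[a[i]] = 1 }
        { split($7, u, "?"); k = split(u[1], seg, "/")
          if (seg[k] in bad) print $1, substr($4, 2), u[1], $9 }' "$log"
}

# Constructed sample log (combined format): the shell driven with curl from
# one address, a second address fetching c99.php, one internal client viewing
# the defaced login page, and ordinary traffic.
write_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [03/Oct/2019:10:02:11 +0300] "GET /hello.php?a=1 HTTP/1.1" 200 312 "-" "curl/7.58.0"
10.0.0.5 - - [03/Oct/2019:10:02:40 +0300] "POST /hello.php HTTP/1.1" 200 118 "-" "curl/7.58.0"
10.0.0.9 - - [03/Oct/2019:10:05:02 +0300] "GET /c99.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
172.16.8.3 - - [03/Oct/2019:10:20:33 +0300] "GET /demo.htm HTTP/1.1" 200 2044 "-" "Mozilla/5.0"
172.16.8.3 - - [03/Oct/2019:10:20:34 +0300] "GET /style.css HTTP/1.1" 200 810 "http://www.example.invalid/demo.htm" "Mozilla/5.0"
192.168.1.20 - - [03/Oct/2019:10:25:00 +0300] "GET /index.html HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
EOF
}

demo() {
    log=$(mktemp)
    write_sample_log "$log"
    echo '== requests to the suspicious files =='
    hits_on_bad_files "$log" c99.php hello.php
    echo '== clients of the defaced login page =='
    clients_of "$log" /demo.htm
    rm -f "$log"
}

demo
```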

I will analyze the endpoint using GRR, osquery, Sysmon and Volatility in the next blog post. In conclusion, you can use logs, pcap files, time analysis, statistical analysis and baseline analysis to detect web shells. You can also benefit from the NeoPI, Backdoorman and Loki tools for detecting web shells.

See you…
