
Linux Webshell [0.1]

Nick Klein edited this page Sep 14, 2020 · 3 revisions

A finding under this detection indicates that a file with characteristics matching a known attacker webshell has been found.

Overview

The ACSC disclosed in a recent advisory an increase in the use of proof-of-concept exploits, code and tools from open sources. Webshell malware is one of the many tactics, techniques and procedures (TTPs) identified within this advisory.

A webshell is a malicious webpage injected by an attacker onto a web server and used to gain remote access and launch further attacks. Many webshell variants exist, but they can typically be characterised by being uploaded to a web server with the intent of gaining remote access in order to establish, escalate or maintain persistence on a system.

Detection Approach

This search looks for any files which may suggest the presence of webshells as identified within advisory 2020-008, using intelligence provided by the ACSC and by other sources such as CyberCX and CrowdStrike investigations. See the threat intelligence sources section below for further details. Findings are based upon threat intelligence and do not consider environmental factors specific to the computer or network environment being scanned.

Detection Artefact

Packs.CyberCX.Windows.WebshellSearch

Threat Intelligence Sources

The threat intelligence sources used to develop these detections include:

Interpreting the Results

A finding does not by itself confirm compromise of your system, but it may well be indicative of attacker activity. It is recommended to review each detection in context to confirm whether the finding is definitively malicious or a false positive. Guidance on how to approach these investigations is provided within this section.

Investigations

This section provides general guidance on how to determine if a finding is indicative of malicious activity. Please note the specific detection results within the report generated by CCX Digger when conducting the investigation, as some of the content below may not be applicable for your system.

These guides do not consider contextual usage, such as environment, applications and expected activity for the computer. The review should consider what activity is expected in conjunction with webshell file detection results.

Detecting webshells may be difficult, as they are easily modifiable and are often obfuscated. An alert for any potential webshell should be validated to identify the file's origin and authenticity.

Is the file in a path containing hosted web server files?

  • **If so,** access each webpage by typing the URL in a secure web browser and identify what happens. It is strongly recommended to perform this from an isolated system or virtual machine to avoid the possibility of malware running. Examine the contents within a text editor to determine if it appears to be malicious, or if it is running as expected.
  • **If not,** then this file may not be externally accessible, and may not be an imminent threat. Further investigation is required to determine the context of this file on the system, including its origin, when it was created, and why it is present on the system.

Further Actions

  • The creation date of the webshell may indicate when the file was moved to the computer. Any activity surrounding this date within the web server and system logs should be investigated to determine if other malicious activity has occurred. Please note that attackers can also modify timestamps.
  • Review other files within the same directory as the identified file to determine if they are expected. When websites are compromised, uploaded files are often all placed in the same location.
  • Investigate system logs to identify any activity relating to the file. If this is an active webshell, system logs may provide context as to when the file was accessed, where it was accessed from, and potentially any commands and actions which were remotely performed.

If the file is believed to be malicious, further action is required to determine the file's function, origin, and if it is still active.
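The checks above (is the file under a hosted web root, what do its timestamps and neighbouring files look like, and which sources requested it), as an added triage helper for a Linux web host that is not part of CCX Digger: the web-root list, the log format and the sample access log are assumptions or constructed data.

```shell
#!/bin/sh
# Added triage helper (not CCX Digger code) for a file flagged by the webshell search on a
# Linux web host. Assumes GNU coreutils/findutils and an Apache/nginx combined access log;
# WEB_ROOTS and the sample log below are assumptions/constructed data.
WEB_ROOTS="${WEB_ROOTS:-/var/www /srv/www /usr/share/nginx/html}"

# Q1: is the file under a hosted web root? Prints "root urlpath" and succeeds;
# fails when the file is outside every root (i.e. probably not externally reachable).
webroot_of() {
  for root in $WEB_ROOTS; do
    case "$1" in
      "$root"/*) printf '%s %s\n' "$root" "${1#"$root"}"; return 0 ;;
    esac
  done
  return 1
}

# Ownership and timestamps. ctime cannot be set with touch, so a ctime well after
# mtime suggests mtime was backdated (the page notes attackers modify timestamps).
file_times() { stat -c 'owner=%U mtime=%y ctime=%z' "$1"; }

# Files in the same directory, oldest first, to spot anything uploaded alongside it.
siblings_by_mtime() {
  find "$(dirname "$1")" -maxdepth 1 -type f -printf '%TY-%Tm-%Td %TH:%TM:%TS %p\n' | sort
}

# Requests for the URL path in a combined-format access log, as "count ip" lines,
# busiest source first. Field 7 is the request path; query strings are matched too.
log_hits() {
  awk -v p="$1" '$7 == p || index($7, p "?") == 1 { print $1 }' "$2" \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed sample log for offline use; addresses are RFC 5737 documentation ranges.
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.5 - - [14/Sep/2020:10:01:02 +1000] "GET /uploads/x.php?a=1 HTTP/1.1" 200 51 "-" "curl/7.68.0"
203.0.113.5 - - [14/Sep/2020:10:01:09 +1000] "POST /uploads/x.php HTTP/1.1" 200 112 "-" "curl/7.68.0"
198.51.100.7 - - [14/Sep/2020:10:05:30 +1000] "GET /index.html HTTP/1.1" 200 3042 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Sep/2020:10:07:11 +1000] "GET /uploads/x.php HTTP/1.1" 200 51 "-" "Mozilla/5.0"
EOF
}

# Usage on a real host: triage /var/www/html/uploads/x.php /var/log/apache2/access.log
triage() {
  if hit=$(webroot_of "$1"); then
    echo "web-exposed: $hit"; file_times "$1"; siblings_by_mtime "$1"; log_hits "${hit#* }" "$2"
  else
    echo "not under a configured web root; establish the origin and purpose of $1"
  fi
}
```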

References

Need Help?

If you have followed the investigations to confirm the validity of the findings, and believe your system may be at risk, please visit the Need Help? page for further instructions. Please refer to the same page for further context on how to use this wiki.

Revision History

[v0.1]: