
Microsoft IIS Logs [0.1]

h3xadismal edited this page Sep 15, 2020 · 7 revisions

Overview

This artefact searches for activity within Microsoft IIS log files that may indicate malicious webshell activity, attempted connections from known bad IP addresses, or misuse of Windows commands.

A webshell is a malicious webpage injected by an attacker onto a web server which is used to remotely access and launch further attacks.

Detection Approach

This scan parses IIS log files for:

  • Suspicious entries which may indicate webshell activity on the web server
  • Sources known to be associated with attacker infrastructure
  • Windows commands executed through the web server, particularly those used for post-exploitation reconnaissance.

Detection Artefact

Packs.CyberCX.Windows.IISLogs

Interpreting the Results

Investigations

Note: Because IIS logs can be very large, it is recommended to use PowerShell Select-String to search them, particularly when searching them for results surfaced by other outputs.

Suspicious Microsoft IIS Log Entry

Each finding should be investigated further to confirm its origin and context, including the following:

  • Trace the source IP address of each suspicious connection, ruling out the local network and staff. Note that while some threat actors will directly connect to web servers from overseas IP addresses, more skilled and careful threat actors will bounce through local IP addresses.
  • Check for a username associated with this activity. If there is one, contact that user or investigate application logs for that user to confirm if their account has been compromised, or if this is expected behaviour.
  • Identify how long any suspicious IP address has been accessing the website by searching more broadly across the IIS logs, then determine if the period of access is expected.
  • Investigate any shell commands or suspicious files (such as 'robots.txt' or admin pages) within access requests from each suspicious IP address. The presence of this activity is likely malicious.
  • Check for any reference to the webpage 'TelerikUI.WebResource.axd' with a parameter of 'type=rau', which is indicative of exploitation of a particular vulnerability that has recently been used to target a large number of Australian organisations.
  • Determine if penetration testing or other authorised activity is occurring on the website, and if any of the observed activity could be related to this.
  • Pay close attention to any Windows commands, as these should not be present in IIS web server logs.

Further Actions

  • Confirm if any requests were successful (returning an HTTP status code in the 200 range), as opposed to failing (returning a status code in the 300 to 500 range).
  • Locate the files serving unusual web resources to determine if they're expected to exist on the web server, or if they've been modified. Examine the file system metadata of these files, in particular the Accessed and Modified timestamps. These may indicate when the files were created on the web server and when their contents were last modified, respectively. More sophisticated attackers will modify file system metadata, including timestamps, to hide their webshells. These can still be found, but require deeper forensic analysis.
  • Determine if the file contents contain webshell functionality by comparing them with the portion of this tool's output designed to search for webshells, with antivirus scans, or with malware sampling services.
  • Conduct further investigation of the activity based on the command issued or the connecting IP address, to determine if either is connected to any particular attacks, vulnerabilities, or attack groups.
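As an added example (not part of the CyberCX artefact or pack), the following Python script applies the detection approach above together with the 2xx versus 3xx-5xx status check to a constructed W3C extended log sample: it flags the Telerik 'type=rau' request and Windows reconnaissance commands in the query string, then summarises every request from each flagged source IP with its access window. The command list, client addresses and paths in the sample are assumptions for illustration; the field names are standard IIS W3C field names.

```python
from urllib.parse import unquote
# Constructed sample of IIS W3C extended log text (hypothetical addresses and paths, not a real server).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-09-01 10:00:09 10.0.0.5 POST /TelerikUI.WebResource.axd type=rau 443 - 198.51.100.23 Mozilla/5.0 200
2020-09-01 10:01:15 10.0.0.5 GET /uploads/img.aspx cmd=whoami 443 - 198.51.100.23 Mozilla/5.0 200
2020-09-01 10:01:30 10.0.0.5 GET /uploads/img.aspx cmd=ipconfig+/all 443 - 198.51.100.23 Mozilla/5.0 404
2020-09-01 10:02:00 10.0.0.5 GET /robots.txt - 443 - 198.51.100.23 curl/7.68.0 200
2020-09-01 10:02:30 10.0.0.5 GET /robots.txt - 443 - 192.0.2.9 Googlebot/2.1 200
"""
# Assumed list of reconnaissance commands that have no business appearing in web request parameters.
WINDOWS_COMMANDS = ("cmd.exe", "powershell", "whoami", "ipconfig", "net user", "tasklist", "systeminfo")

def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields directive."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")  # IIS writes '+' for spaces inside values, so a plain split is safe
            if len(parts) == len(fields):
                records.append(dict(zip(fields, parts)))
    return records

def flag_reasons(rec):
    """Return the reasons one request is suspicious (empty list if none)."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = unquote(rec.get("cs-uri-query", "")).replace("+", " ").lower()  # undo '+' and %xx encoding
    reasons = []
    if "webresource.axd" in stem and "type=rau" in query:
        reasons.append("telerik-rau")
    if any(cmd in query for cmd in WINDOWS_COMMANDS):
        reasons.append("windows-command")
    return reasons

def triage(text):
    """Summarise every request from each flagged client IP: reasons, 2xx hits and access window."""
    records = parse_iis_log(text)
    flagged = {r["c-ip"] for r in records if flag_reasons(r)}
    report = {}
    for r in (r for r in records if r["c-ip"] in flagged):
        when, status, reasons = r["date"] + " " + r["time"], int(r["sc-status"]), flag_reasons(r)
        e = report.setdefault(r["c-ip"], {"reasons": set(), "successful_hits": 0, "requests": [],
                                          "first_seen": when, "last_seen": when})
        e["reasons"].update(reasons)
        e["successful_hits"] += bool(reasons and 200 <= status < 300)  # 2xx served, 3xx-5xx did not
        e["requests"].append(r["cs-uri-stem"])
        e["last_seen"] = when
    return report
```

Unflagged clients (the crawler fetching robots.txt) are left out of the report, while every request from a flagged IP is kept so the access period and any reconnaissance files can be reviewed as the steps above describe.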

Need Help?

If you've followed the steps above, but still believe your system may have been compromised, please refer to our wiki for more information about how to contact the CyberCX Digital Forensics and Incident Response (DFIR) team.

Revision History

[v0.1]: