Find out how to threat hunt commonly found web shells in your infrastructure using the powerful Splunk querying language. Discover queries to hunt for various aspects of web shells and other malicious artifacts.
Why Detect Web Shells?

A web shell is a server-side compromise that generally results from a vulnerability such as LFI or RFI. The functionality of the web shell is achieved with a single executable script placed on the web server, which the attacker connects to with a "client". This effectively gives the attacker command-line access to your web server.
Common Web Shells Found in the Wild

China Chopper: a Windows web shell with a tiny footprint and many command-and-control abilities, including password brute forcing. It is the most popular .aspx web shell.
What Do We Need to Hunt Web Shells?

Data, of course! Hunting web shells is typically done with either web server logs, such as IIS or Apache logs, or network logs such as Bro. We also need something that ingests all these logs and lets us run specific queries, such as Splunk.
Let the Hunting Begin!!

HTTP POST Request with Successful Response. The uri terms are grouped in parentheses because Splunk evaluates AND before OR; without the grouping, the *.jsp, *.cfm, *.asp and *.aspx terms would match regardless of method and status.

index=json_bro eventtype=bro_http method=POST AND status<=403 AND (uri=*.php OR uri=*.jsp OR uri=*.cfm OR uri=*.asp OR uri=*.aspx) | stats values(id.orig_h) AS Source, values(hostname) AS Destination by uri
Let the Hunting Begin!!

User Agents – Out of Date & Outliers. Sorting by count and then reversing puts the rarest user agents at the top.

index=json_bro eventtype=bro_http | stats count by user_agent | sort - count | reverse
Let the Hunting Begin!!

User Agents – Out of Date & Outliers

The China Chopper client's default user agent is "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)". If this user agent string doesn't look bizarre, it should: it is the user agent for Internet Explorer 6 running on Windows XP.
Let the Hunting Begin!!

BASIC Auth. The search uses username=* rather than the bare word username, which would only match events containing that literal string; username=* restricts the results to events where the username field is populated, i.e. requests that carried HTTP basic authentication.

index=json_bro eventtype=bro_http username=* | stats values(id.orig_h) AS Source, values(hostname) AS Destination, values(username) AS User by uri
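As an added example, not from the original slides, here are the three hunts above (POSTs to script URIs, user-agent outliers including the China Chopper default, and basic-auth requests) expressed as plain Python over Zeek/Bro http.log records in JSON form, so the detection logic can be checked against a handful of constructed sample lines without a Splunk instance. The field names follow Zeek's native http.log schema (status_code, host, user_agent, username, id.orig_h), which are the fields behind the status and hostname names used in the Splunk queries; the sample records are constructed, not real traffic. The user agent from the slide is compared after turning its "+" characters back into spaces, since "+" is how IIS-style W3C logs encode spaces in the user-agent field. The script hunt goes slightly beyond the Splunk wildcard by stripping any query string before checking the extension, so "/x.php?a=1" still counts as a .php request.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of Zeek/Bro http.log records (JSON lines); not real traffic.
SAMPLE_HTTP_LOG = """
{"ts": 1.0, "id.orig_h": "10.0.0.5", "id.resp_h": "192.0.2.10", "method": "POST", "host": "www.example.com", "uri": "/uploads/img.php", "status_code": 200, "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"}
{"ts": 2.0, "id.orig_h": "10.0.0.7", "id.resp_h": "192.0.2.10", "method": "GET", "host": "www.example.com", "uri": "/index.html", "status_code": 200, "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"}
{"ts": 3.0, "id.orig_h": "10.0.0.8", "id.resp_h": "192.0.2.10", "method": "POST", "host": "www.example.com", "uri": "/login.aspx", "status_code": 302, "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0", "username": "alice"}
{"ts": 4.0, "id.orig_h": "10.0.0.9", "id.resp_h": "192.0.2.10", "method": "POST", "host": "www.example.com", "uri": "/old/cmd.jsp", "status_code": 404, "user_agent": "curl/8.0"}
{"ts": 5.0, "id.orig_h": "10.0.0.7", "id.resp_h": "192.0.2.10", "method": "GET", "host": "www.example.com", "uri": "/about.html", "status_code": 200, "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"}
"""

# Extensions from the first Splunk query (uri=*.php OR uri=*.jsp OR ...).
SCRIPT_EXTENSIONS = (".php", ".jsp", ".cfm", ".asp", ".aspx")

# User agent string from the slide, with IIS-style '+' turned back into spaces.
CHINA_CHOPPER_UA = "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)".replace("+", " ")


def parse_http_log(text):
    """Parse JSON-lines http.log text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _path(uri):
    """Drop the query string so '/x.php?a=1' is still recognised as a .php request."""
    return uri.split("?", 1)[0].lower()


def script_posts(records, max_status=403):
    """Hunt 1: POSTs to script URIs whose response status is <= max_status,
    grouped by uri into the Source/Destination value sets the Splunk stats builds."""
    out = defaultdict(lambda: {"Source": set(), "Destination": set()})
    for r in records:
        if r.get("method") != "POST" or r.get("status_code", 0) > max_status:
            continue
        path = _path(r.get("uri", ""))
        if not path.endswith(SCRIPT_EXTENSIONS):
            continue
        out[path]["Source"].add(r["id.orig_h"])
        out[path]["Destination"].add(r.get("host", ""))
    return dict(out)


def user_agent_counts(records):
    """Hunt 2: count by user_agent with the rarest (outlier) agents first,
    the same ordering as 'stats count by user_agent | sort - count | reverse'."""
    counts = Counter(r.get("user_agent", "") for r in records)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def china_chopper_hits(records):
    """Hunt 2b: requests whose user agent equals the China Chopper client default."""
    return [r for r in records
            if r.get("user_agent", "").replace("+", " ") == CHINA_CHOPPER_UA]


def basic_auth_requests(records):
    """Hunt 3: requests carrying a username (HTTP basic auth), grouped by uri."""
    out = defaultdict(lambda: {"Source": set(), "Destination": set(), "User": set()})
    for r in records:
        if not r.get("username"):
            continue
        path = _path(r.get("uri", ""))
        out[path]["Source"].add(r["id.orig_h"])
        out[path]["Destination"].add(r.get("host", ""))
        out[path]["User"].add(r["username"])
    return dict(out)


if __name__ == "__main__":
    recs = parse_http_log(SAMPLE_HTTP_LOG)
    print("POSTs to script URIs:", script_posts(recs))
    print("User agents, rarest first:", user_agent_counts(recs))
    print("China Chopper UA hits:", [r["id.orig_h"] for r in china_chopper_hits(recs)])
    print("Basic auth by uri:", basic_auth_requests(recs))
```

Run against the constructed sample, the script hunt surfaces the .php and .aspx POSTs but drops the .jsp request because its 404 exceeds the status ceiling, the user-agent table puts the single-hit IE6 and curl agents ahead of the common browser string, and the basic-auth hunt returns only the request that carried a username.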