
Web Shells


Last updated 10 months ago

Log Locations

  • C:\inet\publogs\LogFiles (IIS)

  • C:\Windows\System32\LogFiles (IIS)

  • C:\Inetpub\vhosts\WEBSITENAME\logs\iis\W3SVC97\u_ex220901.log (IIS)

  • /var/log/httpd/ (Apache)

  • /var/log/apache/ (Apache)

Hunting WebShells with Apache Logs

Logs are crucial to tracking TA activity; using them effectively saves time when stopping the bleeding. Nginx access logs use the same format as Apache logs, so these commands work for both.

Get Specific Date/Time

Filter the log by date/time first, then use the later commands to narrow down the search.

grep '\[23/Dec/2020:22:59:[0-2][0-2]' /var/log/apache2/access.log

Commonly Requested Webpage/File

cat /var/log/apache2/access.log | cut -d ' ' -f 7 | sort | uniq -c | sort -n

Filter by IP

Lots of traffic from a specific IP could be indicative of recon/scanning or follow-on activity.

cat /var/log/apache2/access.log | cut -d ' ' -f 1 | sort | uniq -c | sort -n

HTTP Response Code by IP

If a TA is enumerating, they'll generate lots of 404 or 302 responses. Lots of 200 responses to a single IP could indicate a TA communicating with a WebShell.

cat /var/log/apache2/access.log | grep IP | cut -d ' ' -f 9 | sort | uniq -c | sort -n

Find which IPs (and which URLs) account for most of a specific response type. Replace RESPONSE with the status code of interest; the input has to be sorted before uniq -c, otherwise only adjacent duplicates are counted.

awk '($9 ~ /RESPONSE/)' /var/log/apache2/access.log | awk '{print $1,$7}' | sort | uniq -c | sort -rn

Find the IPs that are causing the most 403s

This tells me that a lot of requests are being made to xmlrpc.php by different IP addresses. Now I want to know what those IP addresses are.

awk '($9 ~ /403/)' /var/log/apache2/access.log | awk '{print $1,$7}' | sort | uniq -c | sort -n

Find Modified Files of Interest

Identify recently modified/created files that are stored in web accessible areas (.php, .asp, .aspx, .jsp, .png, .jpg, .zip, .py). Anchoring the match on the file extension avoids hits on directory names that merely contain "php".

find . -type f -mtime -1 | grep -iE '\.(php|aspx?|jsp|png|jpg|zip|py)$'
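The find above uses a fixed 24-hour window. During an investigation the pivot is usually a timestamp taken from the access log (the first POST to the suspect script), so the example below, added here and not part of the original page, builds a throw-away web root in a temp directory, sets a reference file to the pivot time with the POSIX touch -t, and lists files newer than it. The directory layout, file names and timestamps are constructed; recent_web_files is a name chosen for this example.

```shell
#!/bin/sh
# Constructed web root (not a real system). Old index.php, two recently written
# web-content files, a recent .txt, and a decoy directory whose name contains "php".
WEBROOT=$(mktemp -d)
REF=$(mktemp)
trap 'rm -rf "$WEBROOT" "$REF"' EXIT
mkdir -p "$WEBROOT/uploads" "$WEBROOT/phpdocs"

touch -t 202012010000 "$WEBROOT/index.php"          # long before the incident
touch -t 202012232300 "$WEBROOT/uploads/cache.php"  # written after the pivot
touch -t 202012232305 "$WEBROOT/uploads/photo.png"  # written after the pivot
touch -t 202012232306 "$WEBROOT/uploads/notes.txt"  # recent but not a web-content extension
touch -t 202012232310 "$WEBROOT/phpdocs/README"     # "php" in the path, not a script

# Pivot time taken from the log window (23/Dec/2020 22:59): anything with a newer
# mtime is a candidate. -newer is POSIX, unlike GNU find's -newermt.
touch -t 202012232259 "$REF"

# Files modified after the pivot whose extension is in the web-content list.
# Anchoring on the extension avoids matching "php" anywhere in a directory name.
recent_web_files() {
    find "$1" -type f -newer "$2" | grep -iE '\.(php|aspx?|jsp|png|jpg|zip|py)$' | sort
}

echo "== Web-content files modified after the pivot =="
recent_web_files "$WEBROOT" "$REF"
```

On a real host, replace the constructed root with the document root from the web server config and the touch -t value with the pivot time from the log; pairing the result with ls -l --time-style=full-iso (GNU) or stat gives the exact mtime to line up against the log.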

Suspicious User Agents

Security scanning tools commonly have identifying user agents. These can be edited within the tool itself, so don't rely on them too much; they are good for catching low hanging fruit.

cat /var/log/apache2/access.log | grep -oie 'nessus' -e 'nmap' -e 'burp' -e 'bot' -e 'sqlmap' -e 'sql' -e 'nikto' -e 'vuln' -e 'exploit' | sort | uniq -c | sort -n

Count all user agents. The user agent is the last quoted field and contains spaces, so split on the double quotes rather than taking space-delimited field 12 (which only returns the first token).

awk -F'"' '{print $6}' /var/log/apache2/access.log | sort | uniq -c | sort -n

Finding WebShell Interaction

For the majority of web traffic, the server requests will be in the form of GET requests. So, you can identify potentially malicious traffic by filtering web server access logs to look for the highest POST traffic and then searching for calls to URLs that include one of the common web shell file types (.php, .asp, .aspx, .jsp).


Identifying Exfil/Database Dumping

Creating ZIP files and SQL dump commands could be IOAs for data exfiltration.


Searching for SQL Injection/Queries/Dumps

SQL commands should be a very rare occurrence in standard web logs. Search for commands often passed during SQL injection such as ', %27, --, SELECT, INSERT, UNION, CREATE, DECLARE, CAST, EXEC, and DELETE (this is only a subset and should be tailored to your environment). Regular expression searching with grep or PowerShell can lead to quick wins.

cat /var/log/apache2/access.log | grep -ie 'select' -e 'dump' -e 'from' -e 'tables' -e 'databases' -e 'union' -e '%27' -e 'create' -e 'declare' -e 'cast' -e 'exec' -e 'delete' -e 'cmd' -e 'null'

Directory Enumeration

Enumerating the web server file system is a common way for an adversary to identify the type of scripting language a web server is running and what scripts can be used to further escalate privileges. Directory enumeration is a noisy technique, and one of the easiest to spot.


Recon Commands using Command Injection

TAs will want to probe the target for vulnerabilities and look for files of interest once the WebShell has been established. Identifying requests that carry the which command (used to locate interpreters and tools) can lead to WebShell discovery.
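The four hunts above (POST traffic to script extensions, archive/dump downloads, directory enumeration and recon commands in the query string) are all passes over the same access log, so one worked example covers them. This is an added example, not code from the original page: the log lines are constructed, the IP addresses are documentation ranges, and the function names (webshell_posts, exfil_candidates, enumeration_by_ip, injected_recon) are chosen for this example. It assumes the combined log format used elsewhere on this page, where field 6 is the method, 7 the URL, 9 the status and 10 the response size.

```shell
#!/bin/sh
# Constructed sample of an Apache/Nginx combined-format access log (not real traffic):
# one normal GET, two POSTs to a .php file under uploads/, a large archive download,
# a burst of 404s from one client, and a query string carrying an OS command.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [23/Dec/2020:22:59:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Dec/2020:22:59:02 +0000] "POST /uploads/cache.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Dec/2020:22:59:03 +0000] "POST /uploads/cache.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Dec/2020:22:59:04 +0000] "GET /backup/db_dump.sql.zip HTTP/1.1" 200 9812345 "-" "Mozilla/5.0"
192.0.2.55 - - [23/Dec/2020:22:59:05 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.55 - - [23/Dec/2020:22:59:05 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.55 - - [23/Dec/2020:22:59:06 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.55 - - [23/Dec/2020:22:59:06 +0000] "GET /.git/config HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Dec/2020:22:59:07 +0000] "GET /uploads/cache.php?cmd=which%20python HTTP/1.1" 200 150 "-" "Mozilla/5.0"
EOF

# Finding WebShell Interaction: POST requests whose path ends in a script extension
# (optionally followed by a query string), counted per client IP and URL.
webshell_posts() {
    awk '$6 == "\"POST" && $7 ~ /\.(php|aspx?|jsp)([?]|$)/ {print $1, $7}' "$1" \
        | sort | uniq -c | sort -rn
}

# Identifying Exfil/Database Dumping: archives and SQL dumps being fetched, with the
# response size (field 10) so large transfers stand out.
exfil_candidates() {
    awk 'tolower($7) ~ /\.(zip|tar|gz|7z|rar|sql)([.?]|$)|dump/ {print $1, $7, $10}' "$1"
}

# Directory Enumeration: number of distinct paths per client that returned 404.
# Distinct paths (sort -u) rather than raw hits, so a broken link refreshed many
# times does not look like a scan.
enumeration_by_ip() {
    awk '$9 == 404 {print $1, $7}' "$1" | sort -u \
        | awk '{n[$1]++} END {for (ip in n) print n[ip], ip}' | sort -rn
}

# Recon Commands using Command Injection: decode %20 and + to spaces, then look for
# common OS recon commands as whole words inside the query string.
injected_recon() {
    awk '$7 ~ /[?&]/ {
            uri = $7
            gsub(/%20|[+]/, " ", uri)
            if (uri ~ /(^|[^A-Za-z0-9_])(which|whoami|id|uname|ifconfig|ipconfig|netstat|ls|cat)( |$)/)
                print $1, uri
        }' "$1"
}

echo "== POST requests to script files (count ip url) =="; webshell_posts "$SAMPLE_LOG"
echo "== Archive / dump downloads (ip url bytes) =="; exfil_candidates "$SAMPLE_LOG"
echo "== Distinct 404 paths per client =="; enumeration_by_ip "$SAMPLE_LOG"
echo "== OS commands in query strings =="; injected_recon "$SAMPLE_LOG"
```

Point the functions at /var/log/apache2/access.log instead of the sample file to run them on a real host. The extension and command lists are starting points to tune per environment; the important habit is pivoting from a hit back to the client IP and URL (fields 1 and 7) and then to the file system, as the sections above describe.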

AWK Versions

awk '{print $1}' combined_log         # requester ip address (%h)
awk '{print $2}' combined_log         # remote logname (%l), normally "-"
awk '{print $3}' combined_log         # userid (%u) (if basic auth was used)
awk '{print $4,$5}' combined_log      # date/time (%t), e.g. [23/Dec/2020:22:59:01 +0000]
awk '{print $6}' combined_log         # request type (GET, POST, etc.), with the leading quote
awk '{print $7}' combined_log         # URL requested (/about, /blog, /xmlrpc.php, etc.)
awk '{print $8}' combined_log         # HTTP version, with the trailing quote

awk '{print $9}' combined_log         # status code (%>s)
awk '{print $10}' combined_log        # size (%b)

awk '{print $11}' combined_log        # http referer
awk '{print $12}' combined_log        # user agent (first token only; the full string contains spaces)

awk -F\" '{print $2}' combined_log    # request line (%r)
awk -F\" '{print $4}' combined_log    # referer
awk -F\" '{print $6}' combined_log    # full user agent

Example Logs to Practice

  • Webshell Compilation Artifacts (SWolfSecurity)

  • https://zeroed.tech/blog/analysing-iis-compilation-artifacts/

  • GitHub - mIcHyAmRaNe/wso-webshell: wso php webshell (most common webshell)

  • Apache Logging Basics - The Ultimate Guide To Logging (Loggly): Apache logs

  • How to parse apache log files with Awk (Vidyut Luther's Website): useful awk queries