Web Shells
Log Locations
C:\inetpub\logs\LogFiles (IIS)
C:\Windows\System32\LogFiles (IIS)
C:\Inetpub\vhosts\WEBSITENAME\logs\iis\W3SVC97\u_ex220901.log (IIS)
/var/log/httpd/ (Apache on RHEL/CentOS/Fedora)
/var/log/apache2/ (Apache on Debian/Ubuntu)
/var/log/nginx/ (Nginx)
Hunting WebShells with Apache Logs
Logs are crucial for tracking threat actor (TA) activity; using them effectively saves time when you need to stop the bleeding. Nginx's default log format matches Apache's combined format, so the commands below work for both. If a site uses a custom LogFormat, check the field order before trusting the column numbers.
Get Specific Date/Time
Filter the logs by date (or date and hour) first, then apply the commands below to that slice to narrow the search.
Commonly Requested Webpage/File
Filter by IP
Lots of traffic from a specific IP could be indicative of recon/scanning or follow-on activity.
HTTP Response Code by IP
If the TA is enumerating, they will generate lots of 404 or 302 responses. Lots of 200 responses to a single script can indicate the TA communicating with a web shell.
Find which IP has the most of a specific response type.
Find the IPs that are causing the most 403s.
This tells me that a lot of requests are being made to xmlrpc.php by different IP addresses. Now I want to know what those IP addresses are.
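The slicing steps above (date, most-requested path, per-IP volume, status code per IP, and the IPs behind one status code or one path) as an added example; this is not code from the original page. The access log is constructed here in the combined format; on a real host point LOG at /var/log/httpd/access_log, /var/log/apache2/access.log or /var/log/nginx/access.log. Field numbers assume awk's default whitespace splitting of the combined format.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): first-pass slicing of a
# combined-format access log with grep/awk/sort/uniq.
# The log below is constructed for this example.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat >"$LOG" <<'EOF'
203.0.113.10 - - [01/Sep/2022:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Sep/2022:10:01:05 +0000] "GET /about.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Sep/2022:10:02:11 +0000] "POST /xmlrpc.php HTTP/1.1" 403 210 "-" "python-requests/2.28"
198.51.100.7 - - [01/Sep/2022:10:02:12 +0000] "POST /xmlrpc.php HTTP/1.1" 403 210 "-" "python-requests/2.28"
198.51.100.7 - - [01/Sep/2022:10:02:13 +0000] "POST /xmlrpc.php HTTP/1.1" 403 210 "-" "python-requests/2.28"
192.0.2.55 - - [01/Sep/2022:10:03:40 +0000] "POST /xmlrpc.php HTTP/1.1" 403 210 "-" "curl/7.81"
192.0.2.55 - - [01/Sep/2022:10:03:41 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "curl/7.81"
192.0.2.55 - - [01/Sep/2022:10:03:42 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "curl/7.81"
192.0.2.55 - - [02/Sep/2022:09:15:00 +0000] "POST /uploads/cache.php HTTP/1.1" 200 88 "-" "curl/7.81"
EOF

# Combined format under awk's default whitespace splitting:
#   $1 client IP   $4 [dd/Mon/yyyy:HH:MM:SS   $7 path(+query)   $9 status   $10 bytes

# 1. Narrow to a day ("01/Sep/2022") or an hour ("01/Sep/2022:10") first.
#    The timestamp field begins with "[", and -F keeps the bracket literal.
filter_date() { grep -F "[$1" "$LOG"; }

# 2. Most commonly requested path.
top_requested() { awk '{print $7}' "$LOG" | sort | uniq -c | sort -rn; }

# 3. Request volume per client IP.
top_ips() { awk '{print $1}' "$LOG" | sort | uniq -c | sort -rn; }

# 4. Status code breakdown per IP: "count ip status".
status_by_ip() { awk '{print $1, $9}' "$LOG" | sort | uniq -c | sort -rn; }

# 5. IPs producing the most of one status code, e.g. 403 or 404.
top_ips_for_status() { awk -v code="$1" '$9 == code {print $1}' "$LOG" | sort | uniq -c | sort -rn; }

# 6. Which IPs are behind the requests to one path (the xmlrpc.php question).
ips_for_path() { awk -v p="$1" '$7 == p {print $1}' "$LOG" | sort | uniq -c | sort -rn; }

echo "== requests on 01/Sep/2022 10:02 =="; filter_date 01/Sep/2022:10:02
echo "== top paths ==";                  top_requested | head -3
echo "== 403s by IP ==";                 top_ips_for_status 403
echo "== who hits /xmlrpc.php ==";       ips_for_path /xmlrpc.php
```

Each function only changes which column is printed before the same `sort | uniq -c | sort -rn` tail, so the same pattern extends to any field (referer, bytes, method) once you know its column number in your LogFormat.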
Find Modified Files of Interest
Identify recently modified or created files stored in web-accessible areas (.php, .asp, .aspx, .jsp, .png, .jpg, .zip, .py). Image and archive extensions are included because shells are often uploaded under an innocuous extension and renamed or included later.
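A find-based version of that check as an added example (not code from the original page). WEBROOT is a temporary directory built here with one backdated set of legitimate files and one fresh file containing a constructed eval() shell; on a real host use the actual web root (for example /var/www/html or C:\inetpub\wwwroot).

```shell
#!/usr/bin/env bash
# Added example (not from the original page): recently modified web-accessible
# files, then a content check for functions PHP shells commonly use.
# The web root below is constructed for this example.
WEBROOT=$(mktemp -d)
trap 'rm -rf "$WEBROOT"' EXIT
mkdir -p "$WEBROOT/uploads" "$WEBROOT/includes"
printf '<?php echo "hi"; ?>\n'          > "$WEBROOT/index.php"
printf 'old config\n'                   > "$WEBROOT/includes/config.php"
printf 'PNG\n'                          > "$WEBROOT/uploads/logo.png"
printf 'body{}\n'                       > "$WEBROOT/style.css"
printf '<?php eval($_POST["x"]); ?>\n'  > "$WEBROOT/uploads/cache.php"   # constructed shell
# Backdate everything except uploads/cache.php (POSIX touch -t: CCYYMMDDhhmm).
touch -t 202001010000 "$WEBROOT/index.php" "$WEBROOT/includes/config.php" \
                      "$WEBROOT/uploads/logo.png" "$WEBROOT/style.css"

# Files of the listed web-accessible types modified in the last N days (default 7).
# -mtime is POSIX; GNU find also accepts -newermt '2022-09-01' for an exact cut-off.
recent_web_files() {
  root=$1; days=${2:-7}
  find "$root" -type f -mtime "-$days" \
    \( -name '*.php' -o -name '*.asp' -o -name '*.aspx' -o -name '*.jsp' \
       -o -name '*.png' -o -name '*.jpg' -o -name '*.zip' -o -name '*.py' \) \
    -print | sort
}

# PHP files whose content calls functions commonly seen in web shells.
# Legitimate code uses some of these too, so treat hits as a triage list.
suspicious_php() {
  find "$1" -type f -name '*.php' -exec grep -lE \
    'eval\(|base64_decode\(|system\(|shell_exec\(|passthru\(|assert\(|preg_replace\(.*/e' {} +
}

echo "== modified in the last 7 days =="; recent_web_files "$WEBROOT" 7
echo "== shell-like PHP =="; suspicious_php "$WEBROOT"
```

Run both and intersect the lists: a file that is both recently modified and calls eval()/system() goes to the top of the pile. On a host where the application is deployed from a package or git checkout, diffing against the known-good tree is the stronger version of the same check.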
Suspicious User Agents
Security scanning tools commonly have identifying user agents. These can be edited within the tool itself, so don't rely on them too much; they are good for catching low-hanging fruit.
Print count all user agents
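Counting user agents and flagging known scanner strings, as an added example that is not from the original page. The user agent contains spaces, so the log is split on the double quote rather than on whitespace: with `-F'"'`, `$2` is the request line, `$4` the referer and `$6` the user agent (Apache and nginx escape embedded quotes as `\"`, so the positions hold). The log lines and the scanner list are constructed for the example; tune the list to your environment.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): user-agent counting and
# scanner-UA flagging on a combined-format log. Sample lines constructed.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat >"$LOG" <<'EOF'
203.0.113.10 - - [01/Sep/2022:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/104.0"
203.0.113.10 - - [01/Sep/2022:10:01:05 +0000] "GET /about.php HTTP/1.1" 200 2048 "https://example.com/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/104.0"
198.51.100.7 - - [01/Sep/2022:10:02:11 +0000] "GET /products.php?id=1 HTTP/1.1" 200 2200 "-" "sqlmap/1.6.9#stable (https://sqlmap.org)"
198.51.100.7 - - [01/Sep/2022:10:02:12 +0000] "GET /products.php?id=1%27 HTTP/1.1" 500 0 "-" "sqlmap/1.6.9#stable (https://sqlmap.org)"
192.0.2.55 - - [01/Sep/2022:10:03:40 +0000] "GET /cgi-bin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
192.0.2.55 - - [01/Sep/2022:10:03:41 +0000] "POST /uploads/cache.php HTTP/1.1" 200 88 "-" "-"
EOF

# Split on the double quote: $2 = request line, $4 = referer, $6 = user agent.
count_user_agents() { awk -F'"' '{print $6}' "$LOG" | sort | uniq -c | sort -rn; }

# Flag UAs of common scanners/tooling plus empty ("-") UAs, grouped by IP.
# A TA can set any UA they like, so absence of a hit proves nothing.
SCANNER_RE='sqlmap|nikto|nmap|masscan|gobuster|dirbuster|ffuf|wpscan|python-requests|go-http-client|curl|wget|^-?$'
scanner_hits() {
  awk -F'"' -v re="$SCANNER_RE" 'tolower($6) ~ re {split($1, a, " "); print a[1], $6}' "$LOG" \
    | sort | uniq -c | sort -rn
}

echo "== all user agents =="; count_user_agents
echo "== scanner / empty UAs by IP =="; scanner_hits
```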
Finding WebShell Interaction
For the majority of web traffic, requests to the server are GET requests. So you can identify potentially malicious traffic by filtering the access logs for the highest POST traffic and then searching those requests for URLs that end in one of the common web shell file types (.php, .asp, .aspx, .jsp). A shell can also be driven over GET with the command in the query string, or with the command in a cookie or header that a default access log does not record, so a POST-only hunt is a starting point rather than a complete one.
Identifying Exfil/Database Dumping
Creating ZIP/archive files and running SQL dump commands (mysqldump, pg_dump) through a shell could be IOAs for data exfiltration, as could a large-byte-count GET of a .sql or .zip file from the web root shortly afterwards.
Searching for SQL Injection/Queries/Dumps
SQL commands should be a very rare occurrence in standard web logs. Search for tokens often passed during SQL injection such as ', %27, ", SELECT, INSERT, UNION, CREATE, DECLARE, CAST, EXEC, and DELETE (this is only a subset and should be tailored to your environment). Regular expression searching with grep or PowerShell can lead to quick wins; restrict the match to the request line so a quote in a referer or user agent does not fire.
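The three request-line hunts above (POSTs to script files, archive/dump indicators, SQL injection tokens) as one added example, not code from the original page. The log is constructed; the patterns are a starting set to tune. The request line is taken as `$2` of a quote-split record so the referer and user agent are never matched.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): request-line hunts on a
# combined-format log. Sample lines constructed for the example.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat >"$LOG" <<'EOF'
203.0.113.10 - - [01/Sep/2022:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Sep/2022:10:01:05 +0000] "GET /products.php?id=7 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Sep/2022:10:01:09 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Sep/2022:10:02:11 +0000] "GET /products.php?id=7%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 2200 "-" "sqlmap/1.6"
198.51.100.7 - - [01/Sep/2022:10:02:12 +0000] "GET /products.php?id=7'+AND+1=1-- HTTP/1.1" 200 2048 "-" "sqlmap/1.6"
192.0.2.55 - - [01/Sep/2022:10:03:40 +0000] "POST /uploads/cache.php HTTP/1.1" 200 88 "-" "curl/7.81"
192.0.2.55 - - [01/Sep/2022:10:03:41 +0000] "POST /uploads/cache.php HTTP/1.1" 200 88 "-" "curl/7.81"
192.0.2.55 - - [01/Sep/2022:10:03:42 +0000] "POST /uploads/cache.php HTTP/1.1" 200 91 "-" "curl/7.81"
192.0.2.55 - - [01/Sep/2022:10:04:10 +0000] "GET /uploads/cache.php?cmd=mysqldump+-u+root+shop+%3E+/tmp/db.sql HTTP/1.1" 200 12 "-" "curl/7.81"
192.0.2.55 - - [01/Sep/2022:10:05:30 +0000] "GET /uploads/db.sql HTTP/1.1" 200 4194304 "-" "curl/7.81"
192.0.2.55 - - [01/Sep/2022:10:06:00 +0000] "GET /uploads/site.zip HTTP/1.1" 200 9000000 "-" "curl/7.81"
EOF

# 1. POSTs to script files, counted per (ip, path). A shell is usually one
#    script taking many POSTs from a handful of IPs. Under default splitting the
#    request line's opening quote sticks to the method, hence "\"POST".
post_to_scripts() {
  awk '$6 == "\"POST" && $7 ~ /\.(php|aspx?|jsp)([?]|$)/ {print $1, $7}' "$LOG" \
    | sort | uniq -c | sort -rn
}

# 2. Archive and database-dump indicators in the request line: ip path.
EXFIL_RE='mysqldump|pg_dump|[.]sql([^a-z]|$)|[.](zip|tar|tgz|gz|rar|7z)([^a-z]|$)'
exfil_indicators() {
  awk -F'"' -v re="$EXFIL_RE" \
    'tolower($2) ~ re {split($1, a, " "); split($2, r, " "); print a[1], r[2]}' "$LOG"
}

# 3. SQL injection tokens in the request line. A keyword must be followed by an
#    encoded space (%20 or +) so an ordinary path such as /update does not fire.
SQLI_RE="'|%27|%22|--|%2d%2d|(^|[^a-z])(union|select|insert|update|delete|drop|create|declare|cast|exec)(%20|[+])"
sqli_requests() {
  awk -F'"' -v re="$SQLI_RE" \
    'tolower($2) ~ re {split($1, a, " "); split($2, r, " "); print a[1], r[2]}' "$LOG"
}

echo "== POSTs to scripts =="; post_to_scripts
echo "== exfil indicators =="; exfil_indicators
echo "== SQLi tokens ==";      sqli_requests
```

The POST count surfaces /uploads/cache.php with three POSTs from one IP; the same IP then runs mysqldump through the shell's cmd parameter and fetches db.sql and site.zip with large byte counts, which is the exfil sequence the section describes.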
Directory Enumeration
Enumerating the web server's file system is a common way for an adversary to identify the scripting language the server runs and which scripts can be abused to escalate privileges. Directory enumeration is a noisy technique, and one of the easiest to spot: bursts of 404s (and 403s) from one IP in a short window.
Recon Commands using Command Injection
TAs will probe the target for vulnerabilities and look for files of interest once the web shell has been established. Spotting `which` commands (e.g. `which python`) and similar recon commands such as `whoami`, `id` and `uname -a` in request parameters can lead to discovery of the shell.
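The two hunts above (403/404 bursts per IP per minute for directory enumeration, and URL-decoded recon commands in a query string for command injection) as one added example, not code from the original page. The log is constructed; the command list is a starting set. The query string is URL-decoded in awk so that `which%20python3` and `cat+/etc/passwd` are matched as the commands they are.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): enumeration bursts and recon
# commands in query strings. Sample log constructed for the example.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat >"$LOG" <<'EOF'
192.0.2.55 - - [01/Sep/2022:10:03:40 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "gobuster/3.1"
192.0.2.55 - - [01/Sep/2022:10:03:40 +0000] "GET /backup/ HTTP/1.1" 404 196 "-" "gobuster/3.1"
192.0.2.55 - - [01/Sep/2022:10:03:41 +0000] "GET /config.php.bak HTTP/1.1" 404 196 "-" "gobuster/3.1"
192.0.2.55 - - [01/Sep/2022:10:03:41 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "gobuster/3.1"
192.0.2.55 - - [01/Sep/2022:10:03:41 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "gobuster/3.1"
192.0.2.55 - - [01/Sep/2022:10:03:42 +0000] "GET /uploads/ HTTP/1.1" 403 199 "-" "gobuster/3.1"
203.0.113.10 - - [01/Sep/2022:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Sep/2022:10:05:30 +0000] "GET /img/missing.png HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Sep/2022:10:20:01 +0000] "GET /uploads/cache.php?cmd=whoami HTTP/1.1" 200 9 "-" "curl/7.81"
198.51.100.7 - - [01/Sep/2022:10:20:05 +0000] "GET /uploads/cache.php?cmd=which%20python3 HTTP/1.1" 200 17 "-" "curl/7.81"
198.51.100.7 - - [01/Sep/2022:10:20:09 +0000] "GET /uploads/cache.php?cmd=cat+/etc/passwd HTTP/1.1" 200 2311 "-" "curl/7.81"
198.51.100.7 - - [01/Sep/2022:10:20:15 +0000] "GET /uploads/cache.php?cmd=uname%20-a%3B%20id HTTP/1.1" 200 140 "-" "curl/7.81"
EOF

# Directory enumeration: 403/404 responses per IP per minute, reported when the
# count reaches a threshold (default 10). $4 is "[dd/Mon/yyyy:HH:MM:SS", so
# substr($4, 2, 17) is the minute bucket "dd/Mon/yyyy:HH:MM".
enum_bursts() {
  awk '$9 ~ /^40[34]$/ {print $1, substr($4, 2, 17)}' "$LOG" \
    | sort | uniq -c | sort -rn | awk -v t="${1:-10}" '$1 >= t'
}

# Recon commands in a query string. The command must follow "=" or a shell
# separator so that an ordinary parameter like "?id=7" does not fire.
CMD_RE='(^|[=;|&])[ ]*(whoami|id|uname|which|cat|ls|pwd|ifconfig|netstat|ps|wget|curl|nc|python[0-9.]*|perl|find|env)($|[^a-z0-9_=])'
cmd_recon() {
  awk -F'"' -v re="$CMD_RE" '
  function hex2dec(h,    i, n) {
    n = 0; h = tolower(h)
    for (i = 1; i <= length(h); i++) n = n * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
    return n
  }
  # Minimal URL decoder: "+" -> space, %XX -> the byte XX.
  function urldecode(s,    out) {
    gsub(/\+/, " ", s); out = ""
    while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
      out = out substr(s, 1, RSTART - 1) sprintf("%c", hex2dec(substr(s, RSTART + 1, 2)))
      s = substr(s, RSTART + 3)
    }
    return out s
  }
  {
    split($1, a, " "); split($2, r, " ")          # a[1] = ip, r[2] = path?query
    qpos = index(r[2], "?"); if (qpos == 0) next
    d = urldecode(substr(r[2], qpos + 1))
    if (tolower(d) ~ re) print a[1], r[2], "->", d
  }' "$LOG"
}

echo "== 403/404 bursts (>= 5 per IP per minute) =="; enum_bursts 5
echo "== recon commands in query strings ==";          cmd_recon
```

The burst threshold is per minute here because wordlist tools issue many requests per second; lengthen the bucket (substr to 14 characters gives the hour) for slow, throttled enumeration. A shell that takes its command in a POST body or header leaves nothing in the query string, so pair this with the POST-volume hunt and, where you have them, with request bodies from a WAF or reverse proxy.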
AWK Versions