Web Shell 101
Joe Schottman, InfoSeCon 2018, Oct. 26, 2018
About Me
Senior Security Analyst for BB&T
Legal Stuff
How To Reach Me
@JoeSchottman on Twitter
[email protected]
www.joeschottman.com
Add me on LinkedIn
Find me on local Slacks
Agenda
What is a Web Shell?
How do Web Shells work?
How can you detect them?
Not going to cover how to use them
Definitions for this talk
If you’re playing security conference bingo
First, a diversion
Equifax hack
What is a Web Shell?
A subset of malware that runs on web servers
Used by APT groups
But also script kiddies
Someone else’s code
▪ PHP
▪ JSP
▪ Perl
▪ Ruby
▪ Python
▪ Shell Scripts
▪ ASP
Mostly scripting languages
Designed to control your server via HTTP
Imagine an evil web application
Executes just like your web applications
Unless the attacker takes steps to avoid it...
Used for different purposes
Hidden in different ways
How do they get on systems?
Web Shells are not the initial attack
Why at least two problems?
Let’s consider where in the attack Web Shells are used
Cyber Kill Chain
ATT&CK
Discovery
Lateral movement
Collection
Exfiltration
Command and control
Time to engage incident response
A funny aside
Metasploit makes some Web Shells easy
Detecting Web Shells
Strategies
You do get permission before doing research, right?
VirusTotal
File integrity monitoring
In an ideal world...
Also in an ideal world...
Conduct tests - put new files on your web servers and see how long detection takes.
File system techniques
Slide on YARA here
Dirty Word List
Look for encoded or encrypted content
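To make the "dirty word list" and "encoded or encrypted content" checks concrete, here is a small Python scanner written for this page (it is not code from the talk). It walks a web root, flags source files that contain function calls web shells commonly rely on, and flags long base64 runs or high-entropy content. The word list, the base64 run length, the entropy threshold and the two constructed sample files are assumptions to tune for your own application; a hit is a lead for review, not a verdict.

```python
import base64
import math
import os
import re
import tempfile

# Hypothetical "dirty word" list: calls that hand-written code in a typical web
# root rarely makes but web shells commonly do. Tune this per application; a
# framework that legitimately uses eval() or base64_decode() needs exclusions.
DIRTY_WORDS = (
    "eval(", "assert(", "system(", "shell_exec(", "passthru(", "exec(",
    "proc_open(", "popen(", "base64_decode(", "gzinflate(", "str_rot13(",
)

# Assumed threshold: a run of 200+ base64 characters rarely appears in
# hand-written source, but often does in packed or obfuscated files.
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

# Assumed threshold: Shannon entropy above 5.5 bits/byte suggests compressed
# or encrypted content rather than plain source code.
ENTROPY_THRESHOLD = 5.5

SOURCE_EXTENSIONS = (".php", ".jsp", ".asp", ".aspx", ".pl", ".py", ".rb")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_bytes(content: bytes) -> list:
    """Return the list of findings for one file's content (empty if clean)."""
    findings = []
    text = content.decode("utf-8", errors="replace")
    for word in DIRTY_WORDS:
        if word in text:
            findings.append(f"dirty word: {word}")
    if LONG_BASE64.search(text):
        findings.append("long base64 run")
    entropy = shannon_entropy(content)
    if entropy > ENTROPY_THRESHOLD:
        findings.append(f"high entropy: {entropy:.2f} bits/byte")
    return findings


def scan_tree(root: str) -> dict:
    """Walk `root`; map each flagged source file (relative path) to its findings."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SOURCE_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                findings = scan_bytes(fh.read())
            if findings:
                results[os.path.relpath(path, root)] = findings
    return results


def build_sample_root() -> str:
    """Create a constructed web root with one clean file and one suspicious file."""
    root = tempfile.mkdtemp(prefix="webroot-sample-")
    os.makedirs(os.path.join(root, "uploads"))
    # Constructed benign page: no listed calls, no encoded blobs.
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write('<?php\n$name = htmlspecialchars($_GET["name"] ?? "world");\n'
                 'echo "Hello, " . $name;\n')
    # Constructed suspicious file: eval() of a base64 blob. The blob is only
    # harmless filler text, long enough to exceed the base64 run threshold.
    blob = base64.b64encode(b"constructed harmless filler text " * 8).decode()
    with open(os.path.join(root, "uploads", "cache.php"), "w") as fh:
        fh.write(f'<?php eval(base64_decode("{blob}"));\n')
    return root


if __name__ == "__main__":
    for path, findings in scan_tree(build_sample_root()).items():
        print(path)
        for finding in findings:
            print("   ", finding)
```

Run it against a copy of a real web root and expect noise at first: minifiers, vendored libraries and framework caches routinely trip the base64 and entropy checks, so build an exclusion list from a known-good baseline before alerting on the results, and pair the scan with file integrity monitoring so that a new or modified file is what triggers the deeper look.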
Don’t forget the database
Log Files
Network analysis
Endpoint anomaly detection
THANKS!
CREDITS
PRESENTATION DESIGN
▪ Dosis
▪ Titillium Web
#d3ebd5 · #80bfb7 · #0b87a1 · #01597f · #003b55