Hunting and Investigating malicious web shells with Magnet AXIOM

A malicious web shell is a script that can be uploaded to a web server to enable remote administration of the infected host machine. A web shell can be written in any language supported by the host web server, the case study in this presentation was written in ASP. Using network reconnaissance tools, a threat actor can identify vulnerabilities to exploited on the target machine resulting in the successful installation of a web shell. In this case study multiple vulnerabilities existed in the Content Management Systems (CMS), once blank.aspx was successfully uploaded, the threat actor used the web shell to leverage other exploitation techniques to escalate privileges and to issue commands remotely. These commands were related to the privilege and functionality available to the web server and included the ability to add, delete and execute files as well as the ability to run PowerShell commands to overwrite file system timestamps in an attempt to evade detection. During this session we will look at ways to automate the identification of malicious web shells on an infected machine. Associating the PowerShell commands and other malicious files to ensure a full understanding of the impacted data, while ensuring the complete eradication of the threat. This presentation involves a real life case study where a malicious web shell was collecting passwords and credit card details from a ecommerce site, along with research on the web shell post engagement.