Probing A Web Shell Intrusion Using Trend Micro™ Managed XDR


Solution and suggestions

Web shells remain a prevalent threat to web server operators, underscoring the need for continuous monitoring and for keeping servers aligned with the highest standards of security management and server configuration. Here are the specifics of how the Managed XDR team responded to the incident investigated in this blog:

Upon detecting additional payloads from the threat, the team immediately isolated the endpoint, containing the threat and preventing further impact on other hosts. The additional payloads were collected and forwarded to the analysis team for detailed analysis and detection creation. Additional server logs were also collected remotely to examine the activity associated with the web shells.

Following the investigation and discussions with the customer, the source of the web shell upload was traced to unrestricted file upload pages on the server. The team therefore recommended deactivating these pages until rigorous file validation is in place, uploads are restricted to what the application actually needs, and proper authorization is enforced on the upload functionality.

During the investigation, it was also noted that the host lacked a properly deployed security agent (endpoint protection platform). Installing a suitable security agent serves as a preventive measure, minimizing impact by detecting web shells as soon as they land on the server.

To gain deeper insight into the incident, understand its impact, and prioritize the necessary actions, an incident call was arranged with the customer. An incident report containing the analysis findings and recommendations was also generated and shared with the customer as a point of reference.

To defend against similar threats, the following security measures are recommended to help organizations and enterprises fortify their defenses against web shell attacks:

  • Validate and sanitize inputs. Ensure all inputs on web pages, including uploaded files, undergo proper validation and sanitization to prevent injection attacks.
  • Deploy authentication and limit access. Enforce robust authentication for sensitive endpoints and restrict access solely to authorized users.
  • Update your systems and applications. Examine your server and web application for known vulnerabilities, and apply the latest security patches promptly, particularly to web frameworks and server software such as IIS.
  • Ensure security products are configured according to best practices. Make sure all security tools in place, such as endpoint detection systems, firewalls, and monitoring solutions, are properly configured and kept up to date in line with vendor-recommended practices.
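The upload-page recommendation above (file validation, restricted uploads, authorization) and the first two bullets in this list describe the same set of server-side checks. The following is an added example, written for this page and not code from Trend Micro or from the affected customer, showing what those checks look like in one place: an authorization gate, a size limit, path and file-name sanitization, an extension allowlist applied to the last extension only, a magic-byte check so content must match the declared type, and a random stored name in a directory outside the web root. The `User` type, the `uploader` role, the allowed types, the size limit and the `/srv/uploads` location are assumptions for the example.

```python
import os
import secrets
from dataclasses import dataclass

# Added example (not Trend Micro's code): server-side checks an upload page
# should enforce before the deactivated pages are re-enabled. The role name,
# allowed types, size limit and storage location are assumptions.

# Allowlisted extensions mapped to the leading bytes (magic) each must carry.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024
# Assumed location outside the web root, so a stored file is never served
# or executed as script by the web server.
UPLOAD_DIR = "/srv/uploads"


@dataclass(frozen=True)
class User:
    name: str
    authenticated: bool
    roles: frozenset


def validate_upload(user, client_filename, content):
    """Return (True, stored_name) if the upload is acceptable, else (False, reason).

    The stored name is random and keeps only the allowlisted extension, so
    nothing the client chose (name, path, double extension) reaches disk.
    """
    # 1. Authorization first: an unauthenticated upload page is the weak point
    #    identified in the incident.
    if not user.authenticated or "uploader" not in user.roles:
        return False, "not authorized to upload"
    # 2. Size limit.
    if len(content) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    # 3. Strip any client-supplied path (../ or C:\...) and inspect the name;
    #    control characters (including NUL) and ';' are rejected outright.
    base = os.path.basename(client_filename.replace("\\", "/"))
    if not base or any(ord(c) < 32 for c in base) or ";" in base:
        return False, "illegal file name"
    # 4. Allowlist on the *last* extension, so "shell.png.aspx" is rejected.
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} not allowed"
    # 5. Content must match the declared type; "shell.aspx.png" holding
    #    ASP.NET source fails here even though its extension passed.
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    # 6. Never reuse the client name: random name plus the vetted extension.
    return True, secrets.token_hex(16) + ext


def storage_path(stored_name):
    """Absolute path under UPLOAD_DIR, refusing anything that escapes it."""
    root = os.path.abspath(UPLOAD_DIR)
    path = os.path.abspath(os.path.join(root, stored_name))
    if os.path.dirname(path) != root:
        raise ValueError("path escapes upload directory")
    return path
```

The order matters: authorization is checked before any byte of the file is inspected, and the stored name is generated by the server rather than derived from the client's name, so the checks on the client name only decide accept or reject and never feed into a path.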

Trend Vision One threat intelligence

To stay ahead of evolving threats, Trend Micro customers can access a variety of Intelligence Reports and Threat Insights within Trend Vision One. These Threat Insights help customers anticipate potential cyber threats and prepare for emerging ones. They provide comprehensive details on threat actors, their malicious activities, and the techniques they employ. Leveraging this intelligence enables customers to proactively secure their environments, mitigate risks, and respond effectively to threats.

Trend Vision One Intelligence Reports App [IOC Sweeping]

  • Probing A Web Shell Intrusion With Trend Micro™ Managed XDR blog IOCs

Trend Vision One Threat Insights App

Hunting queries

Trend Vision One Search App

Trend Vision One customers can use the Search App to match or hunt for the malicious indicators mentioned in this blog post in their own data.

Potential scenarios involving web shell command execution:

((processFilePath:w3wp.exe AND objectFilePath:(cmd.exe OR powershell.exe)) OR parentFilePath:w3wp.exe AND processFilePath:(cmd.exe OR powershell.exe)) AND eventSubId: 2 AND NOT objectFilePath:(conhost.exe)
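To see exactly which records the query above selects, here is an added example, not a Trend Micro tool, that re-expresses the query's logic in Python and runs it over a few constructed process-creation records. Field names mirror the query; the record layout, the reading of `eventSubId: 2` as process-creation telemetry, and the operator precedence (AND binding tighter than OR, so the second clause reads `parentFilePath:w3wp.exe AND processFilePath:(...)`) are assumptions for the example. The sample events are constructed and are not from the incident described in the post.

```python
import os
from dataclasses import dataclass

# Added example (not a Trend Micro tool): the hunting query above as Python,
# run over constructed process-creation records. The record layout and the
# meaning of eventSubId 2 as "process creation" are assumptions.

PROCESS_CREATE = 2                      # eventSubId: 2 in the query
IIS_WORKER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe"}
NOISE = {"conhost.exe"}                 # NOT objectFilePath:(conhost.exe)


@dataclass(frozen=True)
class ProcessEvent:
    eventSubId: int
    processFilePath: str        # the process performing the action
    objectFilePath: str = ""    # the process it created
    parentFilePath: str = ""    # the parent of processFilePath


def _basename(path):
    """Case-insensitive file name, whatever the path separator."""
    return os.path.basename(path.replace("\\", "/")).lower()


def matches_webshell_exec(ev):
    """True when the record satisfies the query (AND binding tighter than OR)."""
    if ev.eventSubId != PROCESS_CREATE:
        return False
    if _basename(ev.objectFilePath) in NOISE:
        return False
    # Branch 1: w3wp.exe directly spawns cmd.exe / powershell.exe
    iis_spawns_shell = (_basename(ev.processFilePath) == IIS_WORKER
                        and _basename(ev.objectFilePath) in SHELLS)
    # Branch 2: a shell whose parent is w3wp.exe creates another process
    shell_under_iis = (_basename(ev.parentFilePath) == IIS_WORKER
                       and _basename(ev.processFilePath) in SHELLS)
    return iis_spawns_shell or shell_under_iis


def hunt(events):
    """Return the subset of events that the query would surface."""
    return [ev for ev in events if matches_webshell_exec(ev)]


# Constructed sample telemetry (not from the incident described in the post).
SAMPLE_EVENTS = [
    ProcessEvent(2, r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\svchost.exe"),            # hit: IIS -> cmd
    ProcessEvent(2, r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\conhost.exe",
                 r"C:\Windows\System32\svchost.exe"),            # excluded: conhost
    ProcessEvent(2, r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\whoami.exe",
                 r"C:\Windows\System32\inetsrv\w3wp.exe"),       # hit: cmd under IIS
    ProcessEvent(2, r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\userinit.exe"),           # benign: not IIS
    ProcessEvent(1, r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\svchost.exe"),            # wrong eventSubId
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(f"ALERT: {ev.processFilePath} -> {ev.objectFilePath} "
              f"(parent {ev.parentFilePath})")
```

The conhost.exe exclusion is applied after both branches, matching the query's trailing `AND NOT` clause; a console host launched for a shell under w3wp.exe is therefore dropped, while the shell's own children (such as whoami.exe in the sample) are kept.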

Additional hunting queries are available to Vision One users with the Threat Insights entitlement enabled.

Indicators of compromise

Indicators of Compromise (IoCs) are accessible via this link.
