By George, let's take a good, long look at ReGeorg
For those following along with ATT&CK, this entry is about Server Software Component: Web Shell, which is now a sub-technique of T1505, specifically T1505.003. We can also look at T1090, the Command and Control technique Proxy.
Today we're taking a look at the traces that ReGeorg leaves in web server access logs.
ReGeorg is a "thick client" webshell that lets an adversary create a SOCKS proxy via a .php, .aspx or .jsp script running on the compromised webserver; this can then be used to pivot into internal networks.
Pictured above is the client side, which establishes the connection to the shell on a compromised server. Once that connection is established, an adversary can use something like proxychains to SOCKSify tools on their local machine in order to reach networks connected to the webserver but not reachable from the internet.
Above you can see nmap run via proxychains through ReGeorg: on the left ReGeorg reports on connections, and in the right terminal window proxychains reports on nmap's progress. Worth noting, running nmap through ReGeorg is not that efficient, but it generates good traffic for us to look at.
Speaking of traffic, we can look at the uri_query field for evidence left by ReGeorg:
index=win10 sourcetype=iis cs_method=POST AND cs_uri_query IN ("*cmd=read*", "*connect&target*", "*cmd=connect*", "*cmd=disconnect*", "*&port*", "*cmd=forward*")
| where sc_status <= 403
| fillnull value=NULL cs_User_Agent cs_Referer
| search cs_User_Agent="NULL" cs_Referer="NULL"
| stats count as Count values(cs_uri_query) BY cs_uri_stem
| sort -Count
To walk through this SPL a little: in the first line we are looking for POSTs and providing a list of uri_query values that we have observed ReGeorg to use. In the second line we keep any status equal to or below 403 (perhaps an overabundance of caution, but hey).
In the next line we ensure that any null fields are populated and searchable, so we can pipe to a search for events that have no referrer or user-agent. Finally we perform a stats count, list the uri_query values associated with each uri_stem, and sort by the count.
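As an added example that is not part of the original post, here is the same hunt expressed in Python over a constructed handful of IIS W3C log lines (the host, paths, IPs and timestamps are made up): it applies the four conditions of the SPL above (POST, known query shape, status at or below 403, empty User-Agent and Referer) and reports hits by uri_stem, most frequent first.

```python
from collections import Counter, defaultdict
from fnmatch import fnmatchcase

# Constructed IIS W3C extended log sample (made-up host, paths, IPs and times).
# "-" is how IIS records an empty User-Agent or Referer field.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2024-01-01 10:00:00 10.0.0.5 POST /tunnel.aspx cmd=connect&target=10.0.0.20&port=445 80 - 203.0.113.9 - - 200
2024-01-01 10:00:01 10.0.0.5 POST /tunnel.aspx cmd=forward 80 - 203.0.113.9 - - 200
2024-01-01 10:00:02 10.0.0.5 POST /tunnel.aspx cmd=read 80 - 203.0.113.9 - - 200
2024-01-01 10:00:03 10.0.0.5 POST /tunnel.aspx cmd=disconnect 80 - 203.0.113.9 - - 403
2024-01-01 10:00:04 10.0.0.5 POST /old/x.php cmd=read 80 - 203.0.113.9 - - 200
2024-01-01 10:00:05 10.0.0.5 POST /api/login cmd=read 80 - 198.51.100.4 Mozilla/5.0 https://example.test/ 200
2024-01-01 10:00:06 10.0.0.5 GET /index.aspx cmd=read 80 - 198.51.100.4 Mozilla/5.0 - 200
2024-01-01 10:00:07 10.0.0.5 POST /tunnel.aspx cmd=read 80 - 203.0.113.9 - - 500
"""
# The same wildcard list the SPL uses in its cs_uri_query IN (...) clause.
REGEORG_QUERY_PATTERNS = ["*cmd=read*", "*connect&target*", "*cmd=connect*",
                          "*cmd=disconnect*", "*&port*", "*cmd=forward*"]

def parse_iis(text):
    """Turn W3C log text into dicts keyed by the names in the #Fields header."""
    fields, events = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            events.append(dict(zip(fields, line.split())))
    return events

def is_regeorg_candidate(ev):
    """Mirror the SPL: POST, known query shape, status <= 403, no UA, no Referer."""
    query = ev["cs-uri-query"].lower()          # Splunk wildcards are case-insensitive
    return (ev["cs-method"] == "POST"
            and any(fnmatchcase(query, p) for p in REGEORG_QUERY_PATTERNS)
            and int(ev["sc-status"]) <= 403
            and ev["cs(User-Agent)"] == "-" and ev["cs(Referer)"] == "-")

def hunt(text):
    """stats count values(cs_uri_query) BY cs_uri_stem | sort -Count, in Python."""
    counts, queries = Counter(), defaultdict(set)
    for ev in parse_iis(text):
        if is_regeorg_candidate(ev):
            counts[ev["cs-uri-stem"]] += 1
            queries[ev["cs-uri-stem"]].add(ev["cs-uri-query"])
    return [(stem, n, sorted(queries[stem])) for stem, n in counts.most_common()]

if __name__ == "__main__":
    for stem, n, qs in hunt(SAMPLE_LOG):
        print(f"{n:>4}  {stem}  {', '.join(qs)}")
```

The browser-like request with a User-Agent and Referer, the GET, and the 500 response all drop out, leaving only the two stems a ReGeorg client would be posting to.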
As you can see from the Splunk screenshot above, ReGeorg is quite noisy if you know where to look.
Sigma rule for this on the way, happy hunting everyone!