Showing posts from July 26, 2020

By George, let's take a good, long look at ReGeorg

For those following along with ATT&CK, this entry is about Server Software Component: Web Shell, which is now a sub-technique of T1505, specifically T1505.003. We can also look at T1090, the Command & Control technique Proxy. Today we're taking a look at the traces that ReGeorg leaves in web server access logs. ReGeorg is a "thick client" webshell that lets an adversary create a SOCKS proxy via a .php, .aspx or .jsp script running on the compromised web server; this can be used to pivot into internal networks. Pictured above is the client side, which establishes the connection to the shell on a compromised server. Once this connection is established, an adversary can use something like proxychains to SOCKSify tools on their local machine that they want to use to reach networks connected to the web server but inaccessible from the internet. Above you can see nmap run via proxychains through ReGeorg; on the left ReGeorg reports on connections, in the r