Posts

Showing posts with the label web shell

By George, let's take a good, long look at ReGeorg

For those following along with ATT&CK, this entry is about Server Software Component: Web Shell, which is now a sub-technique of T1505, specifically T1505.003. We can also look at T1090, the Command & Control technique Proxy. Today we're taking a look at the traces that ReGeorg leaves in web server access logs. ReGeorg is a "thick client" webshell that enables an adversary to create a SOCKS proxy via a .php, .aspx or .jsp script running on the compromised web server; this can be used to pivot to internal networks. Pictured above is the client side, which establishes the connection to the shell on a compromised server. After this connection is established, an adversary can use something like proxychains to SOCKSify tools on their local machine that they want to use to access networks connected to the web server but inaccessible from the internet. Above you can see nmap run via proxychains through ReGeorg: on the left ReGeorg reports on connections, in the r

Webshells automating reconnaissance gives us an easy detection win

For those following along with ATT&CK, this entry is about Server Software Component: Web Shell, which is now a sub-technique of T1505, specifically T1505.003. If I can avoid combing through web access logs to find stuff like webshells I'll happily dodge it. Having looked at the log artefacts left by a number of popular public domain webshells, I've found a couple of easy detections based around the Windows Event Log (WinEventLog). We're looking at webshells like "Con7ext", variants of "WSO" and "Alfa Shell", and specifically at the parts of the webshell that provide basic reconnaissance on server components and functionality. How is the webshell checking whether perl, python or wget are installed? In a rather noisy way that we can definitely hunt for. For IIS and a PHP shell, the Splunk SPL to search for this looks something like: index=win10 sourcetype="WinEventLog:Security" EventCode=4688 Account_Name=IUSR Creator_P