One of the most powerful tools in a threat actor’s arsenal is the web shell: malicious code planted on a server — including servers that aren’t internet-facing — to maintain persistent access to the network. Because web shells are easily modified, they are hard for system administrators to detect.
To give them some help, the U.S. National Security Agency and the Australian Signals Directorate — their respective countries’ electronic spy agencies — have issued a detailed 17-page report on detecting and preventing web shells from being installed on systems.
“Preventing web shells should be a priority for both internet-facing and internal web servers,” according to the partners. “Good cyber hygiene and a defence-in-depth approach based on the mitigations below provide significant hardening against web shells.
“While some web shells do not persist, running entirely from memory, and others exist only as binaries or scripts in a web directory, still others can be deeply rooted with sophisticated persistence mechanisms. Regardless, they may be part of a much larger intrusion campaign. A critical focus once a web shell is discovered should be on how far the attacker penetrated within the network.
“Packet capture (PCAP) and network flow data can help to determine if the web shell was being used to pivot within the network, and to where. If such a pivot is cleaned up without discovering the full extent of the intrusion and evicting the attacker, that access may be regained through other channels either immediately or at a later time.”
Their practical advice includes scripts to compare the directory of an active website against a known-good image of that site; Splunk queries for detecting anomalous URIs in web traffic; scripts that use Microsoft’s PowerShell to analyze Internet Information Services (IIS) logs for suspicious activity; scripts for analyzing Apache logs; network signatures for traffic from common web shells; and more.
Web shells are difficult to detect because they are easily modified by attackers and often employ encryption, encoding, and obfuscation, the report notes. Detection techniques include:
- comparing a verified benign version of the web application (i.e., a “known-good”) against the production version
- web traffic anomaly detection
- watching for unexpected network flows
In addition, some endpoint detection and remediation (EDR) solutions and enhanced host logging solutions may be able to detect web shells. Snort rules can be used to detect common web shell files.
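The known-good comparison described above, as an added example in Python (not code from the report or the article): every file under a verified baseline and under the live web root is hashed, and the files that were added, removed or modified are reported. The directory contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: sha256} for every regular file under root."""
    digests = {}
    root = Path(root)
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(known_good, production):
    """Classify production files as added, removed or modified relative to the baseline.

    Added and modified files in a web-accessible directory are the ones to triage
    first: a web shell is either a new script or a legitimate file with injected
    code, and neither should appear in a baseline-controlled site.
    """
    base = hash_tree(known_good)
    prod = hash_tree(production)
    return {
        "added": sorted(set(prod) - set(base)),
        "removed": sorted(set(base) - set(prod)),
        "modified": sorted(p for p in base.keys() & prod.keys() if base[p] != prod[p]),
    }


def demo():
    """Build two constructed directory trees and diff them (sample data, not a real site)."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp, "known_good")
        live = Path(tmp, "production")
        for root in (good, live):
            (root / "inc").mkdir(parents=True)
            (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
            (root / "inc" / "db.php").write_text("<?php $dsn = 'mysql:host=db'; ?>\n")
        # Constructed deviations: one unexpected new file and one altered include.
        (live / "inc" / "cache.php").write_text("<?php /* constructed unexpected file */ ?>\n")
        (live / "inc" / "db.php").write_text("<?php $dsn = 'mysql:host=db'; /* altered */ ?>\n")
        return compare_trees(good, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline hashes would be computed once from a trusted deployment and stored off-host, so that an attacker who modifies the web root cannot also modify the reference.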
Prevention strategies come down to defence-in-depth and include:
- making patching of web applications a priority, since attackers sometimes target vulnerabilities in these applications within 24 hours of a patch release
- limiting web application permissions: web applications should not have permission to write directly to a web-accessible directory or to modify web-accessible code
- installing intrusion prevention systems (IPS) and web application firewalls (WAF)
- network segregation
- hardening web servers by blocking access to unused ports or services, and performing vulnerability scans to identify unknown weaknesses