Detecting Malicious Web Shells: Analysis of Persistence and TTPs
- [01] Immediate impact: Attackers utilize web shells to maintain persistent access after exploitation, allowing for long-term data theft or further network compromise.
- [02] Affected systems: Any web server vulnerable to arbitrary file writes or remote code execution is susceptible to unauthorized shell placement.
- [03] Remediation: Enforce strict file integrity monitoring and restrict write permissions in web directories to prevent the execution of malicious scripts.
Web shells remain a primary method for threat actors to maintain persistent access to compromised web servers. According to analysis from the SANS Internet Storm Center (ISC), attackers frequently leverage “arbitrary file write” and RCE vulnerabilities to plant small, inconspicuous files that facilitate later payload execution. This persistence phase is critical because it allows an attacker to return to a system even if the initial vulnerability is patched, provided the shell remains undetected.
Web Shell Persistence and File Naming Conventions
One of the most effective TTP sets observed involves the careful selection of filenames. Attackers do not simply use random strings; they often choose names that blend in with the existing directory structure. For instance, on a server running a common CMS, an attacker might name a shell config-backup.php or wp-content-cache.php. This tactic is designed to evade manual inspection by administrators and simple SIEM alerts that look for obvious anomalies.
The goal of detecting malicious web shells on web servers becomes significantly more difficult when these files mimic legitimate system components. Security teams must look beyond filenames and analyze the actual content and behavior of files in web-accessible directories to identify unauthorized modifications.
Deployment via CVE Exploitation
The lifecycle of a web shell typically begins with an initial compromise. Most often, this involves a Supply Chain Attack or a Zero-Day in a web application. Once access is gained, the actor uses an RCE to execute a command that pulls or writes the shell code to the disk. By understanding how to mitigate RCE persistence mechanisms, SOC analysts can focus on the critical window between the initial exploit and the establishment of a permanent backdoor.
Parasitic Attacks and Credential Risks
An interesting trend highlighted by the SANS ISC is the rise of “parasitic” attacks. In these scenarios, a second attacker discovers a web shell already placed on a server by a previous actor. Because many web shells are not properly secured, the second attacker can hijack the existing C2 channel to maintain their own access or perform Lateral Movement within the network.
Furthermore, many web shells available in the underground economy come with pre-set backdoor credentials. Less sophisticated attackers may overlook these hardcoded passwords, essentially leaving a backdoor within their backdoor. This creates a multi-layered security risk where the server is vulnerable not just to the primary attacker, but to any entity capable of scanning for known web shell signatures and testing default credentials.
Indicators of Compromise and Detection Strategies
To improve the chances of identifying unauthorized web shells via behavioral analysis, defenders should monitor for specific IoC patterns. These include:
- Web server processes (such as
www-dataorapache) spawning unusual child processes like/bin/shorcmd.exe. - New files created in directories that should be static or read-only, specifically those with high entropy or obfuscated code.
- Network connections originating from the web server to unusual external IP addresses, suggesting C2 activity or data exfiltration.
Deploying an EDR solution can help identify these process-level anomalies. However, for organizations operating at scale, a Zero Trust architecture that limits the permissions of the web server user is essential. If the web user cannot write to the webroot, the majority of web shell attacks will fail at the delivery stage.
Hardening and Remediation
Hardening the web environment requires a multi-faceted approach. First, prioritize patching known CVE entries that allow for file uploads. Second, implement strict file system permissions. If an application does not require the ability to upload files, the directory should be mounted as read-only. For applications that do require uploads, ensure those files are stored in a non-executable directory and are scanned for malicious signatures before being saved to the disk.
Advertisement