Web Shells: Types, detection, and prevention

14 July, 2025

In today’s interconnected digital landscape, attackers are constantly evolving their techniques. One of the most persistent threats to web servers is the use of web shells.

In this blog series, we explore what web shells are, why they are a growing concern for security teams, and practical methods to detect and mitigate them through threat hunting.

This first post covers the basics of web shells and introduces key threat hunting techniques. In subsequent parts, we will break down each method in detail, starting with network monitoring in Part 2.

What are web shells?

A web shell is a malicious script or program that enables an attacker to gain remote access and control over a web server. After a web shell is installed on a target server, an attacker can use it to execute arbitrary commands, steal sensitive data, or initiate additional attacks on other connected systems in the compromised network. Web shells can be difficult to detect and remove, as they are often designed to blend in with legitimate web server files and activity.

The prevalence of web shells in the current cybersecurity landscape is growing because they are so effective at giving attackers remote access to and control over web servers. They are often deployed as part of a larger cyber-attack campaign, and can be used to maintain persistence in a targeted network or to carry out further malicious activities, such as data theft or ransomware attacks.

Moreover, web shells are often sold as a service in underground marketplaces, making them easily accessible to threat actors of varying skill levels. Therefore, it is vital to identify web shells as early as possible in order to prevent them from being used as a foothold for further attacks and to limit the amount of damage that can be done. Early discovery allows organizations to take proactive measures to improve their security posture and prevent future attacks.

What is threat hunting?

Threat hunting is a proactive cybersecurity approach that involves actively seeking and examining potential threats and vulnerabilities, rather than passively relying on automated security solutions to detect them.

Threat hunting involves a combination of manual analysis, automated tools, and human expertise to identify potential indicators of compromise (IOCs) and security threats that may have been missed by traditional security controls.

The objective of threat hunting for web shells is to detect and remove any web shells that might have been installed on a target server, as well as identify any other potential vulnerabilities or indicators of compromise that may indicate a larger attack or intrusion. By proactively searching for web shells and other threats, organizations can more effectively protect their web servers and other critical assets from cyber-attacks.

Types of web shell threat hunting

Threat hunting for web shells can be performed using a variety of techniques, depending on the environment and the tools available. Some possible techniques are:

  • Network monitoring: This involves the surveillance of network traffic to detect any suspicious activity, such as traffic to known command-and-control (C2) servers or traffic that matches the characteristics of web shell traffic.
  • Log analysis: This involves analyzing logs from web servers, firewalls, and other sources for indicators of compromise (IOCs) related to web shells, such as abnormal HTTP traffic or suspicious user activity.
  • File system analysis: This involves searching file systems for files and directories that are commonly used by web shells, such as PHP files with base64-encoded data or ASPX files with obfuscated code.
  • Process monitoring: This involves monitoring running processes for suspicious activity, such as processes that are spawning child processes or running suspicious shell commands.
  • Memory analysis: This involves analyzing the memory of running processes for signs of web shell activity, such as strings that match known web shell signatures.
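The log analysis technique above can be turned into a concrete hunt: a script receiving almost only POST requests, never with a referrer, from one or two client addresses behaves nothing like a page that real users browse to. The following is an added example, not code from the original post or from CPX; it assumes Apache/Nginx "combined" log format and uses constructed sample lines with documentation-reserved IP addresses.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" access log format (assumed; adjust to your server's format).
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
                    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"')
SCRIPT_EXT = (".php", ".aspx", ".ashx", ".jsp", ".asp")

def aggregate(lines):
    # Per-URI counters that matter for web shell hunting: method mix, referrers, client spread.
    stats = defaultdict(lambda: {"total": 0, "post": 0, "no_ref": 0, "ips": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that do not match the expected format
        s = stats[m["uri"].split("?", 1)[0]]  # drop the query string
        s["total"] += 1
        s["post"] += m["method"] == "POST"
        s["no_ref"] += m["referer"] in ("", "-")
        s["ips"].add(m["ip"])
    return stats

def suspicious_uris(lines, min_hits=3, post_ratio=0.75, max_ips=2):
    # Flag script URIs that are mostly POSTed to, never carry a referrer, and see few clients.
    flagged = {}
    for uri, s in aggregate(lines).items():
        if not uri.lower().endswith(SCRIPT_EXT) or s["total"] < min_hits:
            continue
        reasons = []
        if s["post"] / s["total"] >= post_ratio:
            reasons.append("mostly POST")
        if s["no_ref"] == s["total"]:
            reasons.append("no referrer")
        if len(s["ips"]) <= max_ips:
            reasons.append("few client IPs")
        if len(reasons) >= 2:  # require two signals to keep false positives down
            flagged[uri] = reasons
    return flagged

def _line(ip, method, uri, ref, ua):
    return f'{ip} - - [14/Jul/2025:10:00:00 +0000] "{method} {uri} HTTP/1.1" 200 512 "{ref}" "{ua}"'
# Constructed sample log lines (not from any real server): normal browsing plus one client POSTing to an upload directory.
SAMPLE_LOG = [
    _line("203.0.113.5", "GET", "/index.php", "https://example.test/", "Mozilla/5.0"),
    _line("203.0.113.6", "GET", "/index.php?page=2", "https://example.test/", "Mozilla/5.0"),
    _line("203.0.113.8", "GET", "/index.php", "https://example.test/", "Mozilla/5.0"),
    _line("198.51.100.9", "POST", "/uploads/img.php", "-", "python-requests/2.31"),
    _line("198.51.100.9", "POST", "/uploads/img.php", "-", "python-requests/2.31"),
    _line("198.51.100.9", "POST", "/uploads/img.php", "-", "python-requests/2.31"),
]
```

On a real server, run `suspicious_uris` over a day of access logs and review each flagged path alongside the file's creation time and owner; a legitimate API endpoint can also be POST-only, so the output is a hunting lead, not a verdict.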

The strategies above can be utilized in diverse web server environments, including Exchange servers, SharePoint servers, IIS web servers, Apache web servers, Nginx web servers or LiteSpeed web servers. However, the specific tools and methods used may vary depending on the environment and the particular web server software in use. 

For example, techniques that are effective for detecting web shells on Apache web servers may not be as effective for detecting web shells on IIS web servers. It's important to have a good understanding of the environment in question and the types of web server software that are being used in order to select the most appropriate techniques for threat hunting.

Detecting web shells using any technique can be challenging, as they are usually designed to evade detection and hide their activity. Therefore, it's important to use a combination of techniques to detect and respond to web shell attacks on externally facing web server systems.

Stay tuned for Part 2 of the blog series where we will explore how network monitoring is used to detect and prevent web shells like China Chopper.

If you want to know more about CPX's approach to threat hunting and detection, get in touch with our experts at ContactUs@cpx.net.
