Time
8 hours 28 minutes
Difficulty
Beginner
CEU/CPE
10

Video Transcription

00:00
Hello and welcome to another Application of the MITRE ATT&CK Framework discussion. Today we're looking at Web Shell. So with that, let's go ahead and jump into our objectives.
00:12
So today's objectives are as follows. We're going to be describing what Web Shell is within the MITRE ATT&CK framework. We're going to look at some examples of how it has been used. We're gonna look at some mitigation techniques, and then we're going to discuss some detection techniques as well.
00:31
So within MITRE,
00:33
Web Shell is essentially a script that takes advantage of accessible Web servers. And so something that is either internal, that may be serving up Web content, which is sometimes the case with internal file systems, or like SharePoint servers or things of that nature. But that's changed a lot, and then
00:53
Typically, what I see
00:55
is you've got some type of device. In this case, it's a server,
01:00
and that's www there, and it sits out on the Internet somewhere, and then it connects back into some type of infrastructure. Whatever the case may be there, and so you probably have some type of firewall or something like that in place
01:18
that's helping to keep this safe and keep it DMZed.
01:21
But sometimes what we see
01:23
is these aren't always the most secure, and they kind of work outside of the firewall in some cases, depending on how your rule sets are set up or whatever the case may be. And so this allows a threat actor to use the system in a way or in ways that the administrator may not have intended, to either attack end users
01:42
and steal personal information, or to further compromise the organization's systems. Essentially, using
01:48
this device as a point to move laterally further into the network. Now, some types of Web shell tools: upon doing some research and looking through, these are just a few. So we've got ASPXSpy, which is a Web shell that takes advantage of .NET and ASP.
02:05
We've got reGeorg, which uses Python 2.7
02:09
and allows users to create a TCP circuit through valid HTTP requests.
02:15
We've got Antak, which is a Web shell written in ASP.NET, which utilizes PowerShell. So we've talked a lot about PowerShell and how powerful it is. It's in the name, folks: PowerShell. We looked at China Chopper here. So essentially, this is a simple backdoor with two key components: a Web shell that provides command and control functions
02:35
and a text-based Web shell
02:38
payload. So
02:39
these are just a small percentage of the tools that are out there. And what I see a lot of times, especially with like bug bounties or with Web attacks and things of that nature, most of the time threat actors are taking advantage of things like SQL injection, cross-site scripting, things of that nature.
03:00
But this particular
03:01
vector is one of many ways in which Web services, Web applications, externally facing Web devices are being taken advantage of.
03:14
Now let's go ahead and talk at a high level on some mitigation techniques. So we can ensure that least privilege is practiced on accounts. So we've talked about this time and time again,
03:24
but ensuring that users only have what is required to do their jobs and their tasks is important. And then when we look at external server accounts, they should not match internal accounts in the event of a compromise. And you're saying, "Well, OK, well, that's an interesting statement. How does that work?" I mean, so essentially what you're doing again
03:45
is we've got a Web server, right?
03:47
And that Web server has essentially an account that either you have locally or elsewhere. But the problem is, is that the way I'm looking at this is if you've got a domain account that allows internal access to, let's say, your workstation and things of that nature and you can use it on other systems,
04:06
then if this domain account on this is compromised or it's used and a threat actor gets into it,
04:12
they now have access to everything else. But if this account is local to the system
04:17
for management purposes, or whatever the case may be, and for some reason that account is compromised for some reason,
04:25
then really, that access is local, right? And so that kind of cuts everything off and keeps that threat actor, at least on that system for the time being, until they're able to maybe do something else or attempt to move laterally to some other vulnerability. But if you've done the proper segmentation and this device is DMZed
04:43
and the accounts are separate and things of that nature, then
04:46
you don't have to worry about it, but you know it's except for, of course, cleaning up the system. But when you use the same account across the organization, as well as for managing this system,
04:57
let's say it's an Office 365 account that's tied to it. OK, they may not be able to get any further here because we've got a DMZ,
05:04
but they can then just go and use that account to maybe log in to Office 365. And chances are, if you're administering a Web server and you're not practicing least privilege and kind of what's necessary to do your job function, chances are you're probably the person wearing the Office 365 hat as well, and so that could lead to a compromise of the tenant
05:24
if you're not separating out your administrative from your normal account.
05:29
And then, of course, ensure that server software is up to date. That's a really good point. As far as what I've seen with
05:35
especially external scanning, just in external scanning and things of that nature, a number of times we find that
05:43
the systems that are not up to date are compounded with issues because they're not running current versions of Apache per se,
05:50
and they're also not running current versions of PHP. And so it's very odd most of the time for me that I run into a new organization that's running its own systems externally,
06:02
and I'll find that Apache is not up to date, but PHP is good, right? I usually see both of those instances where there's a number of things that aren't updated, and that just makes the attack surface that much wider on that particular system. So keeping things up to date and doing least privilege is a great way
06:19
to reduce the threat surface here, the attack surface.
06:24
So as far as detection is concerned,
06:28
process monitoring may be used to detect Web servers that perform suspicious activity, such as running command prompt or accessing files that are not in the Web directories. And so threat actors will try to bypass the Web directory to get into other system directories and get to sensitive files and things of that nature. So those activities are taking place.
06:46
You could have a threat actor on your hands that is trying to get into something
06:50
and then log authentication attempts and look for unusual patterns
06:56
again, any time you start to see maybe a system's being hammered,
07:00
right, with login attempts, and it's trying maybe dictionary-style attacks or something like that. If you can't block every IP address, there may be some level of risk that you have to accept, but you can do your best there to prevent folks from pounding away at the server. But if somebody suddenly gets in
07:16
and then those attacks stop,
07:20
did they get in? Did they move on? Right. So you have to make sure that you're reviewing those things regularly, and as you're going through, like, a dictionary-type attack and reviewing it and you see, okay, they tried, they tried, they tried, they tried, they tried. And suddenly there's this last line and they fail
07:38
and it stops. And then you notice there's an account that would have come after that, if we're doing alphabetical order here, and it successfully logged in. Okay, you probably need to do some review, and you may have somebody on your system.
07:50
So let's go ahead and do a quick check on learning. True or false: Web shells allow threat actors to take advantage of Web servers to gain redundant access or persistence on the system.
08:05
All right, well, if you need additional time, please pause the video and take it now. So this particular statement makes sense, right? They can take advantage of Web servers
08:16
using Web shells, and you can gain redundant access. Persistence is essentially what both of these things mean, so it's either persistence or redundant access. However, you want to say it on the system. So in this case, this particular statement is a true statement.
08:33
Now let's go ahead and jump over to our summary. So in summary today, we described what a Web shell is.
08:39
We looked at some tools. We talked about some mitigation techniques, and we talked detection techniques. Again, there's no silver bullet in any of these areas. You'll probably start to notice some interplay between, like, Web Shell could also use PowerShell, and
08:56
some of the mitigation techniques here are mitigation techniques in privilege escalation areas, and some of the detection techniques are detection techniques elsewhere.
09:05
And so there's a lot of dovetailing between these different components, and you'll see a number of the APT groups and things of that nature between multiple vectors and things of that nature, but it's still beneficial to talk about, you know, a lot of these individually and bring up some unique cases with each. So with that, I want to thank you for your time today,
09:26
and I look forward to seeing you again
09:28
soon.

Up Next

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Robert Smith
Director of Security Services at Corsica
Instructor