Investigating A Web Shell Intrusion With Trend Micro™ Managed XDR
Resolution and recommendations
Web shells are still a common threat faced by web server owners that highlight the need to be vigilant in monitoring and ensuring that servers adhere to best practices in security management and server configurations. The following bullets enumerate how the Managed XDR team responded to the incident discussed in this blog:
Upon discovery of additional payloads from the threat, we promptly isolated the endpoint to contain the threat and prevent it from further affecting other hosts. These additional payloads were collected by the team and were investigated and relayed to the analysis team for proper detection. Additional server logs were collected remotely to investigate the activity related to the web shells.
From the result of investigations and communication with the customer, the source of web shell upload appears to originate from unrestricted upload files in the server. We recommended disabling the pages until proper file validation, restricting of file upload, and appropriate authorization is setup for the upload functionality.
During the investigation we also observed the host’s lack of proper security agent (Endpoint Protection Platform) installation; installing proper security agents can prevent and mitigate impact, as they will detect web shells upon arrival.
To better understand the incident, impact of the threat, and which action items are needed to be prioritized – an incident call was conducted with the customer. An Incident report containing the results of the incident analysis and recommendations was also created and shared with the customer to serve as a document reference.
To safeguard against similar threats, we recommend the following security measures to help organizations and enterprises effectively defend against web shell attacks:
- Validate and sanitize input. Make sure that all inputs on the web pages are validated and sanitized to prevent injection attacks.
- Implement authentication processes and restrict access. Implement strong authentication methods for any sensitive endpoints and restrict access to authorized users only.
- Patch your systems and applications. Review your server and web application for any known vulnerabilities. Ensure that the latest security patches are applied, especially to web frameworks or server software like IIS.
- Ensure security products are configured according to best practices. Make sure all security tools in place, such as endpoint detection, firewalls, and monitoring systems, are properly configured and updated according to vendor best practices to maintain robust defenses against threats.
Trend Vision One threat intelligence
To stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and be better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and respond effectively to threats.
Trend Vision One Intelligence Reports App [IOC Sweeping]
- Investigating A Web Shell Intrusion With Trend Micro™ Managed XDR blog IOCs
Trend Vision One Threat Insights App
Hunting queries
Trend Vision One Search App
Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.
Potential webshell command execution:
((processFilePath:w3wp.exe AND objectFilePath:(cmd.exe OR powershell.exe)) OR parentFilePath:w3wp.exe AND processFilePath:(cmd.exe OR powershell.exe)) AND eventSubId: 2 AND NOT objectFilePath:(conhost.exe)
More hunting queries are available for Vision One customers with Threat Insights Entitlement enabled.
Indicators of compromise
Indicators of Comrpomise (IoCs) can be found in this link.
Read More HERE
