Security News > 2020 > April > Intelligence Agencies Share Web Shell Detection Techniques
The United States National Security Agency and the Australian Signals Directorate have issued a joint Cybersecurity Information Sheet (CSI) that provides details on vulnerabilities exploited by threat actors to install web shell malware on web servers.
Software usually deployed on a victim's web server, web shells can be used for command execution, providing attackers with persistent access to a compromised environment.
To install web shells, adversaries typically target vulnerabilities in web applications or upload code to existing compromised systems.
Although Internet-facing servers are usually expected to be targeted for web shell installation, internal systems that are not Internet-facing are often targeted as well, as they are more vulnerable due to lagging patch management or permissive security requirements, the joint CSI from the US and Australian foreign spy agencies explains.
The advisory also provides security teams with scripts they can use to compare a website with a known-good image, Splunk queries for identifying anomalous URIs in web traffic, an Internet Information Services log analysis tool, signatures for the network traffic of common web shells, details on how to identify unexpected network flows and abnormal process invocations, a list of commonly exploited web application vulnerabilities, and HIPS rules for blocking changes to web-accessible directories.