Eliminate Web Shells (CM0106)

In Playbook

Details

  • ID: CM0106
  • Version: 1.0
  • Created: 14 March 2025
  • Modified: 14 March 2025
  • Type: Eliminate
  • Status: Active

Intended Outcome

Eliminating web shells removes malicious code from vulnerable web servers that enable initial access and persistence.

Introduction

A web shell is malicious code that is written to a vulnerable web server. Adversaries typically exploit server misconfigurations or software vulnerabilities to deploy web shells. Web shells provide adversaries with a foothold that enables them to execute commands, exfiltrate data, and upload additional files to expand access beyond the initial point of access.

Preparation

  • Verify that plans, procedures, and authorities are in place to enable rapid containment and eradication of adversary from the compromised server.
  • Take steps to prepare for the operational interruptions incurred by taking a web server offline.

Risks

  • Eliminating web shells may require down-time and thus disrupt the availability of the compromised web server.
  • Web shells are often used to achieve initial access and/or persistence. Additional tools, e.g. malware, are often deployed to enable the adversary to further compromise the environment. As such, additional countermeasures may be required to fully contain and eradicate the adversary from the compromised environment.

Guidance

Detecting Web Shells

The following detection logic should be considered components of a broader defense-in-depth strategy, not stand-alone solutions.
  • Compare files on web server with a known-good version. [Windiff](https://learn.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/how-to-use-windiff-utility) is a tool developed by Microsoft for file and directory comparison. Another option to consider is [dirChecker](https://github.com/nsacyber/Mitigating-Web-Shells/blob/master/dirChecker.ps1) by NSA Cyber.
  • Detect anomalous user agents, referrer headers, and IP Addresses in web server logs. This detection logic is likely to result in a high rate of false positives and should be continually monitored and refined.
  • Detect host-based artifacts for common web shells. Consider using a security scanning tool like [YARA](https://github.com/virustotal/yara/) and the [core web shell detection signatures](https://github.com/nsacyber/Mitigating-Web-Shells/blob/master/core.webshell_detection.yara)
  • Detect network-based artifacts for common web shells.
  • Detect unexpected network flows.

Eliminating Web Shells

  • Isolate the compromised web server to reduce the likelihood of lateral movement.
  • Preserve artifacts to enable further analysis.
    • Disk and memory artifacts.
    • Logs (operating system, web application, access, error, web application firewall, reverse proxy, content delivery network, DMZ firewall, and database logs).
  • Delete the web shell.
  • Change passwords for the web administrator, database user, hosting account, and remote access (FTP, SSH, etc.)
  • Investigate the underlying vulnerability/cause of the breach.
  • Restore from clean backup.
  • Having identified the underlying vulnerability / misconfiguration that led to the breach remediate by patching and hardening the web application and/or web server.

References

  • ID: CM0106
  • Version: 1.0
  • Created: 13 March 2025
  • Modified: 13 March 2025
  • Type: Eliminate