U/OO/134094-20 PP-20-0901 21 APRIL 2020
NSA & ASD: Detect and Prevent Web Shell Malware
typical for a web server, so web shell requests will appear anomalous. In addition, web shells routing attacker traffic will default to the web server’s user agent and IP address, which should be unusual in network traffic. Uniform Resource Identifiers (URIs) exclusively accessed by anomalous user agents are potentially web shells. Finally, some attackers neglect to disguise web shell request “referer [sic] headers” [1] as normal traffic. Consequently, requests with missing or unusual referer headers could indicate web shell presence. Centralized log-querying capabilities, such as Security Information and Event Management (SIEM) systems, provide a means to implement this analytic. If such a capability is not available, administrators may use scripting to parse web server logs to identify possible web shell URIs. Example Splunk® [2] queries (Appendix B), scripts for analyzing log data (Appendix C), and additional information about detecting web traffic anomalies are maintained at https://github.com/nsacyber/Mitigating-Web-Shells.
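As an added illustration of the log analytic described above (this is not one of the Appendix C scripts from the NSA repository), the following Python script parses combined-format web server log lines, treats a user agent seen from fewer than a configurable number of distinct client addresses as anomalous, and scores each URI on whether it is requested only by such agents and whether its requests carry no referer. The log lines, the threshold and the scoring are constructed for the example.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format: client, ident, user, time, request, status, size, referer, agent.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample: ordinary browsing of a small site, plus two POSTs to an odd URI
# from a scripting client that no other visitor uses.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Apr/2020:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; rv:75.0) Gecko/20100101 Firefox/75.0"
203.0.113.10 - - [21/Apr/2020:10:00:09 +0000] "GET /about.php HTTP/1.1" 200 2048 "https://www.example.test/index.php" "Mozilla/5.0 (Windows NT 10.0; rv:75.0) Gecko/20100101 Firefox/75.0"
203.0.113.11 - - [21/Apr/2020:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/81.0.4044.92 Safari/537.36"
203.0.113.11 - - [21/Apr/2020:10:01:12 +0000] "GET /products.php HTTP/1.1" 200 7300 "https://www.example.test/index.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/81.0.4044.92 Safari/537.36"
203.0.113.12 - - [21/Apr/2020:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; rv:75.0) Gecko/20100101 Firefox/75.0"
203.0.113.12 - - [21/Apr/2020:10:02:41 +0000] "GET /about.php HTTP/1.1" 200 2048 "https://www.example.test/index.php" "Mozilla/5.0 (Windows NT 10.0; rv:75.0) Gecko/20100101 Firefox/75.0"
203.0.113.13 - - [21/Apr/2020:10:03:05 +0000] "GET /products.php HTTP/1.1" 200 7300 "https://www.example.test/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/81.0.4044.92 Safari/537.36"
203.0.113.13 - - [21/Apr/2020:10:03:20 +0000] "GET /contact.php HTTP/1.1" 200 1800 "https://www.example.test/products.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/81.0.4044.92 Safari/537.36"
198.51.100.7 - - [21/Apr/2020:10:05:00 +0000] "POST /images/cache.php HTTP/1.1" 200 312 "-" "python-requests/2.23.0"
198.51.100.7 - - [21/Apr/2020:10:06:14 +0000] "POST /images/cache.php HTTP/1.1" 200 298 "-" "python-requests/2.23.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def find_suspicious_uris(records, min_clients=2):
    """Score each URI by two signals from the text: served only to anomalous user
    agents, and requested without a referer. An agent is treated as anomalous when
    fewer than `min_clients` distinct client addresses use it (a constructed threshold).
    Returns (uri, score, reasons) tuples, highest score first."""
    agent_clients = defaultdict(set)   # user agent -> client IPs that sent it
    uri_agents = defaultdict(set)      # URI -> user agents that requested it
    uri_referers = defaultdict(list)   # URI -> referer value of every request
    for r in records:
        agent_clients[r["agent"]].add(r["ip"])
        uri_agents[r["uri"]].add(r["agent"])
        uri_referers[r["uri"]].append(r["referer"])

    anomalous_agents = {a for a, ips in agent_clients.items() if len(ips) < min_clients}

    findings = []
    for uri, agents in uri_agents.items():
        reasons = []
        if agents <= anomalous_agents:            # every agent touching this URI is anomalous
            reasons.append("anomalous_user_agents_only")
        if all(ref in ("", "-") for ref in uri_referers[uri]):
            reasons.append("no_referer")
        if reasons:
            findings.append((uri, len(reasons), reasons))
    findings.sort(key=lambda f: (-f[1], f[0]))
    return findings


if __name__ == "__main__":
    for uri, score, reasons in find_suspicious_uris(parse_log(SAMPLE_LOG)):
        print(f"{score}  {uri}  {', '.join(reasons)}")
```

On a real log the referer check alone produces many benign hits (direct visits to a landing page, as /index.php shows here), which is why the two signals are combined into a score and the output is a ranked hunting list for an analyst rather than an alert.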
Signature-Based Detection
From the host perspective, signature-based detection is unreliable because web shells may be obfuscated and are easy to modify. However, some cyber actors use popular web shells (e.g., China Chopper, WSO, C99, B374K, R57) with minimal modification. In these cases, fingerprint or expression-based detection may be possible. A collection of Snort® [3] rules to detect common web shell files, scanning instructions, and additional information about signature-based detection are maintained at https://github.com/nsacyber/Mitigating-Web-Shells.
From the network perspective, signature-based detection of web shells is unreliable because web shell communications are frequently obfuscated or encrypted. Additionally, “hard-coded” values like variable names are easily modified to further evade detection. While unlikely to discover unknown web shells, signature-based network detection can help identify additional infections of a known web shell. Appendix D provides a collection of signatures to detect network communication from common, unmodified or slightly modified web shells sometimes deployed by attackers. This list is also maintained at https://github.com/nsacyber/Mitigating-Web-Shells.
Unexpected Network Flows
In some cases, attackers use web shells on systems other than web servers (e.g., workstations). These web shells operate on rogue web server applications and can evade file-based detection by running exclusively in memory (i.e., fileless execution). While functionally similar to a traditional Remote Access Tool (RAT), these types of web shells allow attackers to easily chain malicious traffic through a uniform platform. These types of web shells can be detected on well-managed networks because they listen and respond on previously unused ports. Additionally, if an attacker is using a perimeter web server to tunnel traffic into a network, connections would be made from a perimeter device to an internal node. If administrators know which nodes on their network are acting as web servers, then network analysis can reveal these types of unexpected flows. A variety of tools including vulnerability scanners (e.g., Nessus® [4]), intrusion detection systems (e.g., Snort®), and network security monitors (e.g., Zeek™ [5] [formerly “Bro”]) can reveal the presence of unauthorized web servers in a network. Maintaining a thorough and accurate depiction of expected network activity can enhance defenses against many types of attack. The Snort® rule in Appendix E and maintained at https://github.com/nsacyber/Mitigating-Web-Shells can be tailored for a specific network to identify unexpected network flows.
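As an added example (not from the NSA repository and not the Appendix E Snort rule), the following Python code applies the “know which nodes are web servers” principle above to Zeek-style connection records. It assumes an inventory of authorized web servers and their listening ports, a set of perimeter hosts, and the internal address ranges; a flow is flagged when an HTTP or TLS service answers on a host or port outside the inventory, or when a perimeter web server initiates a connection to an internal node. The inventory and the flows are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# One connection summary, in the spirit of a Zeek conn.log row (Zeek labels TLS as "ssl").
Flow = namedtuple("Flow", "src dst dport service")

# Assumed inventory: the only hosts that are supposed to serve web content, and on which ports.
AUTHORIZED_WEB = {"203.0.113.20": {80, 443}}
# Assumed perimeter (DMZ-facing) hosts and internal address space.
PERIMETER_HOSTS = {"203.0.113.20"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flows: two benign, two matching the patterns described in the text.
SAMPLE_FLOWS = [
    Flow("198.51.100.5", "203.0.113.20", 443, "ssl"),   # Internet client -> authorized web server
    Flow("10.0.5.14", "10.0.2.9", 445, "smb"),          # internal file share, not a web service
    Flow("10.0.5.14", "10.0.7.31", 8088, "http"),       # a workstation answering HTTP on an unused port
    Flow("203.0.113.20", "10.0.2.9", 3389, "rdp"),      # perimeter web server connecting inward
    Flow("10.0.7.31", "203.0.113.20", 80, "http"),      # internal client -> authorized web server
]


def is_internal(ip, nets=INTERNAL_NETS):
    """True when `ip` falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def find_unexpected_flows(flows, authorized_web=AUTHORIZED_WEB, perimeter=PERIMETER_HOSTS,
                          nets=INTERNAL_NETS):
    """Return (reason, flow) pairs for flows that contradict the expected picture:
    - a web service answering somewhere the inventory does not list (rogue web server), or
    - a perimeter web server opening a connection to an internal node (tunnelling)."""
    findings = []
    for f in flows:
        if f.service in ("http", "ssl") and f.dport not in authorized_web.get(f.dst, set()):
            findings.append(("unauthorized_web_listener", f))
        if f.src in perimeter and is_internal(f.dst, nets):
            findings.append(("perimeter_to_internal", f))
    return findings


if __name__ == "__main__":
    for reason, f in find_unexpected_flows(SAMPLE_FLOWS):
        print(f"{reason:26} {f.src} -> {f.dst}:{f.dport} ({f.service})")
```

The second check deliberately ignores the service: a perimeter web server has no business opening connections inward on any protocol, so any such flow is worth a look, while the first check only fires for web protocols because that is what a rogue web server exposes.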
Endpoint Detection and Response (EDR) Capabilities
Some EDR and enhanced host logging solutions may be able to detect web shells based on system call or process lineage abnormalities. These security products monitor each process on the endpoint including invoked system calls. Web shells usually cause the web server process to exhibit unusual behavior. For instance, it is uncommon for most benign web servers to launch the ipconfig utility, but this is a common reconnaissance technique enabled by web shells. EDRs have different automated capabilities and querying interfaces, so organizations are encouraged to review documentation or discuss web shell detection with the vendor. Appendix F illustrates how Sysmon’s enhanced process logging data can
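As an added example (not the Appendix F material), the following Python code walks Sysmon process-creation (Event ID 1) records through their ParentProcessGuid links and reports every process that descends from a web server worker, so that the ipconfig case above is caught even when the web server spawned a command interpreter first. The field names mirror Sysmon’s, but the events, GUIDs and the list of web server image names are constructed for the example.

```python
import ntpath

# Assumed set of web server worker images; extend it for the platforms in your environment.
WEB_SERVER_IMAGES = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "tomcat9.exe"}

# Constructed Sysmon Event ID 1 records, reduced to the fields used here.
# G1 is an IIS worker; G2/G3 are a shell and ipconfig started under it;
# G4/G5 are an interactive user running the same tool, which is benign.
EVENTS = [
    {"ProcessGuid": "{G1}", "ParentProcessGuid": "{G0}",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r"c:\windows\system32\inetsrv\w3wp.exe -ap DefaultAppPool"},
    {"ProcessGuid": "{G2}", "ParentProcessGuid": "{G1}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "ipconfig /all"'},
    {"ProcessGuid": "{G3}", "ParentProcessGuid": "{G2}",
     "Image": r"C:\Windows\System32\ipconfig.exe",
     "CommandLine": "ipconfig /all"},
    {"ProcessGuid": "{G4}", "ParentProcessGuid": "{G0}",
     "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessGuid": "{G5}", "ParentProcessGuid": "{G4}",
     "Image": r"C:\Windows\System32\ipconfig.exe",
     "CommandLine": "ipconfig /all"},
]


def image_name(path):
    """Lower-cased file name of a Windows image path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def build_index(events):
    """Map ProcessGuid -> event so parents can be looked up in O(1)."""
    return {e["ProcessGuid"]: e for e in events}


def lineage(event, index, max_depth=32):
    """Image names from the oldest known ancestor down to `event` itself.
    Stops at a parent that was never logged, at a cycle, or at max_depth."""
    chain, seen, cur = [], set(), event
    while cur is not None and cur["ProcessGuid"] not in seen and len(chain) < max_depth:
        seen.add(cur["ProcessGuid"])
        chain.append(image_name(cur["Image"]))
        cur = index.get(cur.get("ParentProcessGuid"))
    chain.reverse()
    return chain


def find_web_server_descendants(events, web_images=WEB_SERVER_IMAGES):
    """Return (image, lineage, command line) for every process with a web server
    worker anywhere in its ancestry. The worker itself is not reported."""
    index = build_index(events)
    findings = []
    for e in events:
        chain = lineage(e, index)
        if chain[-1] in web_images:
            continue
        if any(ancestor in web_images for ancestor in chain[:-1]):
            findings.append((chain[-1], chain, e.get("CommandLine", "")))
    return findings


if __name__ == "__main__":
    for image, chain, cmd in find_web_server_descendants(EVENTS):
        print(f"{image:14} {' -> '.join(chain)}   [{cmd}]")
```

Walking the full chain rather than checking only the direct parent matters because a web shell commonly runs its commands through cmd.exe or a scripting host, so the reconnaissance tool is a grandchild of the worker, not a child; the same lineage is what an EDR’s process-tree query would show.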

[1] “Referer” is an HTTP header specified in Internet Engineering Task Force RFC 7231
[2] Splunk is a registered trademark of Splunk, Inc.
[3] Snort is a registered trademark of Cisco Technologies, Inc.
[4] Nessus is a registered trademark of Tenable Network Security, Inc.
[5] Zeek is a trademark of the Zeek Project