Hunting Web Shells Part 2
Lab 5
© 2017 Caendra Inc. | Threat Hunting v1 | Hunting Web Shells Part 2 1
SCENARIO
Your manager, Tony, wants to ensure that you can even catch web shells that might not be
detected by the tools used previously, such as LOKI which can only detect PHP-based web
shells. Tony knows this and has scheduled you for a hunting exercise to locate 1 or more ASP
and/or ASPX-based shells on an IIS server.
GOALS
You will need to use other techniques mentioned in the module to detect the web shell(s).
WHAT YOU WILL LEARN
The objective of this lab is to use different techniques to find hidden web shells.
RECOMMENDED TOOLS
• LOKI IOC Scanner
• Powershell
• Log Parser Studio
NETWORK CONFIGURATION
Organization: FooCompany
• Web Server:
o IP: 172.16.151.150
o RDP Credentials: ELS\elsstudent:Guest#2014#
TASKS
TASK 1. RUN LOKI IOC SCANNER TO FIND ANY WEB SHELL(S).
Run LOKI, located in hunting\tools directory, against c:\inetpub\wwwroot\test to locate
any suspicious files.
TASK 2. USE POWERSHELL TO DETECT ANY FILE CHANGES USING FILE STACKING ANALYSIS TECHNIQUES.
• Use the Get-FullPathFileStacking.ps1 file, in the hunting\scripts directory, to find any out-of-the-ordinary folders and/or files residing in abnormal locations within the test directory. The folder you should check is c:\inetpub\wwwroot\.
• Use the Get-TimeDiffFileStacking.ps1 file, in the hunting\scripts directory, to find any new files added to the test directory. The folder you should check is c:\inetpub\wwwroot\test and the date/time to check against is “7/12/2017 9:00am”.
TASK 3. USE POWERSHELL TO DETECT ANY FILE CHANGES USING BASELINE APPROACH.
Create an MD5 hash list of all the files residing in c:\inetpub\wwwroot\test and compare it to the baseline file using the Compare-FileHashesList.ps1 PowerShell script in the hunting\scripts directory. The baseline file, Baseline-Test.csv, is located in c:\inetpub.
TASK 4. USE LOG PARSER STUDIO TO PERFORM STATISTICAL WEB LOG ANALYSIS.
Use Log Parser Studio to detect any visits to the newly created file(s) within the test
directory, c:\inetpub\wwwroot\test.
• Can you detect what parameter is visible within the log to alert us of an action taken?
• Note: You need to use the W3SVC2 logs.
TASK 5. LOCATE THE SUSPICIOUS FILES IN THE 2ND WEB DIRECTORY.
Using any of the previous tools and/or techniques attempt to locate the hidden web shell we
just located within c:\inetpub\wwwroot\test (system_web.aspx) and/or any other shells
within the 2nd web directory, c:\inetpub\wwwroot\cms.
Note: The CMS folder has 1,766 files.
Note: If you’re using the Get-TimeDiffFileStacking.ps1 PowerShell script, use the following
date/time as the 2nd parameter: “4/5/2016 11:33am”.
If you’re going to use Log Parser Studio, you need to use the W3SVC3 logs.
SOLUTIONS
TASK 1. RUN LOKI IOC SCANNER TO FIND ANY WEB SHELL(S).
1. Open CMD and navigate to the loki_0.22.0 directory in the hunting folder, under tools, residing on the C:\ drive.
2. Run loki.exe and scan the test directory within inetpub\wwwroot.
C:\hunting\tools\loki_0.22.0>loki.exe -p c:\inetpub\wwwroot\test
The tool should report that the system appears to be clean.
TASK 2. USE POWERSHELL TO DETECT ANY FILE CHANGES USING FILE STACKING ANALYSIS TECHNIQUES.
Let’s perform some file stacking analysis to see if the scripts can aid us in our hunt for hidden shells. Open PowerShell from the shortcut on the taskbar.
3. Within PowerShell navigate to c:\hunting\scripts and run Get-FullPathFileStacking.ps1 against c:\inetpub\wwwroot\test.
PS C:\hunting\scripts> .\Get-FullPathFileStacking.ps1 c:\inetpub\wwwroot\test
4. We are presented with a grid view of the output. Can we locate the suspicious file simply
based on this output?
This is a small number of files, 144. Imagine if we had folder structures with thousands
of files. We can sift through this manually or with a script. Let’s try file stacking based on
creation date/times.
5. Since we’re already in the hunting\scripts directory, run Get-TimeDiffFileStacking.ps1 and pass the path we want to check along with the date/time to check against.
PS C:\hunting\scripts> .\Get-TimeDiffFileStacking.ps1 c:\inetpub\wwwroot\test "7/12/2017 9:00am"
Below is our output:
This output shows every file in the directory tree created after 7/12/2017 9:00am. The only such file is system_web.aspx.
TASK 3. USE POWERSHELL TO DETECT ANY FILE CHANGES USING BASELINE APPROACH.
Let’s try to find the same file but this time using a baseline to aid us in our hunt.
6. We need to get a current listing of the MD5 hashes for c:\inetpub\wwwroot\test. This
can be accomplished using the following cmdlets: Get-ChildItem, Get-FileHash, and
Export-CSV.
PS C:\hunting\scripts> Get-ChildItem -Path c:\inetpub\wwwroot\test -File -Recurse | Get-FileHash -Algorithm MD5 | Export-Csv c:\inetpub\MD5-Test.csv
7. We need to check if the file was successfully created.
PS C:\hunting\scripts> Get-ChildItem -Path c:\inetpub\MD5-Test.csv
8. Run Compare-FileHashesList.ps1 and use the baseline file to compare it with the file we
just created.
PS C:\hunting\scripts> .\Compare-FileHashesList.ps1 -ReferenceFile C:\inetpub\Baseline-Test.csv -DifferenceFile C:\inetpub\MD5-Test.csv
Below is the output:
PS C:\hunting\scripts> .\Compare-FileHashesList.ps1 -ReferenceFile C:\inetpub\Baseline-Test.csv -DifferenceFile C:\inetpub\MD5-Test.csv | Format-Table -AutoSize
PS C:\hunting\scripts> .\Compare-FileHashesList.ps1 -ReferenceFile C:\inetpub\Baseline-Test.csv -DifferenceFile C:\inetpub\MD5-Test.csv -SummaryOnly
Maintaining baselines throughout your enterprise is a great process to have, but unfortunately it is rarely implemented. With this approach we can quickly find our anomalous file and, from this point, use other methods to get more information about it.
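The two PowerShell techniques used in Tasks 2 and 3, creation-time file stacking and an MD5 baseline diff, as an added example written for this lab write-up. It is not the lab's own Get-TimeDiffFileStacking.ps1 or Compare-FileHashesList.ps1; it assumes the baseline CSV carries the columns that Get-FileHash | Export-Csv writes (Algorithm, Hash, Path), and the paths are the lab's.

```powershell
# Added example, not the lab's own scripts: creation-time file stacking (Task 2)
# and an MD5 baseline diff (Task 3). Assumes the baseline CSV has the columns
# that Get-FileHash | Export-Csv writes (Algorithm, Hash, Path).
function Get-NewFiles {
    param([string]$Root, [datetime]$Since)
    # Files created after the known-good date; a web shell dropped later shows up here.
    Get-ChildItem -Path $Root -File -Recurse |
        Where-Object { $_.CreationTime -gt $Since } |
        Select-Object FullName, CreationTime, LastWriteTime, Length
}

function New-HashList {
    param([string]$Root, [string]$OutFile)
    Get-ChildItem -Path $Root -File -Recurse |
        Get-FileHash -Algorithm MD5 |
        Export-Csv -Path $OutFile -NoTypeInformation
}

function Compare-HashList {
    param([string]$ReferenceFile, [string]$DifferenceFile, [switch]$SummaryOnly)
    # Index both lists by path so Modified can be told apart from Added/Removed.
    $ref = @{}; Import-Csv $ReferenceFile  | ForEach-Object { $ref[$_.Path] = $_.Hash }
    $cur = @{}; Import-Csv $DifferenceFile | ForEach-Object { $cur[$_.Path] = $_.Hash }
    $paths = (@($ref.Keys) + @($cur.Keys)) | Sort-Object -Unique
    $findings = foreach ($p in $paths) {
        if     (-not $ref.ContainsKey($p)) { $status = 'Added'    }  # new on disk: shell candidate
        elseif (-not $cur.ContainsKey($p)) { $status = 'Removed'  }
        elseif ($ref[$p] -ne $cur[$p])     { $status = 'Modified' }  # existing page altered?
        else                               { continue }
        [pscustomobject]@{ Status = $status; Path = $p
                           BaselineHash = $ref[$p]; CurrentHash = $cur[$p] }
    }
    if ($SummaryOnly) { $findings | Group-Object Status | Select-Object Name, Count }
    else              { $findings }
}

# Usage mirroring Tasks 2 and 3 (paths and date from the lab):
Get-NewFiles -Root 'C:\inetpub\wwwroot\test' -Since '7/12/2017 9:00am' | Format-Table -AutoSize
New-HashList -Root 'C:\inetpub\wwwroot\test' -OutFile 'C:\inetpub\MD5-Test.csv'
Compare-HashList -ReferenceFile 'C:\inetpub\Baseline-Test.csv' `
                 -DifferenceFile 'C:\inetpub\MD5-Test.csv' | Format-Table -AutoSize
```

An entry with Status Added is the same signal the lab's script surfaces for system_web.aspx; Modified entries catch the case where an attacker backdoors an existing page instead of dropping a new one.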
TASK 4. USE LOG PARSER STUDIO TO PERFORM STATISTICAL WEB LOG ANALYSIS.
Now we can manually inspect this file to view its contents but what is more important is to
check if this file has been accessed at all. We can check this with Log Parser Studio.
9. Navigate via Windows Explorer to hunting\tools\LPSV2.D2\LPSV2.D1 and open LPS.
Select IIS: Top 20 URIs from the Library by double clicking it and execute the query via
the exclamation point at the top left.
Below is the output:
This confirms that the file was accessed 2 times. Note, you can always adjust the query to
add minimum time or other fields by adding MIN(time-taken) AS MinTime. How can we
detect what parameter is visible within the log to alert us of an action taken? We can alter
the current query and add the cs-uri-query field to the query.
10. Copy the query.
Select Top 20 cs-uri-stem, count(*) as Total, MAX(time-taken) as MaxTime, AVG(time-taken) as AvgTime
From '[LOGFILEPATH]'
Group By cs-uri-stem
Order by Total DESC
11. Select Create New Query at the top left.
12. Paste the query and add the cs-uri-query field.
13. Before we can execute our custom query, we need to make some adjustments:
a. Add our new field to the Group by clause.
b. Select the log type, which will be IISW3CLOG. After doing so, execute the
query.
Below is the output:
So, we know that this file, which is foreign to the original file structure, performed an upload operation. Note, you don’t need to look for the uploaded file, because it is not within the folder structure.
Let’s see if we get anything by querying the logs to get total page hits with HTTP 200 by
extension.
14. Select Create New Query at the top left.
15. Enter the query below:
Select cs-uri-stem, TO_UPPERCASE(EXTRACT_EXTENSION(cs-uri-stem)) as Extension, Count(*) as [Total Hits]
From '[LOGFILEPATH]'
Where Extension like '%asp%' and sc-status=200
Group by cs-uri-stem, Extension
Order by [Total Hits] Desc
No results were returned. Maybe this query will produce fruitful results in the next task.
TASK 5. LOCATE THE SUSPICIOUS FILES IN THE 2ND WEB DIRECTORY.
For the last task, there are diverse ways to accomplish the goal. If you completed the lab using the tools and techniques covered in task 1 to task 4, that is fine. Ideally you would create an IOC and scan the host or network to see if you get any hits. Once you find a malicious artifact, you are on the hunt to see what other systems are affected by that malicious file, and an IOC will aid you on that hunt.
1. Let’s inspect the file to see what we can use as indicators. We’re looking for unique
strings that can be used to identify this file in other locations.
2. Now we can create a YARA file with these indicators in the signature-base\yara
directory within LOKI but first let’s get the MD5 hash using PowerShell so we can
add this to our YARA file.
PS C:\Users\Administrator\Desktop\aspnet_client\4_0_33333> Get-FileHash .\system_web.aspx -Algorithm MD5
3. Next let’s create the YARA file and name it system_web.yar.
rule system_web {
    meta:
        description = "system_web.aspx"
        author = "ELS Threat Hunter"
        date = "2017/07/16"
        score = 70
        hash = "70B920B8C288995AC58D62D65C5601A8"
    strings:
        $s1 = "elsfoo"
        $s2 = "private string UploadFile ()"
        $s3 = "File uploaded"
        $s4 = "Created by Mark Woan"
    condition:
        2 of them
}
In the above YARA file the condition “2 of them” states that if LOKI matches any 2 of the 4 strings, it should flag the file.
4. Run LOKI against the current location of the malicious file we already found to test
our newly added YARA signature.
The IOC is working as expected. Now we can run LOKI against the CMS directory to see if
we get any hits.
5. Run LOKI against c:\inetpub\wwwroot\cms to locate system_web.aspx.
We got a hit on all 4 strings in our YARA file. The system_web.aspx file is present in the CMS directory, but under the name minion.aspx, within the \cms\CMSCore\SiteContent\Mock directory.
We got 2 hits on a file called sqlfoo.aspx. LOKI found matches for 2 of the 4 strings.
Lastly LOKI finds a web shell named shelly.asp, not aspx, with a score of 140. This match is
not based on our YARA rule but another rule, webshell_ASP_cmd. All these files were
located in the same directory, which would make sense since minion.aspx was the interface
which was used to upload these files onto the server.
6. Let’s see if we would have obtained the same results using the techniques from
task 1 – task 4.
a. First, we’ll look at LOKI (our custom YARA file is not part of this scan).
This alert would lead us to the folder where the other suspicious files are located but LOKI
itself will not alert us of the other files.
b. Let’s look at file stacking using creation times.
PS C:\hunting\scripts> .\Get-TimeDiffFileStacking.ps1 C:\inetpub\wwwroot\cms "4/5/2016 11:33am"
This definitely helped in identifying all 3 files, simply based on creation times, but doesn’t
quickly alert us that they’re suspicious. Immediately from this output we don’t know that
minion.aspx is system_web.aspx. We would have to investigate further.
c. Next, we’ll use the baseline to attempt to find these files.
PS C:\hunting\scripts> .\Compare-FileHashesList.ps1 -ReferenceFile C:\inetpub\Baseline-CMS.csv -DifferenceFile C:\inetpub\MD5-CMS.csv | Format-Table -AutoSize
d. Lastly, we’ll use Log Parser to glance at IIS logs for this directory.
i. For this to work properly you had to add the CMS log folder.
Before:
After:
Below is the query/output #1:
Select Top 20 cs-uri-stem, cs-uri-query, count(*) as Total, MAX(time-taken) as MaxTime, AVG(time-taken) as AvgTime
From '[LOGFILEPATH]'
Group By cs-uri-stem, cs-uri-query
Order by Total DESC
The execution time for shelly.asp should raise a flag: compared to the other web pages it is significantly higher. This is due to the potentially complex queries and requests issued through web shells. We can see from the cs-uri-query column that the web shell was used to ping 2 internal hosts in the network, 172.17.5.1 and 172.17.5.100.
Below is the query/output #2:
Select cs-uri-stem, TO_UPPERCASE(EXTRACT_EXTENSION(cs-uri-stem)) as Extension, Count(*) as [Total Hits]
From '[LOGFILEPATH]'
Where Extension like '%asp%' and sc-status=200
Group by cs-uri-stem, Extension
Order by [Total Hits] Desc
Using Log Parser Studio to conduct statistical web log analysis would have aided us in this task as well, but as you can see, 1 file is not visible in the logs, possibly because it hasn’t been accessed yet. The high usage of the shelly.asp file, however, is clearly visible with these techniques.
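The two Log Parser Studio queries used in Task 4 and Task 5 (hits per URI with max/avg time-taken and the query string, and successful hits on ASP/ASPX pages by extension), re-implemented in PowerShell over a raw IIS W3C log as an added example. This is not part of the lab or of Log Parser Studio; the log lines are constructed for the example (URIs and ping targets are the lab's, timestamps, client IP and time-taken values are invented).

```powershell
# Added example, not part of the lab or of Log Parser Studio: the two LPS
# queries from Tasks 4 and 5 re-implemented in PowerShell over an IIS W3C log.
# The log lines are constructed for this example; the URIs and ping targets
# come from the lab, the timestamps, client IP and time-taken values are invented.
$SampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status time-taken
2017-07-12 09:15:02 172.16.151.150 GET /test/default.aspx - 80 10.0.0.5 200 15
2017-07-12 09:16:10 172.16.151.150 GET /test/system_web.aspx - 80 10.0.0.5 200 31
2017-07-12 09:16:44 172.16.151.150 POST /test/system_web.aspx action=upload 80 10.0.0.5 200 248
2016-04-05 11:40:03 172.16.151.150 GET /cms/CMSCore/SiteContent/Mock/shelly.asp cmd=ping+172.17.5.1 80 10.0.0.5 200 4120
2016-04-05 11:41:09 172.16.151.150 GET /cms/CMSCore/SiteContent/Mock/shelly.asp cmd=ping+172.17.5.100 80 10.0.0.5 200 4098
'@

function Import-W3CLog {
    param([string[]]$Lines)
    # Column names come from the #Fields: directive, so the parser follows the server's own log format.
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*') -split '\s+'; continue }
        if ($line.StartsWith('#') -or -not $line.Trim()) { continue }
        $values = $line -split '\s+'
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $v = $values[$i]
            if ($fields[$i] -in 'sc-status', 'time-taken') { $v = [int]$v }   # numeric columns
            $row[$fields[$i]] = $v
        }
        [pscustomobject]$row
    }
}

$log = Import-W3CLog -Lines ($SampleLog -split "`r?`n")

# Query 1 (Task 5, output #1): hits per stem + query string with max/avg time-taken.
# A long-running request plus a command in cs-uri-query is the tell for shelly.asp.
$log | Group-Object cs-uri-stem, cs-uri-query | ForEach-Object {
    $t = $_.Group | Measure-Object -Property time-taken -Maximum -Average
    [pscustomobject]@{ Stem = $_.Group[0].'cs-uri-stem'; Query = $_.Group[0].'cs-uri-query'
                       Total = $_.Count; MaxTime = $t.Maximum; AvgTime = [math]::Round($t.Average) }
} | Sort-Object Total -Descending | Format-Table -AutoSize

# Query 2 (Tasks 4 and 5, output #2): successful hits on ASP/ASPX pages by stem and extension.
$log | Where-Object { $_.'sc-status' -eq 200 -and $_.'cs-uri-stem' -match '\.aspx?$' } |
    Group-Object cs-uri-stem | Select-Object @{n='Stem'; e={$_.Name}},
        @{n='Extension'; e={[IO.Path]::GetExtension($_.Name).TrimStart('.').ToUpper()}},
        @{n='Total Hits'; e={$_.Count}} | Sort-Object 'Total Hits' -Descending
```

Point Import-W3CLog at Get-Content of the real W3SVC2 or W3SVC3 log files to run the same two views against the lab's data.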
KEY TAKEAWAYS
1. Remember that LOKI is signature-based detection: not ideal for catching unknown malicious files, but it works well when good signatures are in place.
2. When we have an artifact we can build an IOC from, that should be the immediate route to identifying other areas where the malicious file may be lurking.
3. Logs are our friend, especially when we have good queries to pull the data we need.
4. Don’t underestimate PowerShell. It assisted us in creating a baseline of MD5 hashes as well as with file stacking analysis; PowerShell is a valuable tool in your hunting toolkit.
5. If you attempted to check for a running w3wp.exe process, the script would not have produced any results: to be effective, it needs to be running at the moment the web shell is used to execute a command, such as IPCONFIG.
ADDITIONAL RESOURCES
1. https://github.com/tennc/webshell/blob/master/aspx/asp.net-backdoors/fileupload.aspx
2. https://github.com/tennc/webshell/blob/master/aspx/asp.net-backdoors/sql.aspx
3. https://gist.github.com/saveeoo/a8af827510df085f7f1c83208a898098
4. Hunting tool to aid you in catching newly spawned processes and displays parent
process via console:
a. http://udurrani.com/0fff/tl.html (plus other tools)