Investigating A Web Shell Intrusion With Managed XDR

Jan. 15, 2025, 2:18 p.m.

Description

This analysis details a web shell intrusion in which attackers exploited an IIS worker and went on to exfiltrate data. The attacker uploaded a web shell, created a new account for persistence, changed an existing user's password, and used encoded PowerShell commands to establish a reverse TCP shell for command and control. Endpoint sensors detected the activity and triggered an investigation, which found multiple payloads staged in C:\Users\Public. The attacker ran discovery commands, archived the web server's working directory, and exfiltrated the data via GET requests. Additional tooling, including AnyDesk, was installed for remote access. The analysis covers the technical details of the web shells and gives recommendations for preventing similar attacks.

Date

  • Created: Jan. 15, 2025, 8:53 a.m.
  • Published: Jan. 15, 2025, 8:53 a.m.
  • Modified: Jan. 15, 2025, 2:18 p.m.

Attack Patterns

  • T1078.001
  • T1078.002
  • T1505.003
  • T1021.001
  • T1059.001
  • T1087
  • T1071.001
  • T1070.004
  • T1005
  • T1082
  • T1057
  • T1105
  • T1083
  • T1036
  • T1560