Webshell series (5): Analysis of the webshell's "visibility" capability
1. Typical webshell attack sequence diagram
The sequence diagram for this post shows a typical webshell attack: the attacker exploits a web vulnerability to gain access to the web application, uploads a small uploader shell (the "pony"), uses it to install a full-featured webshell (the "Trojan"), connects to that webshell remotely, and executes commands to steal data or pursue other malicious goals.
2. Analyzing the "visibility" capability of each stage from the kill chain
From the kill-chain perspective, the first two stages, Reconnaissance and Weaponization, are hard to observe with the target system's own traffic collection, because they happen outside the target. (Combined with threat intelligence, these two stages can be observed over a wider range.) Traffic-based payload analysis applies to Delivery, Exploitation, Installation, Command & Control (C2) and Actions on Objectives.
An RSA analysis document gives a convenient description of this visibility capability, comparing the traffic-based analysis method with traditional IDS / IPS / SIEM.
3. From the perspective of protection capabilities
Security protection capabilities are classified into the following levels (the kill chain's "courses of action"):
Detect: Can you see/find it? (Can the attack be detected?)
Deny: Can you stop it from happening? (Can the attack be prevented?)
Disrupt: Can you stop it while it's happening? (Can an ongoing attack be blocked?)
Degrade: Can you make it not worth it? (Can the attacker be made to feel the attack is not worthwhile and scale it down?)
Deceive: Can you trick them [the adversary]? (Can the attack be tricked or redirected?)
Destroy: Can you blow it up? (Can the attacker's capability be destroyed?)
Summary of web security protection capabilities:

Phase     | Web-related protection measures
Detect    | Webshell analysis engine, NIDS
Deny      | WAF, cloud protection
Disrupt   | WAF
Degrade   | Active defense / traffic redirection
Deceive   | Honeypot
Destroy   | Counter-action against the attacker
4. Three methods of webshell detection
From the perspective of protection capabilities, detection comes first. Webshell detection mainly uses the following methods:
(1) Traffic-based webshell detection engine
Easy to deploy: it analyzes the original request and response data from a traffic mirror, without touching the web servers.
Payload-based behavior analysis detects not only known webshells but also unknown webshells and pseudo-webshells.
It performs association analysis on webshell access features (IP / User-Agent / Cookie), payload features, path features and time features, and uses time as the index to reconstruct the attack event.
(2) File-based webshell analysis engine
Checks whether the file contains webshell features, such as the commonly used dangerous functions.
Checks whether encryption or obfuscation is used, which by itself is a strong indicator of a webshell.
File hash detection: builds a hash library of webshell samples and compares suspicious files against it.
Checks the file's creation time, modification time and permissions to judge whether it was dropped by an attacker.
Sandbox technology: the file is executed in a sandbox for the dynamic language and judged by its runtime behavior.
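As an added example (not the post's own code) of the first four file-based checks, the scanner below runs over a constructed in-memory file tree: it matches dangerous functions fed by request input, looks for decoder functions and long high-entropy base64 literals, compares the SHA-256 of each file against a sample hash library, and flags a PHP file whose modification time is far newer than its neighbours in the same directory. The file contents, timestamps, thresholds and the one-entry hash library are all assumptions for illustration; the sandbox check is left out because it needs a real PHP runtime.

```python
import base64
import hashlib
import math
import os
import re
from collections import Counter, defaultdict
from statistics import median

# Feature 1: code/command execution functions, and request input that could feed them.
DANGEROUS_CALLS = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|create_function)\s*\(")
INPUT_SOURCES = re.compile(r"\$_(POST|GET|REQUEST|COOKIE|SERVER)\b|php://input")
# Feature 2: obfuscation, i.e. decoder functions and long base64 literals.
DECODERS = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(")
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")

# Feature 3: sample hash library (sha256 -> label). Constructed from one sample here;
# in practice it is loaded from a curated collection.
ONE_LINER = "<?php @eval($_POST['cmd']); ?>"
KNOWN_SHELL_SHA256 = {hashlib.sha256(ONE_LINER.encode()).hexdigest(): "php one-line eval shell"}

# Constructed in-memory file tree: path -> (content, mtime as epoch seconds). Not a real host.
OLD, NEW = 1_500_000_000, 1_551_434_400
HIDDEN = base64.b64encode(b"echo shell_exec($_GET['c']); // hidden cmd").decode()
FILES = {
    "/var/www/html/index.php": ('<?php echo "hello"; ?>', OLD),
    "/var/www/html/uploads/avatar_1.jpg": ("JPEGDATA", OLD),
    "/var/www/html/uploads/avatar_2.jpg": ("JPEGDATA", OLD + 3600),
    "/var/www/html/uploads/img.php": (ONE_LINER, NEW),
    "/var/www/html/uploads/cache.php":
        ("<?php $c = base64_decode('" + HIDDEN + "'); eval($c); ?>", NEW + 60),
}


def shannon_entropy(text):
    """Bits per character; encoded or packed code sits well above readable PHP."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_file(path, content, mtime, sibling_mtimes):
    reasons = []
    digest = hashlib.sha256(content.encode()).hexdigest()
    if digest in KNOWN_SHELL_SHA256:
        reasons.append("hash matches library: " + KNOWN_SHELL_SHA256[digest])
    if DANGEROUS_CALLS.search(content) and INPUT_SOURCES.search(content):
        reasons.append("dangerous call fed by request input")
    if DECODERS.search(content):
        reasons.append("decoder function present")
    for literal in B64_LITERAL.findall(content):
        reasons.append("long base64 literal (entropy %.2f)" % shannon_entropy(literal))
    # A directory whose files are all old suddenly gaining a new PHP file is a classic drop.
    if sibling_mtimes and mtime - median(sibling_mtimes) > 30 * 86400:
        reasons.append("modified long after neighbouring files")
    # Thresholds are assumptions: a library hit is conclusive, otherwise two features are needed.
    if digest in KNOWN_SHELL_SHA256 or len(reasons) >= 2:
        verdict = "webshell"
    else:
        verdict = "suspicious" if reasons else "clean"
    return {"path": path, "sha256": digest, "reasons": reasons, "verdict": verdict}


def scan_tree(files):
    """Scan every PHP file, using the other files in its directory as the timestamp baseline."""
    by_dir = defaultdict(list)
    for path, (_, mtime) in files.items():
        by_dir[os.path.dirname(path)].append((path, mtime))
    results = []
    for path, (content, mtime) in files.items():
        if not path.endswith((".php", ".phtml")):
            continue
        siblings = [m for p, m in by_dir[os.path.dirname(path)] if p != path]
        results.append(scan_file(path, content, mtime, siblings))
    return results


if __name__ == "__main__":
    for r in scan_tree(FILES):
        print(r["verdict"].ljust(10), r["path"], r["reasons"])
```

The `cache.php` case shows why the obfuscation check matters: its `$_GET` reference is hidden inside the base64 literal, so the "dangerous call fed by request input" feature does not fire, and it is the decoder, the literal and the timestamp that convict it.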
(3) Log-based webshell analysis engine
Supports the common web server log formats.
Models the site's normal access behavior, so that webshell uploads and other anomalous behavior can be identified effectively.
Performs a comprehensive analysis of the logs to trace the whole attack process.
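The following is an added example, not code from the original post, of a small log-based engine: it parses combined-format access log lines, builds a per-path access model (how many distinct clients, how often POST, whether the page is ever reached through a Referer from the site), flags paths that only one or two clients POST to without ever following a link, and then traces backwards from the first access to the flagged path to the same client's earlier POST, which is the likely upload. The log lines, the site name `example.test`, the thresholds and the 10-minute trace window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/Nginx "combined" format:
# client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed log excerpt (not a real server log): two ordinary visitors, one login,
# then one client that uploads a file and starts POSTing to the uploaded path.
LOG_LINES = """\
198.51.100.20 - - [01/Mar/2019:09:58:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11)"
198.51.100.20 - - [01/Mar/2019:09:58:12 +0000] "GET /news.php?id=3 HTTP/1.1" 200 8400 "http://example.test/index.php" "Mozilla/5.0 (X11)"
198.51.100.21 - - [01/Mar/2019:09:59:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.21 - - [01/Mar/2019:09:59:03 +0000] "GET /news.php?id=7 HTTP/1.1" 200 8100 "http://example.test/index.php" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.21 - - [01/Mar/2019:09:59:30 +0000] "POST /login.php HTTP/1.1" 302 0 "http://example.test/login.php" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.7 - - [01/Mar/2019:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2019:10:00:05 +0000] "POST /upload.php HTTP/1.1" 200 312 "http://example.test/profile.php" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2019:10:00:09 +0000] "POST /uploads/img.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2019:10:00:15 +0000] "POST /uploads/img.php HTTP/1.1" 200 1930 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2019:10:03:40 +0000] "POST /uploads/img.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"
""".splitlines()


def parse(lines):
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the format rather than mis-parse them
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["path"] = e["uri"].split("?", 1)[0]  # model on the script, not the query string
        entries.append(e)
    return entries


def profile_paths(entries):
    """Per-path access model: who, how often, which method, and whether a link led there."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set(), "posts": 0, "no_referer": 0, "first": None})
    for e in sorted(entries, key=lambda e: e["ts"]):
        s = stats[e["path"]]
        s["hits"] += 1
        s["ips"].add(e["ip"])
        s["posts"] += e["method"] == "POST"
        s["no_referer"] += e["referer"] == "-"
        s["first"] = s["first"] or e["ts"]
    return stats


def suspicious_paths(stats):
    """A webshell is a page no normal visitor reaches: POSTed to by one or two clients
    and never arrived at through a link on the site. Thresholds are assumptions."""
    return sorted(p for p, s in stats.items()
                  if s["hits"] >= 2 and len(s["ips"]) <= 2
                  and s["posts"] / s["hits"] >= 0.8 and s["no_referer"] == s["hits"])


def trace(entries, path, window_seconds=600):
    """Rebuild the attack around a flagged path: first access, the actor, and the actor's
    earlier requests in the window. Earlier POSTs are the candidate upload events."""
    hits = sorted((e for e in entries if e["path"] == path), key=lambda e: e["ts"])
    first = hits[0]
    earlier = [e for e in entries
               if e["ip"] == first["ip"] and e["ts"] < first["ts"]
               and (first["ts"] - e["ts"]).total_seconds() <= window_seconds]
    session = sorted(earlier + hits, key=lambda e: e["ts"])
    return {
        "path": path,
        "actor": first["ip"],
        "first_seen": first["ts"].isoformat(),
        "upload_candidates": [(e["ts"].isoformat(), e["path"]) for e in earlier if e["method"] == "POST"],
        "session": [(e["ts"].isoformat(), e["method"], e["path"], e["status"]) for e in session],
    }


def analyze(lines):
    entries = parse(lines)
    return [trace(entries, p) for p in suspicious_paths(profile_paths(entries))]


if __name__ == "__main__":
    for report in analyze(LOG_LINES):
        print(report["path"], "by", report["actor"], "first seen", report["first_seen"])
        print("  upload candidates:", report["upload_candidates"])
        for step in report["session"]:
            print("   ", *step)
```

The model flags `/uploads/img.php` but not `/login.php`, which is also POSTed to: the login POST carries a Referer from the site's own page and sits inside a normal browsing session. What the log cannot show is the body of the POST to `/upload.php`, so the upload is only a candidate here; in traffic it would be a confirmed hit.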
Comparing the three methods: file-based detection often has a high deployment cost for collecting samples, and the samples alone do not show the whole attack process. Log-based detection is cheaper, but some behavior information, such as request bodies, never reaches the log. In general, traffic gives the most visibility, and from it the entire attack process can be fully reconstructed.
In later posts I will walk through the complete attack process of some recently analyzed webshells and summarize typical examples.