Webshell Security Detection (3)-Discover "unknown webshells" based on Behavior Analysis"

Webshell Security Detection (3)-Discover "unknown webshells" based on Behavior Analysis"
1. "known" or "unknown"

Known, known, unknown, and unknown, the security industry has talked a lot recently. Currently, the hot "threat intelligence" in the circle should actually be "known unknown ", it is an unknown threat to the local device. It is actually a threat that has already occurred elsewhere. What should we do with the true "unknown"? Although the probability of occurrence of the first threat on us is very small, however, at present, many attacks steal administrator identities or legitimate user identities to perform some seemingly legal operations. These internal "exceptions"
"Behavior, no external" threat intelligence "and other data can be compared.

Encryption will gradually become the norm of network traffic, and security threat detection based on "protocol exceptions or behavior exceptions" will become an important means of interpreting security threats in content scenarios. Detects threats based on content detection and behavior detection. Exceptions are not necessarily threats, but generally they must first be exceptions. It also expresses the importance of abnormal behavior analysis based on the whitelist.

One feature of the current security attack and defense is that there will be more and more unknown attacks, and the attack tool you are facing may have never been used (or you have never seen the monitoring field of view ), there are more webshell samples in your hands. Attackers can always create a webshell with more lightweight functions. How can they discover unknown webshells? How can we achieve the wide recovery of Skynet without leaking?

2. Traffic-based Webshell behavior detection

After webshell is run, B/S data is interacted through HTTP, and clues can be found in HTTP requests/responses. This is a dynamic feature detection. We have previously mentioned that webshell communication is an HTTP protocol. Payload-based behavior analysis not only detects known webshells, but also identifies unknown and pseudowebshells.

(1) Conduct Association Analysis on webshell access features (IP/UA/Cookie), payload features, path features, and time features, and use time as the index to restore attack events.

(2) exception-based HTTP requests

Webshell always has an HTTP request. If HTTP requests are monitored at the network layer (Apache/IIS logs are not monitored ), one day, a new PHP file request or a file that is usually a GET request suddenly has a POST request and returns 200. This is a problem.

(3) combined with threat intelligence, conduct in-depth analysis on the source and author of webshell to fully picture who? When? How? Why? (For what purpose? Competitors or malicious attackers) how? (Attack methods)

3. Behavior Characteristics Analysis Based on Sandbox Technology

We know that middleware needs to be started by a system account, and all WEB script files use middleware to complete corresponding actions, by monitoring system processes and SQL queries used by middleware, You Can preliminarily determine the existence and running of webshells on the website. Then, the specific script file for the final launch operation can be determined through the middleware to achieve the final detection and Webshell discovery.

In this section, I have a limited understanding. I will simply list several methods to discover specific webshells.

(1) database-level detection: Generally, all database operations on a normal website are performed through a unified API, if a script file tries to operate the database in another way, you can trace the specific file;

(2) middleware-level detection: Through the customization of third-party plug-ins and the integration of middleware, you can detect the script files that initiate the operation;

(3) system-level behavior detection: If webshell is used up to execute system commands, there will be processes. For example, in Linux, the nobody User starts bash, and in windows, the IIS User starts cmd. These are dynamic features.

Introduction:

Based on the traffic, through the analysis of payload to find webshell attack behavior, the author will analyze the actual environment, and summarize the original data table and the analysis process and results.