I barely remember a security incident, that I worked on, where the adversary didn’t use web shells here or there. Web shells are effective, publicly available, and sort of hard to discover — they say.
In this piece, I will try to address the discovery challenge by sharing ideas and techniques for web shells hunting and ultimately turn the web shell from a capability to a liability for the adversary.
Real story: a target received a tip-off from external party about a potential compromise. The target started an investigation, identified suspected patient zero and removed it from the network. Later, they discovered a backdoor on a server and removed it. Later, a system admin logged in to one server and found the adversary active on it. Whack-a-mole game that continued for quite some time.
Hasty, incomplete and unmeasured actions often fail in response to “targeted” intrusions from “adaptive” threat actors.
Targeted intrusion from adaptive threat actor is a methodical and organized work which is carried (for most of the intrusion…
In Windows OS, the system resources (e.g. processes, files, devices) that need to be named, shared, protected, or exposed to user mode, are managed by the OS as objects. User applications can’t access these objects/resources directly but through the Object Manager (Ob), the subsystem that manages the access to the system objects/resources. Windows 10 (build 16299), for example, has 64 different object types.
Windows object is a memory data structure that represents a system resource and it has two parts: