Threat Watch

NSA Releases 17-Page Document on Web Shell Detection and Mitigation

Web shells are malicious files uploaded to compromised web servers to perform attacker-specified actions such as downloading files on the server, providing directory listings or making files on the server available for download for the attacker. On April 22nd, the NSA tweeted out a link to a 17-page document on detecting and preventing web shells. Because web shells are often deployed as scripts using a language such as PHP, they can be difficult to detect due to the ease of obfuscation and ability to change the script each time it is deployed. To help organizations put the document into practice, the NSA has a GitHub repository dedicated to web shell detection and mitigation as well.

Subscribe to Threat Watch

Daily summaries of threats, delivered straight to your inbox!


Click Here to Subscribe to Threat Watch

ANALYST NOTES

Binary Defense highly recommends following the advice being given by the NSA to protect web servers. Both the PDF and the GitHub repository offer several ways of detecting web shells. While the GitHub repository is geared more towards the detection side, the PDF document is separated into categories for detection, prevention and mitigation. For a non-exhaustive list of recent and frequently exploited applications and CVEs used to install web shells, check out Appendix H in the PDF document.

Source: https://twitter.com/NSAGov/status/1252945913980608512

https://media.defense.gov/2020/Apr/22/2002285959/-1/-1/0/DETECT%20AND%20PREVENT%20WEB%20SHELL%20MALWARE.PDF

https://github.com/nsacyber/Mitigating-Web-Shells

Facebook Twitter Instagram Youtube Linkedin
Solutions
Become a Reseller

Industries

Resources

About

Contact Us
Contact Support