Hello people, welcome back to another write-up on a new SOC case on the Let’s Defend platform! In today’s case we investigate a potentially malicious file upload attempt to our git server. If you missed my last Let’s Defend write-up, you can find it here.
On Feb. 22 a file named „phpshell.php“ (alarm bells ringing) was uploaded to our host „gitServer“. The action was allowed, but the alarm was triggered. Thankfully we got the file hash and the file itself to investigate.
I searched for the term „phpshell“ and immediately found two log entries. The time stamps are one and two minutes after the SOC rule triggered the alarm.
Well, these two log entries look like a PHP web shell, where the command is handed over via the „cmd“ parameter of the GET request. The attackers first checked which user account the web shell was running under, and in the second picture they tried to read the /etc/passwd file, which contains user names, user IDs and, on some older Unix/Linux systems, even the user password hashes. Both requests were allowed by the firewall.
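As an added example that is not part of the original write-up or of the Let’s Defend platform: a small Python check that pulls requests carrying a command parameter out of web server access logs, so the two entries described above could be found (with the decoded commands) without a manual full-text search. The log lines, IP addresses, path and timestamps are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in Apache/nginx "combined" format
# (not taken from the case). The first two mimic the requests seen in the
# write-up, the third is benign traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Feb/2022:10:41:03 +0000] "GET /uploads/phpshell.php?cmd=whoami HTTP/1.1" 200 12 "-" "curl/7.68.0"
203.0.113.5 - - [22/Feb/2022:10:42:17 +0000] "GET /uploads/phpshell.php?cmd=cat%20%2Fetc%2Fpasswd HTTP/1.1" 200 1834 "-" "curl/7.68.0"
198.51.100.7 - - [22/Feb/2022:10:42:30 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status code of a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Query parameter names that simple web shells commonly use to carry a command.
SHELL_PARAMS = ("cmd", "c", "exec", "command")


def find_webshell_requests(log_text, params=SHELL_PARAMS):
    """Return one finding per request whose query string carries a command parameter."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(match.group("target"))
        query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
        for name in params:
            if name in query:
                findings.append({
                    "src_ip": match.group("ip"),
                    "timestamp": match.group("ts"),
                    "path": parts.path,
                    "param": name,
                    "command": query[name][0],
                    "status": int(match.group("status")),  # 200 here means the request went through
                })
    return findings


if __name__ == "__main__":
    for hit in find_webshell_requests(SAMPLE_LOG):
        print(f'{hit["timestamp"]} {hit["src_ip"]} {hit["path"]} {hit["param"]}={hit["command"]!r} -> {hit["status"]}')
```

Feed it the real access log of the affected server to get the full list of commands issued through the shell and the source addresses behind them.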
Searching for the hash on virustotal.com shows a very clear picture of the maliciousness of that given file. 23 out of 58 vendors listed this file as „malicious“ and most of them specify the file as „backdoor“/“webshell“. To confirm these results, let’s take a look at the file itself:
Okay, this is indeed a very simple web shell. The attackers did not even try to hide the intent of the file by obfuscating its content. That is enough information for me, so we move on to the playbook now.
Well, for this decision I chose „Unknown or unexpected outgoing internet traffic“, but I think the option „other“ would have been fine, too. As the attackers tried to read the content of the /etc/passwd file, there might be some „unexpected“ outgoing traffic in my opinion.
Since the file has not been removed / cleaned yet, we click „not quarantined“.
We previously found out that this .php file is malicious, so we choose „malicious“ here. The C2 address controlling the web shell is 188.8.131.52:
Please forgive me: I forgot to save the screenshot from the following playbook question: Was the C2 address accessed?
As we can see from the screenshot above, the IP was accessed before the incident. Unfortunately I misclicked to „not accessed“. :-/
After filling in the artifacts we found, we need to leave a note for our co-workers or anybody else reviewing these cases to give an overview about our investigation.
Closing the alert
Now we can close the alert by choosing true positive and filling out the necessary information.
We finished this case successfully. I missed out on the five points for misclicking, but that is fine with me. I hope you guys enjoyed this investigation as much as I did. See you soon on another investigation here on my blog.