This blog post is a follow on from the following two blog posts:
- https://community.rsa.com/community/products/netwitness/blog/2019/02/12/web-shells-and-netwitness
- https://community.rsa.com/community/products/netwitness/blog/2019/02/13/web-shells-and-netwitness-part-2
The Attack
The attacker is not happy with executing commands via the Web Shell, so she decides to upload a new Web Shell called, reGeorg (https://sensepost.com/discover/tools/reGeorg/). This Web Shell allows the attacker to tunnel other protocols over HTTP, therefore allowing the attacker to RDP for example, directly onto the Web Server, even though RDP isn’t directly allowed from the internet.
The attacker can upload the Web Shell via one of the previously utilized Web Shells:
The attacker can now check the upload was successful by navigating to the uploaded JSP page. If all is okay, the Web Shell return the message shown in the below screenshot:
The attacker can now connect to the reGeorg Web Shell:
This means the attacker now has remote access to anything accessible from the Web Server where the Web Shell is located. This means the attacker could choose to RDP to a previously identified machine for example:
Attackers also like to keep other access methods to endpoints, one way of doing this is to setup an accessibility backdoor. This involves the attacker altering a registry key to load CMD when another application executes, in this case sethc.exe – this is an accessibility feature you typically see when pressing the SHIFT key five times. This now means that anyone who can RDP to that machine, can receive a system level command prompt with no credentials required; this is because sethc.exe can be invoked at the login screen by pressing the SHIFT key five times, and with the registry key altered, will spawn CMD as well.
To set this up, the attacker can use the Web Shell, and perform this over WMI using REG ADD:
Now the attacker can RDP back to the host they just setup the accessibility backdoor on, press the SHIFT key five times to initiate sethc.exe, and will be given the command prompt as system without having to use credentials:
The Analysis in RSA NetWitness
The analyst, while perusing Behaviors of Compromise, observes some suspicious indicators, runs wmi command-line tool, creates remote process using wmi command-line tool, and http daemon runs command shell just to name a few:
Drilling into the WMI related metadata, it is possible to see the WMI lateral movement that was used to setup the accessibility backdoor from the Web Shell:
The analyst also observes some interesting hits under the Indicators of Compromise meta key, enables login bypass and configures image hijacking:
Drilling into these sessions, we can see it is related to the WMI lateral movement performed, but this event being from the endpoint the backdoor was setup on:
The analyst, further perusing the metadata, drills into the Behavior of Compromise metadata, gets current username, and can see the sticky key backdoor being used (represented by the sethc.exe 211) to execute whoami:
The analyst, also perusing HTTP network traffic, observed HTTP headers that they typically do not see, x-cmd, x-target, and x-port:
Drilling into the RAW sessions for these suspicious headers, it is possible to see the command sent to the Web Shell to initiate the RDP connection:
Further perusing the HTTP traffic toward tunnel.jsp, we can see the RDP traffic being tunnelled over HTTP requests. The reason this shows as HTTP and not RDP, is that the RDP traffic is being tunnelled over HTTP, there are therefore more characteristics which define this as HTTP, compared to RDP:
Conclusion
Attackers will leverage a diverse range of tools and techniques to ensure they keep access to the environment they are interested in. The tools and techniques used here are freely available online and are often seen utilized by advanced attackers; performing proactive threat hunting will ensure that these types of events do not go unnoticed within your environment.
