This blog post details a web shell intrusion in which attackers abused the IIS worker process (w3wp.exe) to steal data. The attackers uploaded a web shell, opened a reverse TCP shell from the server, and exfiltrated data using several techniques. Affected: IIS worker (w3wp.exe)
Key points:
- Attackers abused the IIS worker to upload a web shell.
- Initial access was achieved through unrestricted file uploads.
- Encoded PowerShell commands were used to create a reverse TCP shell.
- Multiple payloads were downloaded to the server after establishing command-and-control.
- Data exfiltration occurred via GET requests to the IIS server.
- Recommendations include validating input, restricting file uploads, and installing security agents.
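Two of the key points above (the IIS worker spawning an encoded PowerShell command, and data leaving the server through GET requests) are things a defender can hunt for in process-creation telemetry and IIS W3C logs. The block below is an added example written for this summary; it is not code from the Trend Micro research. The event field names (`parent`, `image`, `cmdline`), the sample process events and the IIS log excerpt are all constructed here for illustration.

```python
"""Detection helpers for two behaviours described in the summary:
  1. w3wp.exe launching a shell, possibly with a -EncodedCommand argument
  2. a large archive being pulled off the web root with a GET request
Every sample event and log line below is constructed for this example.
"""
import base64
import re

# --- 1. Process-creation events -------------------------------------------
# Minimal records in the shape of a Sysmon Event ID 1 / EDR process event.
# The field names are an assumption made for this example.
PROCESS_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # Harmless placeholder script, encoded the way powershell.exe expects
     # (UTF-16LE, then base64) so the decoder below has something to unwrap.
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + base64.b64encode("Write-Output example".encode("utf-16-le")).decode()},
    {"parent": r"C:\Windows\explorer.exe",          # benign admin usage
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand plus the
# special alias -ec; match all of them, case-insensitively.
_PREFIXES = sorted(
    ["ec"] + ["encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)],
    key=len, reverse=True)
ENC_FLAG = re.compile(r"(?:^|\s)-(?:" + "|".join(_PREFIXES) + r")\s+([A-Za-z0-9+/=]+)",
                      re.IGNORECASE)
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def suspicious_iis_children(events):
    """Flag shells whose parent is w3wp.exe; a web server has no business doing that."""
    hits = []
    for ev in events:
        parent = ev["parent"].lower().rsplit("\\", 1)[-1]
        child = ev["image"].lower().rsplit("\\", 1)[-1]
        if parent == "w3wp.exe" and child in SHELLS:
            hits.append({"child": child,
                         "cmdline": ev["cmdline"],
                         "decoded": decode_encoded_command(ev["cmdline"])})
    return hits


# --- 2. IIS W3C log: archives served with GET ------------------------------
# Constructed excerpt; the #Fields line is parsed so any field order works.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-bytes
2025-01-10 03:14:07 10.0.0.5 GET /index.html - 203.0.113.9 200 5120
2025-01-10 03:14:21 10.0.0.5 POST /upload/profile.aspx - 198.51.100.7 200 310
2025-01-10 03:15:02 10.0.0.5 GET /uploads/export.zip - 198.51.100.7 200 52428800
2025-01-10 03:15:40 10.0.0.5 GET /images/logo.png - 203.0.113.9 200 2048
"""
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".tar", ".gz")


def archive_downloads(log_text, min_bytes=10 * 1024 * 1024):
    """Return (client ip, uri, bytes) for successful GETs of large archives."""
    fields, found = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        uri = rec.get("cs-uri-stem", "").lower()
        if (rec.get("cs-method") == "GET" and rec.get("sc-status") == "200"
                and uri.endswith(ARCHIVE_EXT) and int(rec.get("sc-bytes", 0)) >= min_bytes):
            found.append((rec["c-ip"], rec["cs-uri-stem"], int(rec["sc-bytes"])))
    return found


if __name__ == "__main__":
    for hit in suspicious_iis_children(PROCESS_EVENTS):
        print("w3wp.exe spawned", hit["child"], "->", hit["decoded"] or hit["cmdline"])
    for ip, uri, size in archive_downloads(IIS_LOG):
        print(f"archive download: {ip} fetched {uri} ({size} bytes)")
```

Both checks are deliberately narrow: a shell under w3wp.exe is rare enough on a healthy server to alert on outright, and a multi-megabyte archive served from an upload directory is worth a ticket even before the client IP is tied to a known indicator. The byte threshold and extension list are tuning knobs, not part of the original research.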
MITRE Techniques:
- T1071.001 – Application Layer Protocol: The attacker used HTTP to exfiltrate data via GET requests.
- T1043 – Commonly Used Port: The reverse TCP shell connected to a command-and-control server on port 443.
- T1059.001 – Command and Scripting Interpreter: PowerShell was utilized for command execution.
- T1070.001 – Indicator Removal on Host: The attacker deleted the zip file after exfiltration to cover tracks.
- T1078 – Valid Accounts: The attacker created a new account for persistence.
Indicators of Compromise:
- [ip address] 86.48.10[.]109
- [url] http://54.255.198[.]171/0x02.exe
- [url] http://54.255.198[.]171/rev.bat
- [url] http://54.255.198[.]171/AnyDesk.exe
- [url] http://54.255.198[.]171/ngrok.exe
- Check the article for all found IoCs.
Full Research: https://www.trendmicro.com/en_us/research/25/a/investigating-a-web-shell-intrusion-with-trend-micro–managed-xd.html