Detecting Webshells with Sysmon: A Technical Analysis

Introduction: Webshells are malicious scripts or programs that attackers deploy on web servers to gain unauthorized access and control. Detecting these webshells is crucial for maintaining the security of web applications and protecting sensitive data. In this article, we will explore how Sysmon, a powerful Windows system monitoring tool, can be utilized to detect and mitigate webshell threats. We will dive into the technical details of using Sysmon, explore relevant event IDs, and provide insights on enhancing your web server security.

Understanding Sysmon: Sysmon is a lightweight, command-line utility developed by Microsoft for Windows systems. It provides advanced monitoring capabilities by collecting and logging detailed information about system activities, including process creation, network connections, file modifications, and more. Leveraging this tool's extensive event logging capabilities, we can effectively track and detect suspicious activity related to webshells.

1. Monitoring Webshell Execution (Event ID: 1): To identify webshell activities, Sysmon can be configured to monitor process creation events (Event ID: 1). By enabling the "Image" and "CommandLine" fields in Sysmon's configuration, we can capture detailed information about processes being launched on the system. Webshells are often executed through malicious scripts or processes, and monitoring process creation can help us detect their presence.
2. Tracking Network Connections (Event ID: 3): Webshells typically establish communication channels with external servers to receive commands or exfiltrate data. Sysmon allows us to log network connection events (Event ID: 3), including source and destination IP addresses, ports, and protocols. By monitoring network connections, we can identify suspicious communication patterns associated with webshells.
3. Monitoring File Modifications (Event IDs: 11, 12, 13): Webshells often modify existing files or create new files on the compromised server. Sysmon can be configured to track file modifications (Event IDs: 11, 12, 13), providing crucial insights into potential webshell activity. By monitoring file creation, modification, and deletion events, we can identify unauthorized changes made by webshells.
4. Detecting Suspicious Process Behavior (Event ID: 7): Sysmon enables us to monitor process behavior (Event ID: 7), including command-line arguments, parent-child process relationships, and DLL loads. Webshells may exhibit unusual behavior, such as executing commands with elevated privileges or injecting malicious code into legitimate processes. By analyzing Sysmon logs for abnormal process behavior, we can flag potential webshell activities.

Here's a real example of how Sysmon can be used to detect a webshell activity:

Let's say you have configured Sysmon on your web server and are monitoring Event ID 1 (Process Creation) and Event ID 3 (Network Connection). One day, you notice a suspicious process being created with a webshell-like name, "cmd.aspx".

Process Create: RuleName: - UtcTime: 2022-01-10 15:30:45.1234567 ProcessGuid: {12345678-1234-1234-1234-123456789abc} ProcessId: 1234 Image: C:\inetpub\wwwroot\cmd.aspx CommandLine: C:\Windows\System32\cmd.exe /c echo "Hello, webshell!" CurrentDirectory: C:\inetpub\wwwroot\ User: NT AUTHORITY\SYSTEM        

Upon further investigation, you find that this process establishes an outbound connection to a suspicious IP address.

Sysmon Event ID 3 log entry:

Network Connect:
    RuleName: -
    UtcTime: 2022-01-10 15:31:00.9876543
    ProcessGuid: {12345678-1234-1234-1234-123456789abc}
    ProcessId: 1234
    Image: C:\Windows\System32\cmd.exe
    User: NT AUTHORITY\SYSTEM
    Protocol: TCP
    Initiated: true
    SourceIp: 192.168.2.100
    SourcePort: 12345
    DestinationIp: 1.2.3.4
    DestinationPort: 8080        

In this example, the webshell "cmd.aspx" is created by a legitimate Windows process "cmd.exe" and executed with elevated privileges (NT AUTHORITY\SYSTEM). It establishes an outbound network connection to an unknown IP address on an unusual port (1.2.3.4:8080). These activities raise suspicion and indicate a potential webshell presence on the server.

By regularly reviewing and analyzing Sysmon logs, paying attention to relevant event IDs, and using tools like SIEM (Security Information and Event Management) solutions, you can detect and respond to webshell activities promptly, mitigating potential security risks.

Remember, this is just one example, and the characteristics of webshells can vary. It is crucial to stay updated on the latest webshell threat indicators and adjust your monitoring and detection techniques accordingly.

Conclusion: Deploying Sysmon as part of your web server security strategy can significantly enhance your capability to detect and mitigate webshell threats. By leveraging Sysmon's comprehensive event logging features and implementing proper monitoring and analysis techniques, you can proactively identify and respond to webshell attacks. Remember to regularly review and analyze Sysmon logs, paying close attention to relevant event IDs, to stay vigilant and keep your web applications secure.

Please note that while Sysmon is a powerful tool for monitoring system activities, its configuration and analysis require technical expertise. It is recommended to consult security professionals or refer to official documentation for specific implementation details suitable for your environment.

provide by me with best regards

Sina Mohebi

Find more post in my Blog