medium threat exploited

Potential Web Shell ASPX File Creation

The creation of ASPX files in web server directories, excluding legitimate processes, indicates potential web shell deployment for persistence on Windows systems.

Attackers frequently deploy web shells to maintain persistence and execute arbitrary commands on compromised web servers. This rule identifies the creation of ASPX files, commonly used in Windows environments, within directories typically targeted for web shell deployment. The rule focuses on the “?:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\*” path, a common location for web server extensions and potential web shell placements. By excluding legitimate processes such as msiexec.exe and psconfigui.exe, the rule aims to detect suspicious ASPX file creation events indicative of malicious activity. The detection logic helps defenders identify potential web shell installations, allowing for timely response and remediation to prevent further compromise. This activity has been observed in exploitation attempts targeting SharePoint servers.

Attack Chain

  1. An attacker gains initial access to the target system, potentially through exploiting a vulnerability in a web application or service running on the server (e.g., SharePoint).
  2. The attacker leverages the compromised web application to upload a malicious ASPX file to a directory within the web server’s file system, specifically targeting locations like “?:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\*”.
  3. The uploaded ASPX file contains malicious code designed to provide the attacker with remote access and control over the server.
  4. The attacker triggers the execution of the ASPX file by sending a request to the web server, which processes the ASPX file and executes the embedded malicious code.
  5. The web shell allows the attacker to execute arbitrary commands on the server, potentially escalating privileges and moving laterally within the network.
  6. The attacker uses the web shell to establish persistence on the compromised server, ensuring continued access even after the initial vulnerability is patched.
  7. The attacker may use the web shell to exfiltrate sensitive data from the server or to deploy additional malware and tools.

Impact

A successful web shell deployment can lead to complete compromise of the affected server, potentially impacting numerous organizations. Attackers can use web shells to execute arbitrary code, steal sensitive data, and establish persistent access to internal networks. The impact includes data breaches, financial losses, and reputational damage. Successful exploitation of SharePoint vulnerabilities leading to web shell deployment has been observed in the wild.

Recommendation

  • Deploy the Sigma rule “Web Shell ASPX File Creation in Common Directories” to detect suspicious ASPX file creation events, filtering out legitimate processes to reduce false positives.
  • Enable Sysmon Event ID 11 (File Create) to capture file creation events on Windows systems, which is a data source for the Sigma rule.
  • Investigate any alerts generated by the Sigma rule “Web Shell ASPX File Creation in Common Directories” by examining the file path, creating process, and network activity around the time of the event.
  • Monitor web server logs for suspicious requests targeting ASPX files in common web server directories, as referenced in the rule description.
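The two rules described on this page are kept inside the vendor platform, so the following is an added example of their logic written for this page, not the platform's own query. It evaluates constructed Sysmon Event ID 11 records against the path, extension and process exclusions stated above; treating the Sysmon Image field as the "parent" of the second rule and using w3wp.exe as the typical web-server process are assumptions.

```python
import fnmatch
from typing import Dict, Iterable, List

# Sigma-style path from the rule description: '?' is the drive letter, '*' any suffix.
WEB_SERVER_EXT_PATH = r"?:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\*"
# Creating processes the first rule excludes (as named on this page).
RULE1_EXCLUDED_IMAGES = (r"\msiexec.exe", r"\psconfigui.exe")
# ASSUMPTION: IIS worker process treated as the "typical web server-related" creator.
RULE2_EXPECTED_IMAGES = (r"\w3wp.exe",)

def _match(value: str, pattern: str) -> bool:
    """Case-insensitive glob match, as Sigma compares Windows paths."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def _ends_with_any(value: str, suffixes: Iterable[str]) -> bool:
    return any(value.lower().endswith(s.lower()) for s in suffixes)

def is_aspx_create(event: Dict[str, str]) -> bool:
    """Sysmon FileCreate (Event ID 11) whose target has the .aspx extension."""
    return event.get("EventID") == "11" and event.get("TargetFilename", "").lower().endswith(".aspx")

def rule_common_directories(event: Dict[str, str]) -> bool:
    """ASPX written under Web Server Extensions by anything but the excluded installers."""
    return (is_aspx_create(event)
            and _match(event["TargetFilename"], WEB_SERVER_EXT_PATH)
            and not _ends_with_any(event.get("Image", ""), RULE1_EXCLUDED_IMAGES))

def rule_uncommon_parent(event: Dict[str, str]) -> bool:
    """ASPX written anywhere by a process that is not an expected web-server process."""
    return is_aspx_create(event) and not _ends_with_any(event.get("Image", ""), RULE2_EXPECTED_IMAGES)

def evaluate(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """One verdict per event so an analyst can see which rule fired and why."""
    return [{"TargetFilename": e.get("TargetFilename"), "Image": e.get("Image"),
             "common_dirs": rule_common_directories(e),
             "uncommon_parent": rule_uncommon_parent(e)} for e in events]

# Constructed Sysmon Event ID 11 records; field names follow the Sysmon schema.
SAMPLE_EVENTS = [
    {"EventID": "11", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",  # worker process drops an ASPX: rule 1
     "TargetFilename": r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\sample.aspx"},
    {"EventID": "11", "Image": r"C:\Windows\System32\msiexec.exe",  # installer: excluded by rule 1, flagged by rule 2
     "TargetFilename": r"D:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\default.aspx"},
    {"EventID": "11", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # outside the path: rule 2 only
     "TargetFilename": r"C:\inetpub\wwwroot\upload.aspx"},
    {"EventID": "11", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",  # not an ASPX file: neither
     "TargetFilename": r"C:\inetpub\wwwroot\App_Data\cache.tmp"},
]

if __name__ == "__main__":
    for verdict in evaluate(SAMPLE_EVENTS):
        print(verdict)
```

The second record shows why the installer exclusion matters: without it a SharePoint configuration run would trip the first rule, while the second rule still reports it and needs its own allowlist tuned to the estate.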

Detection coverage (2 rules)

Web Shell ASPX File Creation in Common Directories

medium

Detects the creation of ASPX files in directories commonly targeted for web shell deployment, excluding legitimate processes.

Sigma | tactics: persistence | techniques: T1505.003 | sources: file_event, windows

Web Shell ASPX File Creation by Uncommon Parent Process

medium

Detects ASPX file creation events where the parent process is not a typical web server-related process.

Sigma | tactics: persistence | techniques: T1505.003 | sources: file_event, windows
