Webshell Reconnaissance Command Detection
This brief describes detection of common reconnaissance commands executed through webshells on Windows systems, enabling defenders to identify post-exploitation discovery activities.
This brief details a detection strategy for identifying post-exploitation reconnaissance activities performed via webshells on Windows servers. Attackers frequently deploy webshells on compromised web servers to maintain access and execute commands remotely. Following initial compromise, they typically employ various command-line utilities and scripting tools to gain a deeper understanding of the compromised system and network environment. This includes using tools like net.exe, wmic.exe, ipconfig.exe, whoami.exe, schtasks.exe, systeminfo.exe, and PowerShell with encoded commands. The detection focuses on processes spawned by common web server applications (e.g., IIS w3wp.exe, PHP-CGI, NGINX, Apache httpd, Tomcat Java processes) that then execute these suspicious discovery commands. Identifying such activity is crucial for early detection of an attacker's presence and preventing further compromise, lateral movement, or data exfiltration.
Attack Chain
- Initial Access & Webshell Deployment: An attacker exploits a vulnerability in a public-facing web application (e.g., CVE-2024-1234) to gain initial access and deploy a webshell (e.g., China Chopper, Bumblebee) onto the web server.
- Webshell Activation: The attacker interacts with the deployed webshell, causing the legitimate web server process (e.g.,
w3wp.exe,php-cgi.exe,java.exefor Tomcat) to spawn a command-line interpreter (e.g.,cmd.exe,powershell.exe). - System Information Discovery: The attacker executes commands like
systeminfo.exeorwmic.exe(wmic.exe os get caption /value) to gather details about the operating system, hardware, and installed software, mapping the system's configuration. - Network Configuration Discovery: Commands such as
ipconfig.exe,netstat.exe,nslookup.exe,ping.exe,Test-NetConnection, ortracert.exeare used to enumerate network interfaces, active connections, DNS information, and network connectivity to map the internal network segment. - Account and User Discovery: The attacker employs
whoami.exe,net user,net group,quser.exe, ordsquery.exeto identify local and domain user accounts, groups, and logged-on users, seeking targets for privilege escalation or lateral movement. - Process and Task Discovery:
tasklist.exeandschtasks.exeare executed to list running processes, services, and scheduled tasks, identifying potential running security software, interesting applications, or existing persistence mechanisms. - File and Directory Discovery: The attacker uses
find.exe,findstr.exe, ordir \\(e.g.,dir \\<IP>\C$) to search for sensitive files, configurations, or to explore remote shares for data or further access. - Further Exploitation & Lateral Movement: Based on the gathered reconnaissance, the attacker proceeds with privilege escalation, establishes additional persistence, moves laterally within the network, or prepares for data exfiltration.
Impact
Successful execution of reconnaissance commands via a webshell indicates a significant compromise, potentially leading to immediate or future severe consequences. The attacker has established a persistent foothold, enabling them to map the network infrastructure, identify valuable assets, locate sensitive data, and enumerate user accounts. This intelligence gathering is a critical precursor to privilege escalation, lateral movement to other systems, data exfiltration, or the deployment of additional malicious payloads such as ransomware. Organizations could face severe data breaches, service disruption, reputational damage, and significant financial losses if these post-exploitation activities are not detected and remediated promptly. The presence of a webshell on a public-facing server poses an ongoing risk until completely eradicated.
Recommendation
- Deploy the provided Sigma rule to your SIEM and tune for your environment to detect webshell reconnaissance activities.
- Ensure comprehensive
process_creationlogging (e.g., Sysmon Event ID 1) is enabled on all Windows web servers to capture the necessary command-line arguments and parent-child process relationships for the rule. - Regularly review logs for processes spawned by web server applications that execute unusual or discovery-related commands.
- Patch known vulnerabilities in web server software immediately to prevent webshell deployment.
Detection coverage 1
Webshell Detection With Command Line Keywords
highDetects suspicious command-line parameters and binary executions often used during reconnaissance activity via webshells, spawned by common web server processes.
Detection queries are available on the platform. Get full rules →