{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/aspx/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SharePoint"],"_cs_severities":["medium"],"_cs_tags":["web-shell","aspx","persistence","windows"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies the creation of ASPX files in specific directories commonly targeted by attackers to deploy web shells on Windows systems. The rule focuses on files created in the \u0026quot;?:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*\u0026quot; directory, a common location for web server extensions. It excludes the legitimate \u0026quot;msiexec.exe\u0026quot; process to reduce false positives. The rule helps defenders identify potential web shell activity used for persistence and remote command execution by malicious actors attempting to compromise web servers. The detection logic relies on file creation events, making it compatible with various endpoint detection and response (EDR) and security information and event management (SIEM) solutions, including Elastic Endgame, Sysmon, SentinelOne, Microsoft Defender XDR, and Crowdstrike.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the web server, potentially through exploiting a vulnerability in a web application or a misconfiguration.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages their initial access to write a malicious ASPX file to a directory within the web server's file system. The target directory is typically within \u0026quot;?:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*\u0026quot;.\u003c/li\u003e\n\u003cli\u003eThe ASPX file contains malicious code designed to execute arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a web browser or other HTTP client to send a request to the newly created ASPX file.\u003c/li\u003e\n\u003cli\u003eThe web server executes the ASPX file in response to the HTTP request.\u003c/li\u003e\n\u003cli\u003eThe malicious code within the ASPX file executes commands specified by the attacker, allowing them to perform actions such as enumerating system information, creating new user accounts, or deploying additional malware.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the web shell for persistence, maintaining access to the compromised server even after the initial vulnerability is patched.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised server as a beachhead for further lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to complete compromise of the web server, allowing the attacker to execute arbitrary commands, steal sensitive data, or use the server as a launchpad for further attacks within the network. The creation of web shells is a common persistence technique, allowing attackers to maintain access even after the initial vulnerability is patched. This can lead to prolonged data breaches and significant damage to the organization's reputation and operations. The use of web shells often allows for privilege escalation and lateral movement within the compromised network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Web Shell ASPX File Creation\u0026quot; to your SIEM and tune for your environment, focusing on the specified file paths and process exclusions to reduce false positives.\u003c/li\u003e\n\u003cli\u003eEnable file integrity monitoring (FIM) on web server directories, specifically \u0026quot;?:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*\u0026quot;, to detect unauthorized file creation or modification.\u003c/li\u003e\n\u003cli\u003eReview and harden web server configurations to prevent unauthorized file uploads and remote code execution.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u0026quot;Web Shell ASPX File Creation\u0026quot; by examining the involved processes, file contents, and network connections.\u003c/li\u003e\n\u003cli\u003eUse the provided references to understand the ToolShell vulnerability and similar SharePoint compromise scenarios.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-02T14:00:00Z","date_published":"2024-11-02T14:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-11-potential-web-shell-aspx-creation/","summary":"This rule identifies the creation of ASPX files in web server directories, commonly targeted by attackers to deploy web shells for persistence, by monitoring file creation events and excluding known legitimate processes.","title":"Potential Web Shell ASPX File Creation","url":"https://feed.craftedsignal.io/briefs/2024-11-potential-web-shell-aspx-creation/"}],"language":"en","title":"CraftedSignal Threat Feed - Aspx","version":"https://jsonfeed.org/version/1.1"}