UMV WSS

Last updated Dec 21, 2025

Web shell detected

An event is generated when the UMV WSS agent detects a web shell on a server.

Query

Detects WSS alerts where the classification is 의심패턴탐지 (suspicious pattern detection).

| search category == "의심패턴탐지"

Message

  • Web shell detected: $host_ip ($signature)

Output Field Order

  • _log_time, host_ip, agent_name, signature, raw_data, file_path, is_known_webshell, match_line, pattern_offset, pattern_size

Threat Analysis

  • If a web shell is installed on a web server, an attacker can continuously issue arbitrary control commands through the web shell.

False Positive

  • UMV WSS may flag legitimate files as web shells.

Response Actions

  • Since UMV WSS web shell detection logs do not identify the entity that uploaded the web shell, correlate with UMV WSS upload logs or web logs to investigate the client IP that uploaded or accessed the web shell.
  • Block the source IP that uploaded or accessed the web shell at the firewall to prevent further malicious command execution.
  • Remove the web shell file from the server and investigate and remove any additional files installed through the web shell.
  • Review firewall logs to identify any attempts by the affected web server to access the internal network, and investigate whether the incident led to internal intrusion.
  • Identify and patch the vulnerability that allowed the web shell to be uploaded.
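
The web-log correlation described in the first response action, as an added example (not part of the UMV WSS product or this rule): it takes the `file_path` field from the alert and lists the client IPs that requested that file. It assumes Combined Log Format access logs and a one-to-one mapping from a document root to URL paths; the function names, paths and log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} ')

def url_path_for(file_path, doc_root):
    """Map the alert's file_path to its URL path (assumes a 1:1 docroot mapping)."""
    root = doc_root.rstrip("/")
    if not file_path.startswith(root + "/"):
        raise ValueError("file_path is outside the document root")
    return file_path[len(root):]

def clients_touching(file_path, doc_root, log_lines):
    """Return {client_ip: {first_seen, hits, methods}} for requests to the flagged file."""
    wanted = url_path_for(file_path, doc_root)
    seen = defaultdict(lambda: {"first_seen": None, "hits": 0, "methods": set()})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-CLF line
        # Drop the query string, then decode and normalise the path so that
        # /uploads/%69mg.php and /uploads/./img.php still match the alert.
        path = normpath(unquote(urlsplit(m["target"]).path))
        if path != wanted:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec = seen[m["ip"]]
        rec["hits"] += 1
        rec["methods"].add(m["method"])
        if rec["first_seen"] is None or ts < rec["first_seen"]:
            rec["first_seen"] = ts
    return dict(seen)

# Constructed sample input (documentation-range IPs), not real logs.
SAMPLE_LOG = [
    '203.0.113.10 - - [21/Dec/2025:10:01:02 +0900] "POST /board/upload.php HTTP/1.1" 200 512',
    '203.0.113.10 - - [21/Dec/2025:10:01:09 +0900] "GET /uploads/img.php?a=1 HTTP/1.1" 200 87',
    '198.51.100.7 - - [21/Dec/2025:10:05:30 +0900] "POST /uploads/%69mg.php HTTP/1.1" 200 40',
    '203.0.113.10 - - [21/Dec/2025:10:07:00 +0900] "GET /uploads/./img.php HTTP/1.1" 200 87',
    '192.0.2.44 - - [21/Dec/2025:10:06:00 +0900] "GET /index.html HTTP/1.1" 200 1024',
]
```

The earliest `first_seen` per client gives the starting point for the firewall-log and upload-log review in the remaining response actions.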

MITRE ATT&CK