#3 - Hiding aspx webshells

Question:

Looking at the following IIS logs, what is the likely filename of this webshell?

2022-07-13 05:21:01 192.168.48.135 GET /auth/ - 80 - 192.168.48.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/103.0.5060.114+Safari/537.36+Edg/103.0.1264.49 - 200 0 0 1
2022-07-13 05:21:03 192.168.48.135 POST /auth/ - 80 - 192.168.48.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/103.0.5060.114+Safari/537.36+Edg/103.0.1264.49 http://192.168.48.135/auth/ 200 0 0 40
2022-07-13 05:21:31 192.168.48.135 POST /auth/ - 80 - 192.168.48.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/103.0.5060.114+Safari/537.36+Edg/103.0.1264.49 http://192.168.48.135/auth/ 200 0 0 43
2022-07-13 05:22:15 192.168.48.135 POST /auth/ - 80 - 192.168.48.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/103.0.5060.114+Safari/537.36+Edg/103.0.1264.49 http://192.168.48.135/auth/ 200 0 0 42
2022-07-13 05:22:20 192.168.48.135 POST /auth/ - 80 - 192.168.48.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/103.0.5060.114+Safari/537.36+Edg/103.0.1264.49 http://192.168.48.135/auth/ 200 0 0 39

Bonus Question: What is the web browser that the actor is using?


Answer:

The webshell is likely called "default.aspx". IIS does not log the filename of a default document: when a request targets a directory, the log records only the directory path (here /auth/), so the repeated successful POSTs to /auth/ are actually hitting a default page such as default.aspx inside that folder.

The actor is using Edge 103 on Windows 10; this can be determined by pasting the user agent (note the trailing Edg/103.0.1264.49 token) into a user-agent lookup.
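As an added example that is not part of the challenge or its answer, the following Python script automates both parts of the reasoning above for a defender: it parses IIS W3C log lines, flags successful POSTs to bare directory paths (where the served default document never appears in the log), lists the default-document names IIS could have served from that directory, and classifies the client's user agent. The sample log is constructed to mirror the lines above, and the field order and default-document list are assumptions matching a typical IIS 7+ configuration.

```python
import re
from collections import Counter

# Constructed sample in IIS W3C extended format, mirroring the challenge log
# (one benign request added). Assumed field order is the IIS default selection:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
# cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-07-13 05:21:01 192.168.48.135 GET /auth/ - 80 - 192.168.48.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/103.0.5060.114+Safari/537.36+Edg/103.0.1264.49 - 200 0 0 1
2022-07-13 05:21:03 192.168.48.135 POST /auth/ - 80 - 192.168.48.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/103.0.5060.114+Safari/537.36+Edg/103.0.1264.49 http://192.168.48.135/auth/ 200 0 0 40
2022-07-13 05:21:31 192.168.48.135 POST /auth/ - 80 - 192.168.48.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/103.0.5060.114+Safari/537.36+Edg/103.0.1264.49 http://192.168.48.135/auth/ 200 0 0 43
2022-07-13 05:23:00 192.168.48.135 GET /images/logo.png - 80 - 192.168.48.50 Mozilla/5.0+(X11;+Linux+x86_64)+Firefox/102.0 - 200 0 0 2
"""

FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query", "port",
          "username", "c_ip", "user_agent", "referer", "status", "substatus",
          "win32_status", "time_taken"]

# Default-document names IIS 7+ tries for a directory request (assumed typical
# list, in IIS's own lookup order). None of these appear in the log when served.
IIS_DEFAULT_DOCS = ["Default.htm", "Default.asp", "index.htm", "index.html",
                    "iisstart.htm", "default.aspx"]


def parse_iis_line(line):
    """Split one W3C log line into a dict, or return None for comments/malformed lines.
    IIS encodes spaces inside the user agent as '+', so a plain split is safe."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def browser_from_user_agent(ua):
    """Small user-agent classifier standing in for the online lookup used in the answer.
    Edge must be checked before Chrome because its UA also carries a Chrome/ token.
    Caveat: Windows 11 also reports 'Windows NT 10.0', so the OS label is a best guess."""
    ua = ua.replace("+", " ")
    if "Windows NT 10.0" in ua:
        os_name = "Windows 10"
    elif "Linux" in ua:
        os_name = "Linux"
    else:
        os_name = "unknown OS"
    for label, token in (("Edge", "Edg"), ("Chrome", "Chrome"), ("Firefox", "Firefox")):
        m = re.search(rf"{token}/(\d+)", ua)
        if m:
            return f"{label} {m.group(1)} on {os_name}"
    return f"unknown browser on {os_name}"


def find_directory_posts(log_text):
    """Flag clients that successfully POSTed to a bare directory path.
    A 200 on POST /dir/ means IIS served a default document from that folder
    whose filename is not in the log, so each hit lists the candidate files."""
    hits = Counter()
    agents = {}
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["uri_stem"].endswith("/") and rec["status"] == "200":
            key = (rec["c_ip"], rec["uri_stem"])
            hits[key] += 1
            agents[key] = rec["user_agent"]
    return [
        {
            "client": c_ip,
            "path": path,
            "posts": count,
            "browser": browser_from_user_agent(agents[(c_ip, path)]),
            "candidate_files": [path + name for name in IIS_DEFAULT_DOCS],
        }
        for (c_ip, path), count in hits.items()
    ]


if __name__ == "__main__":
    for hit in find_directory_posts(SAMPLE_LOG):
        print(f"{hit['client']} POSTed {hit['posts']}x to {hit['path']} using {hit['browser']}")
        print("  possible webshell filenames:", ", ".join(hit["candidate_files"]))
```

Running it against a real log only requires replacing SAMPLE_LOG with the file contents; the '#Fields:' header is skipped, so if your server logs a different field selection, adjust FIELDS to match that header before trusting the output.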
