A web shell is a malicious interface that gives an attacker remote access to and control of a web server by allowing the execution of arbitrary commands. An attacker who can write files to the server uploads a web shell to gain that access. Certain attacks, such as those perpetrated by the HAFNIUM group, are known to use web shells. You would like an automated way to remove any web shells created during exploitation so that none are forgotten and left behind.
Microsoft: Windows event data
How to use Splunk software for this use case
This playbook first formats a "more" command that reads the contents of the .aspx file containing the web shell, combining the "more" command with the web shell file path picked up from the event. Next, it runs that command against the Exchange Server named in the event. Then it formats a delete command, appending the same file path from the event. Finally, it runs the delete command on the Exchange Server. To use the playbook:
- Run the Detect Exchange Web Shell detection in the HAFNIUM Group analytic story in Splunk Enterprise Security.
- Enable the Send to Phantom Adaptive Response Action in the Enterprise Security correlation search. After a web shell is written, the detection sends the event to Splunk SOAR.
- If you haven't previously used this playbook, configure and activate it:
  - Navigate to Home > Playbooks and search for delete_detected_files. If it's not there, click Update from Source Control and select Community to download new community playbooks.
  - Click the playbook name to open it.
  - Resolve the playbook import wizard and set the playbook to Active.
  - Save the playbook and then run it.
If you haven't patched your Exchange servers, the attackers can return and create more web shells. You should patch your servers, but in addition, you can set the playbook to trigger automatically whenever a new web shell is detected, so that it is deleted as soon as it is reported.
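The four steps described above (format "more", run it, format delete, run it) as an added Python model of the playbook logic. This is illustrative code written for this article, not the community delete_detected_files playbook itself. The Event dataclass, the ALLOWED_ROOTS allow-list and the injected run_remote callable are assumptions standing in for the SOAR event fields and the remote command action; the allow-list and metacharacter check are added so that a crafted file path in an event cannot steer the delete outside the web roots or inject extra commands, and the file contents are captured before deletion so evidence is preserved.

```python
import ntpath  # Windows path semantics, so traversal checks behave the same wherever this runs
from dataclasses import dataclass
from typing import Callable, Dict

# Assumed allow-list of directories a detected web shell may be deleted from.
# Illustrative values; adjust to the web roots in your environment.
ALLOWED_ROOTS = (
    r"C:\inetpub\wwwroot",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy",
)

# Characters that would let a crafted path append extra cmd.exe commands.
FORBIDDEN_CHARS = '"&|<>^%\r\n'


@dataclass
class Event:
    """Minimal stand-in (constructed) for the fields the detection forwards to SOAR."""
    host: str       # Exchange server the web shell was written on
    file_path: str  # full path of the detected .aspx file


def validate_path(file_path: str) -> str:
    """Accept only a .aspx file under an allowed root; return the normalized path."""
    if any(c in file_path for c in FORBIDDEN_CHARS):
        raise ValueError(f"path contains shell metacharacters: {file_path!r}")
    norm = ntpath.normpath(file_path)  # collapses '..' so traversal cannot escape a root
    if not norm.lower().endswith(".aspx"):
        raise ValueError(f"not an .aspx file: {norm!r}")
    norm_ci = ntpath.normcase(norm)
    if not any(norm_ci.startswith(ntpath.normcase(root) + "\\") for root in ALLOWED_ROOTS):
        raise ValueError(f"path is outside the allowed web roots: {norm!r}")
    return norm


def format_more_command(path: str) -> str:
    """Step 1: build the command that dumps the file so its contents are preserved."""
    return f'more "{path}"'


def format_delete_command(path: str) -> str:
    """Step 3: build the command that removes the file."""
    return f'del /f "{path}"'


def run_playbook(event: Event, run_remote: Callable[[str, str], str]) -> Dict[str, object]:
    """Capture the web shell contents, then delete it, via an injected remote runner.

    run_remote(host, command) is assumed to execute a command on the host and return
    its stdout; in SOAR this would be a run-command action against a WinRM asset.
    """
    path = validate_path(event.file_path)
    more_cmd = format_more_command(path)
    contents = run_remote(event.host, more_cmd)  # step 2: keep the evidence before removal
    delete_cmd = format_delete_command(path)
    run_remote(event.host, delete_cmd)           # step 4: remove the web shell
    return {
        "host": event.host,
        "path": path,
        "contents": contents,
        "commands": [more_cmd, delete_cmd],
    }


if __name__ == "__main__":
    # Constructed event and a fake runner that records commands instead of using WinRM.
    sent = []

    def fake_runner(host: str, command: str) -> str:
        sent.append((host, command))
        return "constructed file contents" if command.startswith("more") else ""

    demo = Event(host="exch01.example.internal",
                 file_path=r"C:\inetpub\wwwroot\aspnet_client\system_web\detected.aspx")
    result = run_playbook(demo, fake_runner)
    for host, cmd in sent:
        print(f"{host}: {cmd}")
    print("captured", len(result["contents"]), "characters before deletion")
```

In a real SOAR deployment the runner would be the platform's own run-command action; keeping it injectable lets the path validation and command formatting be tested without an Exchange host, and the captured contents can be attached to the container as an artifact before the file is gone.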
The content in this article comes from a previously published blog, one of the thousands of Splunk resources available to help users succeed. In addition, these resources might help you understand and implement this guidance:
- Blog: Detecting HAFNIUM Exchange Server zero-day activity in Splunk
- GitHub: Delete detected files playbook
Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.