Splunk Lantern

Web shell present in web traffic events

You might need to search your web data for a web shell in memory when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Your company uses SolarWinds Orion business software, which is vulnerable to the Supernova in-memory web shell attack. You know that because it runs in memory, detection and forensic analysis post-breach are difficult. You want to search your web data to see if the web shell exists in memory. This is done by looking for calls to logoimagehandler.ashx that carry the parameters (codes, clazz, method, args) known to be implemented and called in the trojanized version of the API. Finding these in your web logs would be an indicator of compromise.

Option 1

To optimize the search shown below, you should specify an index and a time range. In addition, content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). This search requires the Web data model. For information on installing and using the CIM, see the Common Information Model documentation.

  1. Ensure that your deployment is ingesting endpoint logs from your various systems and populating the Web data model.
  2. Run the following search:
    | tstats count FROM datamodel=Web.Web WHERE
    Web.url=*logoimagehandler.ashx*codes* OR
    Web.url=*logoimagehandler.ashx*clazz* OR
    Web.url=*logoimagehandler.ashx*method* OR
    Web.url=*logoimagehandler.ashx*args* groupby Web.src Web.dest Web.url
    Web.vendor_product Web.user Web.http_user_agent _time span=1s


Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk search:
    | tstats count FROM datamodel=Web.Web WHERE
    Web.url=*logoimagehandler.ashx*codes* OR
    Web.url=*logoimagehandler.ashx*clazz* OR
    Web.url=*logoimagehandler.ashx*method* OR
    Web.url=*logoimagehandler.ashx*args* groupby Web.src Web.dest Web.url
    Web.vendor_product Web.user Web.http_user_agent _time span=1s
Explanation:
    Query the Web data model for the given URLs and group the results by the fields shown.

Option 2

To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses Stream HTTP data. You can replace this source with Bro/Zeek or any other data set that contains information about HTTP requests and the URI filenames and parameters used in your organization.

  1. Ensure that you have installed and configured the Splunk App for Stream.
  2. Run the following search:
    sourcetype=stream:http
    dest_ip=<IP of SolarWinds system you are investigating>
    (url=*logoimagehandler.ashx*codes* OR url=*logoimagehandler.ashx*clazz*
    OR url=*logoimagehandler.ashx*method* OR
    url=*logoimagehandler.ashx*args*)
    | table _time src_ip src_port dest_ip dest_port url transport status

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk search:
    sourcetype=stream:http
Explanation:
    Search only Stream HTTP data.

Splunk search:
    dest_ip=<IP of SolarWinds system you are investigating>
Explanation:
    Search the system you want to investigate for this inbound traffic.

Splunk search:
    (url=*logoimagehandler.ashx*codes* OR url=*logoimagehandler.ashx*clazz*
    OR url=*logoimagehandler.ashx*method* OR
    url=*logoimagehandler.ashx*args*)
Explanation:
    Search for these URLs being requested by the web client.

Splunk search:
    | table _time src_ip src_port dest_ip dest_port url transport status
Explanation:
    Display the results in a table with columns in the order shown.

Result

If these URLs are found in the web server logs and were called successfully, you can assume that the web server is infected with the web shell. Investigate further and then run your incident response plan to clean the web server of the malware.
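As an added illustration (not part of this Lantern article or Splunk's content), the same detection logic applied outside Splunk to raw web server logs: it parses constructed combined-format log lines, flags requests to logoimagehandler.ashx carrying any of the codes/clazz/method/args parameters, and separates successful (2xx) calls from failed ones, matching the rule in the Result section. The log format and sample lines are assumptions for the demo.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query-string parameters handled by the trojanized logoimagehandler.ashx (Supernova).
SUPERNOVA_PARAMS = {"codes", "clazz", "method", "args"}

# Constructed sample lines in Apache/IIS-style combined format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Dec/2020:10:01:02 +0000] "GET /Orion/Login.aspx HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Dec/2020:10:02:10 +0000] "GET /Orion/LogoImageHandler.ashx?id=123 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Dec/2020:10:02:11 +0000] "POST /Orion/logoimagehandler.ashx?codes=abc&clazz=Cls&method=Run&args=x HTTP/1.1" 200 44 "-" "curl/7.68"
10.0.0.9 - - [15/Dec/2020:10:02:15 +0000] "GET /Orion/logoimagehandler.ashx?Codes=def HTTP/1.1" 404 0 "-" "curl/7.68"
"""

# Minimal combined-log parser: client, timestamp, verb, URL and HTTP status.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def supernova_params(url):
    """Return the Supernova parameters present in a request URL. Matching is
    case-insensitive because IIS paths and ASP.NET query-string keys are."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("logoimagehandler.ashx"):
        return set()
    keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    return keys & SUPERNOVA_PARAMS

def find_webshell_hits(log_text):
    """One dict per suspicious request; 'success' is True for a 2xx response,
    the condition under which the page treats the server as infected."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue  # skip lines that do not parse rather than miss the rest
        params = supernova_params(rec["url"])
        if params:
            status = int(rec["status"])
            hits.append({"src": rec["src"], "time": rec["ts"], "url": rec["url"],
                         "params": sorted(params), "status": status,
                         "success": 200 <= status < 300})
    return hits

if __name__ == "__main__":
    for hit in find_webshell_hits(SAMPLE_LOG):
        print(hit)
```

A benign request to the handler without these parameters (second sample line) is not reported, while the failed request with a capitalised `Codes` key is reported with `success` False so it can still be triaged.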