WebShell Attacks

Description

A common method of execution for this attack leverages vulnerabilities in a website (e.g., SQL Injection, Remote File Inclusion) to remotely generate or install a file that will act as a WebShell. Once the WebShell is successfully installed, the remote attacker may then craft an HTTP POST request directly to the WebShell with embedded commands that will be executed as if the attacker had local (shell) access to the web server.

Attackers that successfully use WebShells take advantage of the fact that many organizations do not have complete visibility into HTTP sessions. Traditional tools rely on signatures and are easily left blind by intentional obfuscation of payloads and commands. In order to effectively respond to WebShell attacks, defenders must maximize visibility into each stage of the attack lifecycle.

Customer values/problems solved

  • Without being able to reconstruct the entire HTTP session (request and response), traditional toolsets do not allow an investigator to see into enough of the attack lifecycle to understand the initial attack vector (Delivery, Exploit/Installation), what an attacker is doing (C2), and what the impact to the business is (Action).
  • A traditional logs-only SIEM has no way to alert on suspicious HTTP sessions of this nature unless a downstream signature-based tool such as an IDS/IPS or web proxy has seen the exact attack before. 
  • Furthermore, HTTP sessions cannot be reconstructed with log data alone, meaning a complete lack of visibility into C2 commands, data exfiltration, and initial entry vector.
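The following is an added illustration of the visibility gap described above; it is not code from the original page or from the RSA NetWitness product. It contrasts what a detector can find when it sees the reconstructed HTTP session (request body and response body) with what survives in an access-log line (method, path, status, size). The sessions, parameter names, and output fingerprints are constructed samples chosen for illustration, not captured traffic or a vendor signature set.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote_plus


@dataclass
class HttpSession:
    """One reconstructed HTTP session: request plus response (constructed sample)."""
    method: str
    path: str
    status: int
    req_body: str
    resp_body: str


# Heuristics (assumed for this example, not a vendor ruleset):
# a POST to a server-side script whose parameter carries a shell-like command,
# and/or a response that looks like command output rather than a web page.
SCRIPT_EXT = re.compile(r"\.(php|jsp|aspx?|cgi)$", re.I)
CMD_PARAM = re.compile(r"(?:^|&)(cmd|command|exec|c|q)=([^&]*)", re.I)
SHELL_TOKENS = re.compile(r"\b(whoami|uname|id|ls|cat|netstat|ipconfig|ifconfig|wget|curl)\b")
OUTPUT_TOKENS = re.compile(r"uid=\d+\(|Linux \S+ \d|C:\\Windows", re.I)


def decode_value(raw: str) -> str:
    """URL-decode a parameter and append a best-effort base64 decoding.

    Operators routinely base64-encode commands to defeat plain string matching,
    so the detector inspects both the literal value and its decoded form.
    """
    text = unquote_plus(raw)
    try:
        decoded = base64.b64decode(text, validate=True).decode("utf-8", "ignore")
        if not decoded.isprintable():
            decoded = ""
    except (binascii.Error, ValueError):
        decoded = ""
    return f"{text} {decoded}".strip()


def inspect_session(s: HttpSession) -> List[str]:
    """Full-session view: both bodies are available, so content can be examined."""
    findings: List[str] = []
    if s.method != "POST" or not SCRIPT_EXT.search(s.path):
        return findings
    for name, raw in CMD_PARAM.findall(s.req_body):
        value = decode_value(raw)
        if SHELL_TOKENS.search(value):
            findings.append(f"command-like value in POST parameter '{name}': {value}")
    if OUTPUT_TOKENS.search(s.resp_body):
        findings.append("response body resembles shell command output")
    return findings


def access_log_line(s: HttpSession) -> str:
    """Log-only view: what a SIEM ingesting web-server access logs would receive."""
    return f'"{s.method} {s.path} HTTP/1.1" {s.status} {len(s.resp_body)}'


# Constructed sample sessions: a benign form post, a plain command to a dropped
# script, and the same script driven with a base64-obfuscated command.
SESSIONS = [
    HttpSession("POST", "/contact.php", 200,
                "name=Alice&message=hello", "<html>Thanks for writing</html>"),
    HttpSession("POST", "/uploads/img.php", 200,
                "cmd=id", "uid=33(www-data) gid=33(www-data)"),
    HttpSession("POST", "/uploads/img.php", 200,
                "c=" + base64.b64encode(b"uname -a").decode(),
                "Linux web01 5.4.0 #1 SMP x86_64 GNU/Linux"),
]


if __name__ == "__main__":
    for s in SESSIONS:
        print(access_log_line(s))
        for f in inspect_session(s):
            print("  ALERT:", f)
```

The two webshell sessions produce identical-looking access-log lines to the benign one apart from the path; only the reconstructed bodies expose the command and its output, which is the point made in the list above.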

Technologies

  • RSA NetWitness Suite

About Us

Global Data Centers is a division of NTT Ltd. Our global platform is one of the largest in the world. NTT is ranked as one of the top three leaders worldwide by IDC in their Colocation and Interconnection Services MarketScape, spanning more than 20 countries and regions including North America, Europe, Africa, India and APAC. As a neutral operator, we offer access to multiple cloud providers, a large variety of Internet Exchanges and telecommunication network providers including our own IPv6 compliant, tier 1 global IP network. Our clients benefit from tailored infrastructure and experience consistent best practices in design and operations across all of our reliable, scalable and customizable data centers.

Regional Contacts

  • Americas (RagingWire): +1 916 286 3000
  • APAC:
  • EMEA (e-shelter / Gyron): +49 69 7801 2190
  • India (Netmagic): +1 800 103 3130