Full Spectrum Detections for 5 Popular Web Shells: Alfa, SharPyShell, Krypton, ASPXSpy, and TWOFACE

Full Spectrum Detections for 5 Popular Web Shells: Alfa, SharPyShell, Krypton, ASPXSpy, and TWOFACE

insikt-logo-blog.png
Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.

This report provides a technical overview of 5 prominent web shells: Alfa, Krypton, SharPyShell, ASPXSpy, and TWOFACE. It contains details on the capabilities of the web shells and host-based and network-based detections. This report is intended for security operations audiences who focus on detection engineering. Sources include the Recorded Future Platform®, GreyNoise, Shodan, and BinaryEdge.

Executive Summary

Web shells are common and powerful tools used by threat actors to maintain access to public-facing web servers. They are lightweight, sometimes containing as few as 4 lines of code, and let threat actors execute secondary payloads, escalate privileges, exfiltrate data, and move laterally within the compromised network. Web shells often go undetected due to the small footprint left during their use, an organization’s limited visibility of their public-facing servers, and the ability for web shell-associated network traffic to blend in with normal web server activity. Our research provides a full-spectrum approach to detecting web shells, combining log analysis, network analysis, and web shell scanning techniques. We focus on a subset of web shells recently used by state-sponsored and criminal threat actors: Alfa, SharPyShell, Krypton, ASPXSpy, and TWOFACE. Our methodology and detections can be applied internally for defenders but also by security researchers hunting for the presence of web shells on externally facing servers.

Key Judgments

Editor’s Note: This post was an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.