Hey all, the recommended hunts for potential exploitation of CVE-2023-3519 involve searching for webshell-like files that are newer than the last patch of the system.

That's cool, and you should do it, but also be aware that timestomping is a very common technique used by attackers targeting *Nix systems with 0-days.

A more considered approach to hunting webshells may be valuable, such as entropy analysis within web-facing directories. And, of course, log analysis for abnormal commands post-exploitation.

#ThreatIntel #CVE20233519

MITRE ATT&CK vulnerability spotlight: Timestomping | Infosec Resources


Not sure what I mean about file entropy analysis? Glad you asked!

My research indicates that obfuscated webshells are entropic enough to pop when analyzing webroots for common PHP apps like WordPress.

https://github.com/mttaggart/webshell-entropy

A tool you can use to scan yourself is Sandfly's entropy scanner: https://github.com/sandflysecurity/sandfly-entropyscan

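A minimal version of the entropy scan described above, as an added example that is not the code from webshell-entropy or sandfly-entropyscan: it walks a webroot, computes Shannon entropy for each web script and flags files at or above a threshold, judging content only so a timestomped mtime changes nothing. The 5.5 bits/byte threshold, the extension list and the constructed sample webroot are assumptions for illustration.

```python
"""Entropy scan of a webroot for obfuscated webshells (added example)."""
import base64
import math
import os
import random
import tempfile
from collections import Counter

WEB_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}  # assumed list


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for identical bytes, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_webroot(root: str, threshold: float = 5.5, min_size: int = 256):
    """Return [(path, entropy)] for web scripts at/above threshold, highest first.
    Uses file content only, never mtime, so timestomping does not hide a file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if len(data) < min_size:
                continue  # tiny files give noisy entropy estimates
            ent = shannon_entropy(data)
            if ent >= threshold:
                hits.append((path, round(ent, 2)))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def build_sample_webroot() -> str:
    """Constructed sample: an ordinary PHP page plus a file that is mostly an
    opaque base64 blob, the shape obfuscated webshells tend to take."""
    root = tempfile.mkdtemp(prefix="webroot-")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php\n" + "echo 'Hello from the index page';\n" * 40)
    rng = random.Random(1234)  # fixed seed keeps the sample reproducible
    blob = base64.b64encode(bytes(rng.getrandbits(8) for _ in range(3000))).decode()
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    with open(os.path.join(uploads, "cache.php"), "w") as fh:
        fh.write("<?php\n$d = '" + blob + "';\n")
    return root
```

Plain PHP scores well under 5 bits/byte while base64-heavy content sits near 6, so the blob file is the only hit on the sample webroot; tune the threshold against a known-good copy of your own application before trusting it in production.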
And here's the actual video where I demo that this technique works: https://www.youtube.com/live/ev-v-NYEO1o
Live Research! | Webshell Entropy and #MachineLearning/#AI