stefankittel
Mar 08, 2021, updated at Mar 09, 2021 (UTC)
view2909
view1
2
Goto Top

Version von detect webshells ps1 zur Nutzung mit einem RMM

GermanGeneralExchange ServerMicrosoft
Hallo,

ich habe mal die aktuelle Version von detect_webshells.ps1 für Solarwinds MSP RMM angepasst.

Dafür habe ich die Ausgabe auf eine Zeile reduziert und gebe einen Exit-Wert aus.
Damit erkennt das RMM ob alles OK ist oder etwas gefunden wurde.

Ausgabe nur 1 Zeile
0 = Alles OK
0 = Fehler

Damit läuft diese Prüfung täglich.

Viele Grüße

Stefan

detect_webshells_smsprmm_100.ps1
# Detect webshells dropped on Microsoft Exchange servers after 0day compromises 
# https:{{comment_single_line_double_slash:0}}
#
# Modified by Stefan Kittel to use with solarwinds msp
#
# version 1.00 - 08.03.2021
#

if (!(Test-Path -PathType Container "$($env:exchangeinstallpath)/Frontend")) {  
    Write-Host "Could not detect Exchange installation directory"  
    exit 1001
}

##
## 1. iterate over files in inetpub/wwwroot and consider everything suspicious
##

$inetpubs = @()

# inetpub is usually located at "$($env:systemdrive)/inetpub"  
$path = "$($env:systemdrive)/inetpub/wwwroot/aspnet_client".ToLower()  
if ( Test-Path -PathType Container $path ) {
    $inetpubs += $path
}

# but IIS might be pointing to a different place
try {
    $inetpubs = $inetpubs + (Get-WebFilePath 'IIS:\Sites\Default Web Site\aspnet_clients').FullName.ToLower() | select -Unique  
} catch {
    # e.g. Default Web Site might have been removed from IIS
}

# some IIS have useless web.config files in inetpub for legacy reasons
$files = Get-ChildItem $inetpubs -Recurse -File | Where-Object { $_.Name -ne "web.config" }  
if ($files) {
    Write-Host "Found suspicious files (not used by Exchange, typical webshell location) - run script on machine to get detailed informations"  
	exit 1002
}

# web.config can hold backdoor itself though, so filter out legacy ones

# hashes of false positive web.config files
$false_positives = $(
# <?xml version="1.0" encoding="UTF-8"?>  
# <configuration>
# <system.webServer>
# <httpRedirect enabled="false" />  
# </system.webServer>
# </configuration>
    "5470EAFEB40805AC58B13DE3EB64BEA6200C5446E37A21E7674913F2ADF5C089",  
#
# <?xml version="1.0" encoding="UTF-8"?>  
# <configuration>
# <system.webServer>
# <httpRedirect enabled="true" />  
# </system.webServer>
# </configuration>
    "843A6D81A3BE784755EF1340F224465CD9AA51E7A71D4153048307F8E1AA7C15",  
#
# <configuration>
# <system.webServer>
# <httpRedirect enabled="false" destination="" childOnly="false" />  
# </system.webServer>
# </configuration>
    "6625962A82913289FEFDC17E12BB44360898C12D0DBD3E47B0A9345ED99C887D",  
#
# <configuration>
# <system.webServer>
# <httpRedirect enabled="true" destination="" childOnly="false" />  
# </system.webServer>
# </configuration>
    "0B996ADC7D510FCCEB253DC8B56AAA487840DD84EECD022F8F3A36EB0A6FD9F6"  
)

# go through web.config's, filter out the ones with hashes different from the ones listed above  
$hashes = Get-ChildItem $inetpub -Recurse -File |
  Where-Object { $_.Name -eq "web.config" } |  
  ForEach-Object { Get-FileHash -Algorithm sha256 $_.FullName } |
  Where-Object { $_.Hash -notin $false_positives }

if ($hashes) {
    Write-Host "Found web.config files - run script on machine to get detailed informations"  
	exit 1003
}


##
## 2. iterate over files in frontend and look for webshell IoC's  
##

$keywords = @(
    # interpreters used in webshells and not used by Exchange
    'wscript',  
    'vbscript',  
    'visualbasic',  
    'jscript',  
    # evals & co
    'eval\s?\(',  
    'process\s?\(',  
    'eval_r',  
    'executestatement',  
    'processstartinfo',  
    'os.run',  
    'oscript.run',  
    'oshell.run',  
    # encoding, smuggling
    'convert.frombase64string',  
    'request.headers',  
    'createobject',  
    # file managers / droppers
    'filesystemobject',  
    'httppostedfile',  
    'system.io.file',  
    'writealltext',  
    # command execution
    'cmd.exe',  
    'cmd /c',  
    'powershell.exe',  
    # post exploitation
    'net user',  
    'net group',  
    'lsass.exe',  
    'procdump',  
    'whoami',  
    'ping.exe',  
    # csharp webshells
    'new socket',  
    'binarywrite'  
    # SharPyShell
    'assembly.load',  
    'compileassemblyfromsource',  
    'aesenc',  
    # generic tags
    'webshell')  

$directory = "$($env:exchangeinstallpath)/Frontend"  
$matches = dir -Recurse $directory | Select-String -Pattern $keywords
if ($matches) {
    Write-Host "Found suspicious files in Exchange frontend dir and they match functions used by known webshells -  - run script on machine to get detailed informations"  
	exit 1004
}

Write-Host "No webshells found, but they might have been removed or attackers might have used other persistence techniques"  
exit 0
comment-contentCommentShareShare
Share on Facebook Share on Twitter Share on Reddit Share on Linkedin

Content-Key: 660586

Url: https://administrator.de/contentid/660586

Printed on: April 18, 2024 at 08:04 o'clock

1 Comment
Goto Top
Member: Coreknabe
Coreknabe Mar 09, 2021 at 06:58:39 (UTC)
Goto Top
Hi Stefan,

vielen Dank, dass Du das hier teilst!

Gruß
GermanGeneralExchange ServerMicrosoft
Hotly discussed
AlexWishaHow to set up and configure a Linux GRE tunnelAlexWisha - 3 CommentsDaniEnd of Support dates for Office 2016, 2019 Apps und Productivity ServersDani - 1 Comment