
Version of detect_webshells.ps1 for use with an RMM


I have adapted the current version of detect_webshells.ps1 for Solarwinds MSP RMM.

For that I reduced the output to a single line and return an exit value.
That way the RMM can tell whether everything is OK or something was found.

Output is only 1 line
0 = All OK
0 = Error

With this, the check runs daily.

Best regards


# Detect webshells dropped on Microsoft Exchange servers after 0day compromises
# https:{{comment_single_line_double_slash:0}}
# Modified by Stefan Kittel to use with solarwinds msp
# version 1.00 - 08.03.2021
#
# Exit codes (consumed by the RMM): 0 = nothing found, 1001-1004 = see below

if (!(Test-Path -PathType Container "$($env:exchangeinstallpath)/Frontend")) {
    Write-Host "Could not detect Exchange installation directory"
    exit 1001
}

## 1. iterate over files in inetpub/wwwroot and consider everything suspicious

$inetpubs = @()

# inetpub is usually located at "$($env:systemdrive)/inetpub"
$path = "$($env:systemdrive)/inetpub/wwwroot/aspnet_client".ToLower()
if ( Test-Path -PathType Container $path ) {
    $inetpubs += $path
}

# but IIS might be pointing to a different place
try {
    # Get-WebFilePath comes from the WebAdministration module
    Import-Module WebAdministration -ErrorAction Stop
    $inetpubs = $inetpubs + (Get-WebFilePath 'IIS:\Sites\Default Web Site\aspnet_clients').FullName.ToLower() | select -Unique
} catch {
    # e.g. Default Web Site might have been removed from IIS, or the module is missing
}

# some IIS have useless web.config files in inetpub for legacy reasons
# (guard against an empty path list: Get-ChildItem without a path would scan the current directory)
$files = @()
if ($inetpubs) {
    $files = Get-ChildItem $inetpubs -Recurse -File | Where-Object { $_.Name -ne "web.config" }
}
if ($files) {
    Write-Host "Found suspicious files (not used by Exchange, typical webshell location) - run script on machine to get detailed information"
    exit 1002
}

# web.config can hold backdoor itself though, so filter out legacy ones

# hashes of false positive web.config files
# NOTE: the SHA256 values did not survive the forum extraction; the list below is empty
# and must be refilled. The four legacy web.config variants they belong to are:
$false_positives = @(
    # <?xml version="1.0" encoding="UTF-8"?>
    # <configuration>
    # <system.webServer>
    # <httpRedirect enabled="false" />
    # </system.webServer>
    # </configuration>
    # <?xml version="1.0" encoding="UTF-8"?>
    # <configuration>
    # <system.webServer>
    # <httpRedirect enabled="true" />
    # </system.webServer>
    # </configuration>
    # <configuration>
    # <system.webServer>
    # <httpRedirect enabled="false" destination="" childOnly="false" />
    # </system.webServer>
    # </configuration>
    # <configuration>
    # <system.webServer>
    # <httpRedirect enabled="true" destination="" childOnly="false" />
    # </system.webServer>
    # </configuration>
)

# go through web.config's, filter out the ones with hashes different from the ones listed above
$hashes = @()
if ($inetpubs) {
    $hashes = Get-ChildItem $inetpubs -Recurse -File |
      Where-Object { $_.Name -eq "web.config" } |
      ForEach-Object { Get-FileHash -Algorithm sha256 $_.FullName } |
      Where-Object { $_.Hash -notin $false_positives }
}

if ($hashes) {
    Write-Host "Found web.config files - run script on machine to get detailed information"
    exit 1003
}

## 2. iterate over files in frontend and look for webshell IoC's

# NOTE: most entries of this list were lost in the forum extraction; only the
# category comments and a few patterns remain. Refill it from the upstream script.
$keywords = @(
    # interpreters used in webshells and not used by Exchange
    # evals & co
    # encoding, smuggling
    # file managers / droppers
    # command execution
    'cmd /c',
    # post exploitation
    'net user',
    'net group',
    # csharp webshells
    'new socket'
    # SharPyShell
    # generic tags
)

$directory = "$($env:exchangeinstallpath)/Frontend"
# $matches is an automatic variable in PowerShell, so the result is stored under another name;
# -File keeps directories out of Select-String
$found = Get-ChildItem -Recurse -File $directory | Select-String -Pattern $keywords
if ($found) {
    Write-Host "Found suspicious files in Exchange frontend dir and they match functions used by known webshells - run script on machine to get detailed information"
    exit 1004
}

Write-Host "No webshells found, but they might have been removed or attackers might have used other persistence techniques"
exit 0
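The script's web.config check is a byte-exact SHA256 allowlist, so the hash of a legacy file depends on its BOM, line endings and trailing newline, not only on the XML shown in the comments. The following is an added example (not part of the posted script or the upstream project) that rebuilds a $false_positives list from the four quoted variants across all of those byte-level combinations; it assumes the files carry no indentation, as in the quoted comments.

```powershell
# Added example (not from the posted script): rebuild the $false_positives list
# from the four legacy web.config variants quoted in the script's comments.
# Get-FileHash hashes raw bytes, so BOM, line endings and a trailing newline all
# change the result; every combination is emitted. Assumes no indentation.
$declaration = '<?xml version="1.0" encoding="UTF-8"?>'
$redirects = @(
    '<httpRedirect enabled="false" />',
    '<httpRedirect enabled="true" />',
    '<httpRedirect enabled="false" destination="" childOnly="false" />',
    '<httpRedirect enabled="true" destination="" childOnly="false" />'
)

function New-LegacyWebConfigLines([string]$Redirect, [bool]$WithDeclaration) {
    $lines = @()
    if ($WithDeclaration) { $lines += $declaration }
    $lines += '<configuration>', '<system.webServer>', $Redirect,
              '</system.webServer>', '</configuration>'
    return $lines
}

function Get-TextSha256([string[]]$Lines, [string]$Newline, [bool]$Bom, [bool]$TrailingNewline) {
    $text = $Lines -join $Newline
    if ($TrailingNewline) { $text += $Newline }
    $bytes = (New-Object System.Text.UTF8Encoding($Bom)).GetBytes($text)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', '' }
    finally { $sha.Dispose() }
}

# variants 1 and 2 carry the XML declaration, 3 and 4 do not (as in the comments)
$false_positives = foreach ($i in 0..3) {
    $lines = New-LegacyWebConfigLines $redirects[$i] ($i -lt 2)
    foreach ($nl in "`r`n", "`n") {
        foreach ($bom in $false, $true) {
            foreach ($trail in $false, $true) {
                Get-TextSha256 $lines $nl $bom $trail
            }
        }
    }
}
$false_positives = @($false_positives | Sort-Object -Unique)

# self-check: a file written by .NET (UTF-8, no BOM, CRLF, trailing newline) must be listed
$tmp = Join-Path $env:TEMP 'legacy-web.config'
[System.IO.File]::WriteAllLines($tmp, [string[]](New-LegacyWebConfigLines $redirects[0] $true))
if ((Get-FileHash -Algorithm SHA256 $tmp).Hash -notin $false_positives) { throw "self-check failed" }
Remove-Item $tmp
$false_positives
```

Paste the printed hashes into the script's $false_positives array; if a legacy file on a real server is indented or encoded differently, hash that clean reference copy directly with Get-FileHash instead.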


Member: Coreknabe
Coreknabe Mar 09, 2021 at 06:58:39 (UTC)
Hi Stefan,

thank you very much for sharing this here!
