Webshell Attacks: Setup and Detection with Prisma Cloud


By Vinay Kumar M, Team Lead

 

In today's digital landscape, webshell attacks pose a significant security threat to organizations worldwide. These attacks involve the deployment of malicious scripts on a web server, allowing attackers to:

  • Gain unauthorized access

  • Execute commands

  • Manipulate server resources

 

Webshells can be exploited for various malicious activities, such as data theft, system compromise, and further infiltration into an organization's network.

 

As web applications evolve in complexity, so do the techniques used in these attacks. Traditional security measures often fall short in detecting webshells due to their ability to blend in with legitimate web traffic and their minimal footprint on the server. Therefore, proactive detection and quick response are essential to mitigate these threats.

 

Introducing Prisma Cloud for Webshell Detection

 

Prisma Cloud, a comprehensive cloud-native security platform, offers advanced tools and techniques for detecting webshell threats. Its deep integration with cloud infrastructure provides an edge in identifying and mitigating these threats, thanks to its robust set of security features designed specifically for cloud environments and applications.

 

Step-by-Step Guide: Detecting Webshell Attacks with Prisma Cloud

 

1. Download the Custom VM Image

 

Start by downloading the custom VM image and extracting it locally. Once extracted, import it into your Google Cloud Platform (GCP) project using the following command. Replace the project ID (pcc-ce-1 in this example) and the source file path with your own values.

 

gcloud compute images import --project=pcc-ce-1 --source-file=<path>/disk.raw --os=ubuntu-1804 webshell-apache-ubuntu18


Expected output:

 

=============================================================================
Copying [disk.raw] to [gs://pcc-ce-1-daisy-bkt/tmpimage/23d198c3-8aad-4086-87f2-cd2307f31e7d-disk.raw]...done.
WARNING: Importing image. This may take up to 2 hours.
Logs are available at: [https://console.cloud.google.com/cloud-build/builds;region=us-central1/7b5xxxxxxx39-b8d0-axxxxxx?project=9xxxxxxxxxxx ].
[import-image]: 2024-05-13T23:25:00Z The boot disk can boot with either BIOS or a UEFI bootloader. The default setting for booting is BIOS. If you want to boot using UEFI, please see https://cloud.google.com/compute/docs/import/importing-virtual-disks#importing_a_virtual_disk_with_uefi_bootloader '.
[import-image]: 2024-05-13T23:25:17Z Making disk bootable on Google Compute Engine
[import-image]: 2024-05-13T23:28:31Z Finished making disk bootable
=============================================================================

 

2. Create a VM Using the Imported Image

 

Once the image is successfully imported, create a VM using the following configuration:

  • Machine type: "E2" / "e2-small (2vCPU, 2 GB memory)"

  • Boot disk type / Size: Balanced persistent disk / 12 GB

  • Identity and API Access:

    • Service account: "Compute Engine default service account"

    • Access scopes: "Allow default access"

  • Firewall:

    • Check "Allow HTTP traffic"

    • Check "Allow HTTPS traffic"

 

Figure 1: VM Created_PaloAltoNetworks

 

3. SSH into the VM and Deploy Prisma Cloud Defender

 

After creating the VM, SSH into it.

 

In your Prisma SaaS console, follow these steps:

  1. Navigate to Manage → Defenders → Deploy → Defenders → Single Defender → Host Linux Defender.

  2. Copy and paste the single defender deployment script on the webshell host (your VM).

  3. Verify that the defender has connected by going to Manage → Defenders → Manage → Defenders.


4. Create a collection to isolate this host.

 


Figure 2: Collections/Scope_PaloAltoNetworks

 

5. Configure Prisma Cloud for Webshell Detection

 

To detect webshell activity, follow these steps:

  1. Go to Defend → Runtime → Host policy.

  2. Add a new rule under the Anti-malware section.

  3. Set the Webshell detection action to Alert.

 

 

Figure 3: Runtime Host Rule Configuration_PaloAltoNetworks

 

6. Trigger the Webshell Attack

 

To simulate the webshell attack:

  1. Open your browser and navigate to the following URL:

http://[Hostname/IP]/webshell.php

This should display a field that allows you to execute Linux commands. The host IP will be your VM’s IP.

  2. Run any basic Linux command (e.g., ps or ls -la) and view the output in the browser.

Alternatively, you can use a terminal:

curl "http://[Hostname/IP]/webshell.php?cmd=ls+-la;"

 

7. Monitor Prisma Cloud for Detection Events

 

To verify that Prisma Cloud has detected the webshell activity, follow these steps:

  1. Go to Monitor → Events → Host → Host Audits.

  2. Filter the event type for "Web Shell" to view the detection logs.

 

 
Figure 4: Events Generated in Prisma Cloud_PaloAltoNetworks
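
The test request from step 6 also leaves a trace in the web server's access log, which can serve as a cross-check on the Host Audit event. The following is an added example, not part of the original article or of Prisma Cloud: it scans Apache combined-format log lines for script requests whose query parameters decode to shell commands. The log lines, IP addresses, command list and extension list are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined log format: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Assumption: a short, tunable list of command names; matched only as whole tokens.
CMD_RE = re.compile(
    r'(?:^|[;|&\s])(?:ls|ps|id|whoami|uname|cat|wget|curl|nc|bash|sh)(?:$|[;|&\s])')
SCRIPT_EXT = ('.php', '.phtml', '.jsp', '.aspx')  # assumption: server-side script types

# Constructed sample lines; the third mirrors the curl request from step 6.
SAMPLE_LOG = [
    '198.51.100.7 - - [13/May/2024:23:40:01 +0000] "GET /index.html HTTP/1.1" 200 10918 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/May/2024:23:40:09 +0000] "GET /search.php?q=cloud+security HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.25 - - [13/May/2024:23:41:12 +0000] "GET /webshell.php?cmd=ls+-la; HTTP/1.1" 200 1843 "-" "curl/7.58.0"',
    '203.0.113.25 - - [13/May/2024:23:41:30 +0000] "GET /webshell.php?cmd=ps HTTP/1.1" 200 977 "-" "curl/7.58.0"',
]

def suspicious_params(target):
    """Return (name, decoded value) pairs in a request target that look like shell commands."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(SCRIPT_EXT):
        return []
    # parse_qsl URL-decodes values, so "ls+-la;" is inspected as "ls -la;"
    return [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if CMD_RE.search(v)]

def scan(lines):
    """Return one finding per suspicious query parameter; unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, value in suspicious_params(m['target']):
            findings.append({'ip': m['ip'], 'time': m['ts'],
                             'path': urlsplit(m['target']).path,
                             'param': param, 'command': value,
                             'status': int(m['status'])})
    return findings

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Commands submitted through the browser form in a POST body do not appear in the access log, so this check complements the host-level runtime detection rather than replacing it.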

 

Conclusion

 

Webshell attacks continue to evolve, becoming more sophisticated and harder to detect with traditional security measures. Prisma Cloud provides a proactive, cloud-native solution for detecting and mitigating webshell threats. By leveraging its deep integration with cloud infrastructure and advanced threat detection capabilities, Prisma Cloud can identify webshell activity and alert security teams before damage is done.

 

By following the steps outlined in this guide, organizations can simulate webshell attacks and see firsthand how Prisma Cloud defends against these threats, ensuring a more secure cloud environment.



About the Author

 

Vinay Kumar M is a seasoned professional with over 8 years of invaluable experience in the dynamic realm of cloud computing. As Team Lead of the JAPAC CS Scale Team at PANW, Vinay specializes in navigating the intricate landscape of Prisma Cloud and Compute, showcasing his expertise in ensuring seamless operations for accounts across the Asia-Pacific region.

Last Updated: 11-22-2024 02:26 PM