In today's digital landscape, webshell attacks pose a significant security threat to organizations worldwide. These attacks involve the deployment of malicious scripts on a web server, allowing attackers to:
- Gain unauthorized access
- Execute commands
- Manipulate server resources
Webshells can be exploited for various malicious activities, such as data theft, system compromise, and further infiltration into an organization's network.
As web applications evolve in complexity, so do the techniques used in these attacks. Traditional security measures often fall short in detecting webshells due to their ability to blend in with legitimate web traffic and their minimal footprint on the server. Therefore, proactive detection and quick response are essential to mitigate these threats.
Prisma Cloud, a comprehensive cloud-native security platform, offers advanced tools and techniques for detecting webshell threats. Its deep integration with cloud infrastructure provides an edge in identifying and mitigating these threats, thanks to its robust set of security features designed specifically for cloud environments and applications.
Start by downloading the custom VM image here and extracting it locally. Once extracted, import it into your Google Cloud Platform (GCP) project using the following command, replacing the project and file-path placeholders with your own values.
gcloud compute images import --project=pcc-ce-1 --source-file=<path>/disk.raw --os=ubuntu-1804 webshell-apache-ubuntu18
Expected output:
==============================
Copying [disk.raw] to [gs://pcc-ce-1-daisy-bkt/
WARNING: Importing image. This may take up to 2 hours.
Logs are available at: [https://console.cloud.google.
…
…
[import-image]: 2024-05-13T23:25:00Z The boot disk can boot with either BIOS or a UEFI bootloader. The default setting for booting is BIOS. If you want to boot using UEFI, please see https://cloud.google.com/
[import-image]: 2024-05-13T23:25:17Z Making disk bootable on Google Compute Engine
[import-image]: 2024-05-13T23:28:31Z Finished making disk bootable
==============================
Once the image is successfully imported, create a VM using the following configuration:
- Machine type: "E2" / "e2-small (2 vCPU, 2 GB memory)"
- Boot disk type / size: Balanced persistent disk / 12 GB
- Identity and API access: Service account "Compute Engine default service account"; Access scopes "Allow default access"
- Firewall: check "Allow HTTP traffic" and "Allow HTTPS traffic"
Figure 1: VM created
After creating the VM, SSH into it.
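As an added example (not part of the original post), the same lab VM can be provisioned from the command line with the console settings listed above, which makes the setup reproducible and reviewable before anything is created. The zone, VM name and local path to disk.raw are assumptions to replace with your own; the project and image name come from the import command above.

```shell
#!/bin/sh
# Added example, not from the original post: build the lab with gcloud using
# the same settings the console steps above use. DRY_RUN=1 only prints commands.
set -eu
PROJECT="${PROJECT:-pcc-ce-1}"            # project from the post's import command
IMAGE_NAME="webshell-apache-ubuntu18"     # image name from the post's import command
IMAGE_FILE="${IMAGE_FILE:-./disk.raw}"    # assumption: path to the extracted disk.raw
ZONE="${ZONE:-us-central1-a}"             # assumption: any zone works for the lab
VM_NAME="${VM_NAME:-webshell-lab}"        # assumption
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print the gcloud commands, 0 = run them

# Step 1: import disk.raw as a custom image (same flags as the post's command).
import_image_args() {
  printf '%s ' compute images import "$IMAGE_NAME" \
    "--project=$PROJECT" "--source-file=$1" --os=ubuntu-1804
}

# Step 2: create the VM. Each flag maps to a console setting from the list above:
#   e2-small / pd-balanced 12GB  -> machine type and boot disk
#   --scopes=default             -> "Allow default access" on the default service account
#   http-server,https-server     -> "Allow HTTP/HTTPS traffic" (GCP's default-allow-http* rules)
create_vm_args() {
  printf '%s ' compute instances create "$VM_NAME" \
    "--project=$PROJECT" "--zone=$ZONE" --machine-type=e2-small \
    "--image=$IMAGE_NAME" "--image-project=$PROJECT" \
    --boot-disk-type=pd-balanced --boot-disk-size=12GB \
    --scopes=default --tags=http-server,https-server
}

# Print or execute a command depending on DRY_RUN.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Wait until the lab page answers over HTTP before starting the Prisma Cloud test.
# Reachability only (HTTP 200): it sends no command to the page.
wait_for_http() {
  n=0
  while [ "$n" -lt 30 ]; do
    curl -fsS -o /dev/null "http://$1/webshell" && return 0
    n=$((n + 1)); sleep 10
  done
  echo "webshell page on $1 not reachable after 5 minutes" >&2; return 1
}

main() {
  run gcloud $(import_image_args "$IMAGE_FILE")
  run gcloud $(create_vm_args)
  if [ "$DRY_RUN" = 1 ]; then return 0; fi
  ip=$(gcloud compute instances describe "$VM_NAME" --zone="$ZONE" --project="$PROJECT" \
       --format='get(networkInterfaces[0].accessConfigs[0].natIP)')
  wait_for_http "$ip"
}
main
```

Run with DRY_RUN=0 once the printed commands look right; the image import itself can take up to two hours, as the expected output above notes.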
In your Prisma SaaS console, follow these steps:
Navigate to Manage → Defenders → Deploy → Defenders → Single Defender → Host Linux Defender.
Copy the single Defender deployment script and run it on the webshell host (your VM).
Verify that the defender has connected by going to Manage → Defenders → Manage → Defenders.
Figure 2: Collections/Scope
To detect webshell activity, follow these steps:
Go to Defend → Runtime → Host policy.
Add a new rule under the Anti-malware section.
Set the Webshell detection action to Alert.
Figure 3: Runtime host rule configuration
To simulate the webshell attack:
Open your browser and navigate to the following URL:
http://[Hostname/IP]/webshell.
This should display a field that allows you to execute Linux commands. The hostname/IP is your VM's external IP.
Run any basic Linux command (e.g., ps or ls -la) and view the output in the browser.
Alternatively, you can use a terminal:
curl "http://[Hostname/IP]/
To verify that Prisma Cloud has detected the webshell activity, follow these steps:
Go to Monitor → Events → Host → Host Audits.
Filter the event type for "Web Shell" to view the detection logs.
Webshell attacks continue to evolve, becoming more sophisticated and harder to detect with traditional security measures. Prisma Cloud provides a proactive, cloud-native solution for detecting and mitigating webshell threats. By leveraging its deep integration with cloud infrastructure and advanced threat detection capabilities, Prisma Cloud can identify webshell activity and alert security teams before damage is done.
By following the steps outlined in this guide, organizations can simulate webshell attacks and see firsthand how Prisma Cloud defends against these threats, ensuring a more secure cloud environment.
Vinay Kumar M is a seasoned professional with over 8 years of invaluable experience in the dynamic realm of cloud computing. As a Team lead, JAPAC CS Scale Team in PANW, Vinay specializes in navigating the intricate landscape of Prisma Cloud and Compute, showcasing his expertise in ensuring seamless operations for accounts across the Asia-Pacific region.