
ACSC Reverse Shells [0.1]

Nick Klein edited this page Sep 14, 2020 · 5 revisions

A finding under this detection indicates that a file with characteristics matching a known attacker reverse shell, as identified by the ACSC, has been found.

Overview

The ACSC disclosed in a recent advisory an increase in attackers leveraging proof-of-concept open source exploits, code and tools. Reverse shells are one of many tactics, techniques and procedures (TTPs) identified within this advisory.

A reverse shell can allow an attacker to remotely access internal systems to execute code and perform other activities. There are multiple ways for a reverse shell to be installed on a system, including through physical access, vulnerable external systems, users downloading and executing programs, or opening of malicious email attachments.

Detection Approach

This search looks for any files which may suggest the presence of reverse shells as identified within ACSC advisory 2020-008, using intelligence provided by the ACSC and other sources including investigations performed by CyberCX and CrowdStrike. See the threat intelligence sources section below for further details. Hits are derived from the intelligence provided, and do not consider environmental factors specific to your computer or network environment.
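The following is an added example, not CCX Digger's own code, of the file-matching approach described above: it walks a set of directories, hashes each file and reports any whose SHA-256 or file name matches a supplied indicator list. The function name, parameter names and the search roots are assumptions, and the indicator values in it are constructed placeholders rather than the ACSC's real indicators; substitute the hashes and names from the advisory or your own intelligence feed.

```powershell
# Added example (not CCX Digger's own code): match files on disk against a list of
# reverse-shell indicators (SHA-256 hashes and file-name patterns).
# All indicator values below are CONSTRUCTED PLACEHOLDERS, not real ACSC IoCs.

function Find-ReverseShellArtefacts {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Path,        # roots to scan, e.g. web roots, temp directories
        [string[]] $IndicatorHashes = @(),               # SHA-256 hashes (hex, any case)
        [string[]] $IndicatorNames  = @(),               # file names, wildcards allowed
        [long]     $MaxFileSizeBytes = 50MB              # skip very large files to keep the scan fast
    )

    # Normalise the hash list once so lookups are case-insensitive and O(1).
    $hashSet = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($h in $IndicatorHashes) { [void]$hashSet.Add($h.Trim()) }

    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -le $MaxFileSizeBytes } |
        ForEach-Object {
            $file    = $_
            $reasons = @()

            # Name-based match first: it is cheap and needs no file read.
            foreach ($pattern in $IndicatorNames) {
                if ($file.Name -like $pattern) { $reasons += "name matches '$pattern'" }
            }

            # Hash-based match: only hash when there are hashes to compare against.
            $sha256 = $null
            if ($hashSet.Count -gt 0) {
                try {
                    $sha256 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
                    if ($hashSet.Contains($sha256)) { $reasons += 'SHA-256 matches indicator' }
                } catch {
                    Write-Verbose "Could not hash $($file.FullName): $($_.Exception.Message)"
                }
            }

            if ($reasons.Count -gt 0) {
                # One object per hit so results can be exported (Export-Csv, ConvertTo-Json) for triage.
                [pscustomobject]@{
                    Artefact      = 'CyberCX.ACSC.2020008.ReverseShells'
                    Path          = $file.FullName
                    SizeBytes     = $file.Length
                    LastWriteTime = $file.LastWriteTimeUtc
                    SHA256        = $sha256
                    Reason        = ($reasons -join '; ')
                }
            }
        }
}

# Constructed placeholder indicators for illustration only; replace with real intelligence.
$placeholderHashes = @(
    '0000000000000000000000000000000000000000000000000000000000000001'   # PLACEHOLDER hash
)
$placeholderNames = @('PLACEHOLDER-revshell*.exe')                         # PLACEHOLDER name pattern

Find-ReverseShellArtefacts -Path 'C:\inetpub', "$env:SystemRoot\Temp" `
    -IndicatorHashes $placeholderHashes -IndicatorNames $placeholderNames |
    Format-Table -AutoSize
```

As with the detection itself, a hit from this script is an intelligence match only: it says nothing about whether the file is expected on that host, so each result still needs the contextual review described under Interpreting the Results.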

Detection Artefact

CyberCX.ACSC.2020008.ReverseShells

Threat Intelligence Sources

The threat intelligence sources used to develop these detections include:

Interpreting the Results

A finding does not necessarily indicate confirmed compromise of your system, but it may well be indicative of attacker activity. It is recommended to review each detection contextually to confirm whether the finding is definitively malicious or a false positive. Guidance on how to approach these investigations is provided within this section.

Investigations

This section provides general guidance on how to determine if a finding is indicative of malicious activity. Please note the specific detection results within the report generated by CCX Digger when conducting the investigation, as some of the content below may not be applicable for your system.

These guides do not consider contextual usage, such as the environment, applications and expected activity for the computer. The review should consider what activity is expected in conjunction with the reverse shell file detection results.

Telerik Reverse Shell (CVE-2019-18935)

The ACSC have identified that attackers have been exploiting specific, unpatched versions of Telerik UI for ASP.NET AJAX to compromise the target host. This can allow an attacker to remotely execute arbitrary code on the computer.

  • Confirm that Telerik UI is running on the host. If so, refer to the ACSC advisory for guidance on detection, remediation and mitigation of this vulnerability.
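One way to carry out the "confirm Telerik UI is running on the host" step above, as an added example that is not CCX Digger's or the ACSC's own code: locate every copy of Telerik.Web.UI.dll on disk and in the running IIS worker processes, and report its file version so it can be compared with the version the advisory and vendor guidance identify as patched. The function name, the default search roots and the -PatchedVersion parameter are assumptions; the page does not state a version, so the script takes the patched version as input rather than hard-coding one.

```powershell
# Added example (not CCX Digger's own code): find Telerik UI for ASP.NET AJAX on an IIS host
# and report the version of each Telerik.Web.UI.dll, on disk and loaded into w3wp.exe.
# Default search roots are assumed common locations; pass -PatchedVersion from the advisory.

function Test-OlderThanPatched {
    param([version] $Version, [version] $Patched)
    # Returns $null when either side is unknown so the caller never mistakes "unknown" for "safe".
    if ($Version -and $Patched) { return $Version -lt $Patched }
    return $null
}

function Get-TelerikUiInstallation {
    [CmdletBinding()]
    param(
        [string[]] $SearchRoot = @('C:\inetpub', "$env:SystemRoot\Microsoft.NET"),  # assumed locations
        [version]  $PatchedVersion                                                   # from advisory/vendor
    )

    # 1. Copies of the assembly on disk (web application bin folders, GAC).
    $onDisk = Get-ChildItem -Path $SearchRoot -Filter 'Telerik.Web.UI.dll' -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ver = $null
            try { $ver = [version]$_.VersionInfo.FileVersion } catch { }
            [pscustomobject]@{
                Source      = 'disk'
                Path        = $_.FullName
                FileVersion = $ver
                Loaded      = $false
                OlderThanPatched = Test-OlderThanPatched -Version $ver -Patched $PatchedVersion
            }
        }

    # 2. Copies currently loaded into IIS worker processes: this is what confirms the site is
    #    actually running Telerik. Module enumeration needs admin rights and matching bitness,
    #    so failures are logged with -Verbose and otherwise ignored.
    $loaded = Get-Process -Name w3wp -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        try {
            $proc.Modules | Where-Object { $_.ModuleName -ieq 'Telerik.Web.UI.dll' } | ForEach-Object {
                $ver = $null
                try { $ver = [version]$_.FileVersionInfo.FileVersion } catch { }
                [pscustomobject]@{
                    Source      = "w3wp PID $($proc.Id)"
                    Path        = $_.FileName
                    FileVersion = $ver
                    Loaded      = $true
                    OlderThanPatched = Test-OlderThanPatched -Version $ver -Patched $PatchedVersion
                }
            }
        } catch {
            Write-Verbose "Could not enumerate modules of PID $($proc.Id): $($_.Exception.Message)"
        }
    }

    @($onDisk) + @($loaded)
}

# Usage: supply the patched version from the ACSC advisory / Telerik guidance, e.g.
#   Get-TelerikUiInstallation -PatchedVersion '<PATCHED-VERSION-FROM-ADVISORY>'
Get-TelerikUiInstallation | Format-Table -AutoSize
```

An empty result means no Telerik.Web.UI.dll was found under the roots searched or in any running worker process, not that the component is absent from the host; non-default application paths should be added to -SearchRoot before concluding that this finding does not apply.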

References

Need Help?

If you have followed the investigations to confirm the validity of the findings, and believe your system may be at risk, please visit the Need Help? page for further instructions. Please refer to the same page for further context on how to use this wiki.

Revision History

[v0.1]: