Due to their prevalence in today's society, the internet and other types of networks have become a hub for criminal activity. Cyber criminals and other types of threat actors often attempt to install or otherwise implement web shell applications on unsuspecting systems.
In operation, web shells are uploaded to a target machine and used as a vector to exploit the target's systems. Web shells may exploit the target's systems by, for example, opening a connection from the target system to one or more outside services that allow an attacker to issue commands to the system. Web shells may additionally or alternatively modify the target system to facilitate other exploits, escalate privileges, and map the targeted system. If web shells are successful, they may allow threat actors to bypass security systems and gain unauthorized access to the system.
Existing techniques for combating web shells generally rely on a set of manually defined rules, traffic detection, or other existing information about attacks. For example, one existing technique generates a "signature" of a suspected application file and compares the signature to a database of known web shells. In other techniques, a sample of shells is taken, and heuristics are built based on common patterns. However, these techniques are highly vulnerable to shifts in attacker behavior or tools: a signature matches only the exact file it was derived from, and a heuristic matches only the patterns present in the sample it was built from. Additionally, existing techniques often require the file to be running to discover whether the file is malicious and whether it has affected a system.
A need exists, therefore, for methods and systems for detecting web shell applications that overcome the above-mentioned disadvantages.