WebShell and Threat Intelligence

  • 2017-07-03
  • 129
  • 0

Good image, hope it could be useful for u.

And then, four points you need to pay a little attention:

  1. Traffic monitor
    • ”CaiDao” ‘s payload are all in request body.
    • “Weevely“‘s payload are all in cookie and spreate to make up again.
  2. File moitor
    • Always include system method
    • Encrypt is very common
  3. Attack origin
    • Tor network , proxy server is the common attack origin.
    • Night is the high frequency time
    • Someone do batch scan at night, unexpectedly it work.
  4. Attack method
    • Web leak and config issue occupy more.
    • One sentence Webshell and rebound shell occupy more.

Finally :

Created with Raphaël 2.1.0Threat IntelligenceThreat IntelligenceWebshell MonitorWebshell MonitorDefender websiteDefender websiteSirpSirpAttacker featurewebshell feature.Analyze system leakEmergency measuresCommunity dataLeak database