From the course: Complete Guide to Open Source Security
Detecting web shells with Wazuh
- Often an attacker will upload and then use a web shell as their foothold into our system. Web shells are difficult to detect as they're easily modified by attackers and can use encryption, encoding and obfuscation to change their signature. Let's look at the basics of a web shell. I've installed one in the web root. Let's have a look at it. This is a simple shell, which outputs a text box for us to input a command, and then executes the command. Let's do that. We'll go to localhost/shelly.php and we'll enter whoami and execute it. And we get the answer www-data. We'll come back to this, but now let's install the auditd tool to provide enhanced logging so that we can improve our detection of web shells. And we do that with sudo apt install auditd. auditd by default doesn't check for execution of web shell commands, but we'll create a rule for this by checking for any command which is executed under the www-data account. We'll need to check the unique identifier of www…
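The rule the lesson is building, as an added example that is not the course's own material: resolve the web server account to its UID, emit auditd rules that record every command executed under it, and check an audit record against them. It assumes www-data is UID 33 (the Debian/Ubuntu default), a rule key of "webshell", and function names chosen here; the SYSCALL record is constructed.

```shell
#!/bin/sh
# Added example, not from the course: turn "log every command run as
# www-data" into auditd rules and a check over one audit record.
# Assumptions: www-data is UID 33 (Debian/Ubuntu default), the rule key is
# "webshell", and the function names are ours.

# Resolve an account name to its UID with getent; if the account does not
# exist on this host, fall back to the UID given as the second argument.
resolve_uid() {
    uid=$(getent passwd "$1" 2>/dev/null | cut -d: -f3)
    if [ -n "$uid" ]; then printf '%s\n' "$uid"; else printf '%s\n' "$2"; fi
}

# Emit rules for both syscall ABIs (64- and 32-bit binaries) that record
# every execve() whose effective UID is the web server account. Load them
# with "auditctl -R <file>" or place them in /etc/audit/rules.d/.
webshell_audit_rules() {
    printf '%s\n' "-a always,exit -F arch=b64 -S execve -F euid=$1 -k webshell"
    printf '%s\n' "-a always,exit -F arch=b32 -S execve -F euid=$1 -k webshell"
}

# Succeed only when a SYSCALL record carries our key, is an execve
# (syscall 59 on x86_64) and ran under the monitored effective UID.
is_webshell_exec() {
    case "$1" in *'key="webshell"'*) ;; *) return 1 ;; esac
    case "$1" in *'syscall=59 '*) ;; *) return 1 ;; esac
    case "$1" in *"euid=$2 "*) return 0 ;; *) return 1 ;; esac
}

# Constructed SYSCALL record shaped like what auditd writes when the rule
# above fires for "whoami" executed by a PHP web shell running as www-data.
SAMPLE='type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1234 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="whoami" exe="/usr/bin/whoami" key="webshell"'

# Stand-alone run: print the rules for this host and classify the sample.
WWW_UID=$(resolve_uid www-data 33)
webshell_audit_rules "$WWW_UID"
if is_webshell_exec "$SAMPLE" 33; then echo "ALERT: command executed as uid 33"; fi
```

Once the rules are loaded, the records tagged key="webshell" are what Wazuh's auditd decoder picks up, so the alert logic above is the same test the SIEM rule will perform.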
Contents
- Installing the Wazuh SIEM (5m 24s)
- Installing a Wazuh Linux agent (3m 20s)
- Installing a Wazuh Windows agent (1m 32s)
- Collecting Nginx logs in Wazuh (5m 20s)
- Monitoring an attack with Wazuh (4m 48s)
- Detecting web shells with Wazuh (7m 42s)
- Activating vulnerability scanning (3m 45s)