The fileless webshell challenge
In-memory webshells live only inside the web or application server process (for example as a handler, filter or module registered at runtime) and write nothing to disk. They do not survive a restart, but until then there is no file for antivirus, file-integrity monitoring or static code analysis to inspect, so those disk-oriented controls are blind to them. The evidence has to come from process memory, process behaviour and traffic instead.
Detection techniques
1. Memory forensics: acquire the memory of the suspect server process (or the whole host) and analyse it with Volatility 3 (Rekall is no longer maintained). Look for executable memory regions that do not map to a loaded module or a file on disk, unusual strings (command names, decoder routines, request handlers the application never registered), and deviations from a baseline taken from a known-good instance of the same server build.
2. Process monitoring: watch for the web or application server process spawning shells or interpreters (sh, cmd.exe, powershell, python), for activity the server has no reason to generate (outbound connections to new destinations, reads of sensitive files such as credential stores), and for abnormal memory consumption.
3. Behavioural traffic analysis: requests with unusually long or encoded (Base64, hex) parameters, POST requests to URLs that only serve GET, responses that contain what looks like command output, and periodic traffic from the server to unknown external destinations (beaconing).
4. Log correlation: HTTP requests immediately followed by filesystem access by the server process, a burst of 500 errors from one client followed by a change in that client's behaviour (exploitation attempts that finally succeeded), and requests to URIs that do not exist in the deployed application yet return 200, which points to a handler registered at runtime.
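Techniques 2 to 4 above are each a rule over a log stream. The script below is an added example written for this page (it is not code from the Help Net Security article or from any product): it runs those rules over a constructed access log and a constructed set of process-creation events. The route table, the event field names and the five-second correlation window are assumptions to adapt to the real deployment and collector.

```python
import base64
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

# Constructed sample data (not from any real system): combined-format access log of a hypothetical Tomcat app.
ACCESS_LOG = """\
10.0.0.5 - - [12/May/2024:10:00:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2024:10:00:03 +0000] "POST /app/login HTTP/1.1" 500 312 "-" "python-requests/2.31"
10.0.0.9 - - [12/May/2024:10:00:04 +0000] "POST /app/login HTTP/1.1" 500 312 "-" "python-requests/2.31"
10.0.0.9 - - [12/May/2024:10:00:05 +0000] "POST /app/login HTTP/1.1" 500 312 "-" "python-requests/2.31"
10.0.0.9 - - [12/May/2024:10:00:09 +0000] "POST /app/login HTTP/1.1" 200 0 "-" "python-requests/2.31"
10.0.0.9 - - [12/May/2024:10:00:15 +0000] "POST /app/index.jsp?c=aWQ7Y2F0IC9ldGMvcGFzc3dk HTTP/1.1" 200 812 "-" "python-requests/2.31"
10.0.0.9 - - [12/May/2024:10:00:20 +0000] "GET /app/xyz123 HTTP/1.1" 200 96 "-" "python-requests/2.31"
"""
# Process-creation events as auditd/Sysmon might look after normalisation
# (hypothetical field names; adapt to the collector in use).
PROCESS_EVENTS = [
    {"ts": "2024-05-12T10:00:02Z", "parent": "cron", "exe": "/bin/sh", "argv": "sh -c run-parts /etc/cron.hourly"},
    {"ts": "2024-05-12T10:00:15Z", "parent": "java", "exe": "/bin/sh", "argv": "sh -c 'id;cat /etc/passwd'"},
]
# Hypothetical route table of the deployed app: path -> allowed methods ('/'-terminated entries match by prefix).
ROUTES = {"/app/index.jsp": {"GET"}, "/app/login": {"POST"}, "/app/static/": {"GET"}}
WEB_SERVER_PROCS = {"java", "httpd", "nginx", "w3wp.exe"}
SHELLS = {"sh", "bash", "dash", "cmd.exe", "powershell.exe"}
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse_access_log(text):
    """Parse combined-format lines into dicts with timezone-aware timestamps."""
    reqs = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        src, ts, method, target, status = m.groups()
        url = urlsplit(target)
        reqs.append({"src": src, "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
                     "method": method, "path": url.path,
                     "params": parse_qsl(url.query, keep_blank_values=True),
                     "status": int(status)})
    return reqs

def decode_if_base64(value, min_len=16):
    """Return the decoded text if value is Base64 that decodes to printable ASCII, else None."""
    if len(value) < min_len or not re.fullmatch(r"[A-Za-z0-9+/]+=*", value):
        return None
    try:
        text = base64.b64decode(value + "=" * (-len(value) % 4), validate=True).decode("ascii")
    except ValueError:  # invalid Base64 or non-ASCII payload (UnicodeDecodeError is a ValueError)
        return None
    return text if text.isprintable() else None

def route_allows(path, method):
    """Return (route known?, method allowed?) for a path."""
    for route, methods in ROUTES.items():
        if path == route or (route.endswith("/") and path.startswith(route)):
            return True, method in methods
    return False, False

def analyze_requests(reqs):
    """Traffic heuristics from techniques 3 and 4; returns (rule, detail) tuples."""
    findings, errors_in_a_row = [], {}
    for r in sorted(reqs, key=lambda r: r["ts"]):
        who = f"{r['src']} {r['method']} {r['path']}"
        known, allowed = route_allows(r["path"], r["method"])
        if not known and r["status"] == 200:
            findings.append(("unknown_uri_200", who))      # handler registered at runtime?
        elif known and not allowed:
            findings.append(("method_not_expected", who))  # e.g. POST to a GET-only page
        for name, value in r["params"]:
            decoded = decode_if_base64(value)
            if decoded is not None:
                findings.append(("encoded_parameter", f"{who} {name}={decoded!r}"))
        # A run of 5xx from one client followed by a 2xx: attempts that finally worked.
        n = errors_in_a_row.get(r["src"], 0)
        if 500 <= r["status"] < 600:
            errors_in_a_row[r["src"]] = n + 1
        else:
            if n >= 3 and r["status"] < 300:
                findings.append(("error_burst_then_success", f"{who} after {n} 5xx"))
            errors_in_a_row[r["src"]] = 0
    return findings

def correlate_processes(reqs, events, window=timedelta(seconds=5)):
    """Technique 2: tie shell children of the web server to the request(s) just before them."""
    findings = []
    for ev in events:
        exe_name = re.split(r"[\\/]", ev["exe"])[-1]
        if ev["parent"] not in WEB_SERVER_PROCS or exe_name not in SHELLS:
            continue
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        for r in reqs:
            if timedelta(0) <= ts - r["ts"] <= window:
                findings.append(("webserver_spawned_shell",
                                 f"{ev['parent']} -> {ev['argv']!r} <= {r['method']} {r['path']} from {r['src']}"))
    return findings

def run():
    """Run every rule over the constructed data and return the combined findings."""
    reqs = parse_access_log(ACCESS_LOG)
    return analyze_requests(reqs) + correlate_processes(reqs, PROCESS_EVENTS)
```

run() returns one finding per rule for the sample data: the unknown URI answering 200, the POST to a GET-only page, the Base64 parameter that decodes to a command line, the burst of 500s followed by a 200 from the same client, and the shell spawned by the Java process within five seconds of that POST. Two practical caveats: parse_qsl URL-decodes parameter values, so a literal "+" in Base64 arrives as a space unless the client percent-encodes it, and the route table must be generated from the deployment descriptor rather than guessed, otherwise the unknown-URI rule is noise.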
Recommended tools
Volatility 3 (memory analysis), YARA (rules run against memory images or live processes), Sysmon on Windows and auditd on Linux (process and file-access monitoring), Zeek (network behavioural analysis).
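Technique 1 above needs a memory image and Volatility 3 for the full analysis. As an added example (written for this page, not code from Volatility or from the source article), the script below applies the same test, executable memory that no file on disk accounts for, to the /proc/<pid>/maps of a live Linux process and diffs it against a known-good worker of the same build. Both maps excerpts are constructed and the httpd worker is hypothetical; on a real host read /proc/<pid>/maps of the server's worker processes instead.

```python
import re

# One /proc/<pid>/maps line: address range, perms, offset, dev, inode, optional path.
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+ *(.*)$")
# Kernel-provided mappings that are executable but never file-backed; not suspicious.
KERNEL_MAPPINGS = {"[vdso]", "[vsyscall]"}

# Constructed excerpt of /proc/<pid>/maps for a hypothetical httpd worker under suspicion.
SUSPECT_MAPS = """\
00400000-0040b000 r-xp 00000000 08:01 1234 /usr/sbin/httpd
0060b000-0060c000 rw-p 0000b000 08:01 1234 /usr/sbin/httpd
01a00000-01a21000 rw-p 00000000 00:00 0 [heap]
7f3a14000000-7f3a14003000 rwxp 00000000 00:00 0
7f3a15000000-7f3a15001000 r-xp 00000000 00:00 0
7f3a16000000-7f3a161b5000 r-xp 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a161b5000-7f3a161b9000 rw-p 001b5000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd2c1fe000-7ffd2c200000 r-xp 00000000 00:00 0 [vdso]
7ffd2c000000-7ffd2c021000 rw-p 00000000 00:00 0 [stack]
"""
# Constructed maps of a known-good worker of the same build: the baseline.
BASELINE_MAPS = """\
00400000-0040b000 r-xp 00000000 08:01 1234 /usr/sbin/httpd
0060b000-0060c000 rw-p 0000b000 08:01 1234 /usr/sbin/httpd
01b00000-01b15000 rw-p 00000000 00:00 0 [heap]
7f9b16000000-7f9b161b5000 r-xp 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f9b161b5000-7f9b161b9000 rw-p 001b5000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffe3c1fe000-7ffe3c200000 r-xp 00000000 00:00 0 [vdso]
7ffe3c000000-7ffe3c021000 rw-p 00000000 00:00 0 [stack]
"""

def parse_maps(text):
    """Turn maps text into dicts; addresses become ints, path is '' for anonymous memory."""
    regions = []
    for m in filter(None, map(MAPS_RE.match, text.splitlines())):
        start, end, perms, path = m.groups()
        regions.append({"start": int(start, 16), "end": int(end, 16),
                        "perms": perms, "path": path.strip()})
    return regions

def is_file_backed(path):
    """True when the mapping comes from a file that still exists on disk."""
    return bool(path) and not path.startswith(("[", "/memfd:")) and not path.endswith("(deleted)")

def suspicious_regions(regions):
    """Executable regions with no on-disk module to compare against, plus RWX regions."""
    out = []
    for r in regions:
        if r["path"] in KERNEL_MAPPINGS:
            continue
        reasons = []
        if "x" in r["perms"] and not is_file_backed(r["path"]):
            reasons.append("executable but not backed by a file on disk")
        if "x" in r["perms"] and "w" in r["perms"]:
            reasons.append("writable and executable (RWX)")
        if reasons:
            out.append((f"{r['start']:x}-{r['end']:x}", r["perms"], r["path"] or "<anonymous>", reasons))
    return out

def not_in_baseline(regions, baseline):
    """Regions whose (perms, path) pair never appears in the known-good worker."""
    known = {(b["perms"], b["path"]) for b in baseline}
    return [r for r in regions if (r["perms"], r["path"]) not in known]

def scan(suspect_text=SUSPECT_MAPS, baseline_text=BASELINE_MAPS):
    """Run both checks and return their results."""
    regions = parse_maps(suspect_text)
    return {"suspicious": suspicious_regions(regions),
            "new_vs_baseline": not_in_baseline(regions, parse_maps(baseline_text))}
```

For the constructed worker scan() reports two regions: an anonymous RWX mapping and an anonymous read-execute mapping, neither of which the baseline worker has. JIT runtimes (Java, .NET, PHP with opcache JIT) legitimately hold anonymous executable memory, so for those the baseline comparison is the useful signal and the raw "not file-backed" rule needs an allowlist; either way, dump the flagged ranges (for example from /proc/<pid>/mem) and run YARA over them before drawing a conclusion.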
Recommended reading
- CompTIA Security+ SY0-701: forensic analysis and malware detection tools.
- (ISC)2 CISSP Official Study Guide: SOC setup and advanced detection capabilities.
Sources
- F5 BIG-IP In-Memory Webshells - Help Net Security