Target. Hunt. Disrupt.

Threat Hunting for Web Shells


Learn several different methods to threat hunt for web shells on your network.

Imagine an attacker having command-line access to your web server through an executable hidden among thousands of legitimate files. Web shells are in a category of their own compared to other malware because they are very hard to catch with signature-based detection such as an IDS/IPS.


Meet Your Presenters 

Danny Akacki, Threat Hunter, Fortune 50 Bank

Danny currently works as part of a hunt team at a Fortune 50 Financial Services company. He’s part of the company's hunt team within their SOC that’s dedicated to proactively seeking out threats. In the past, Danny has worked as a hunter at Mandiant and has spent the past four years working in threat hunting and incident response.

Paul Bartruff, Information Security Engineer, Sqrrl

Paul currently works at Sqrrl advising enterprises who are adopting advanced cyber security technologies. Previously, Paul has worked as an incident responder, forensic analyst and reverse engineer providing technical insight into targeted and non-targeted attacks at Lockheed Martin, SAIC, and FireEye.


In this session you’ll learn:

  • About the most popular web shells seen in the wild
  • Obfuscation methods used by attackers to avoid detection
  • Three "how to hunt for" web shells examples and key pivots

You can download the slides for this training here.

After this training, you'll know how to:

  • Hunt #1 | Look for evidence of an attacker uploading or logging in to a web shell on one of your web servers.
  • Hunt #2 | Find obscure or out-of-date user agents that aren’t seen very often on your network.
  • Hunt #3 | Look for common web shells that let an attacker use basic authentication without SSL.
