Full Report
An additional issue has been discovered in the ASPX version of reDuh. Although the script did work as expected, it did not set the ScriptTimeout value. This resulted in reDuh terminating active connections once the page timeout had expired. This has been fixed in the ASPX version. A copy can be grabbed from here. More information regarding reDuh can be found here.
Analysis Summary
# Tool/Technique: reDuh (ASPX Version Fix)
## Overview
reDuh is a server-side component, historically mentioned in the context of web server exploitation or post-exploitation pivoting. The report above describes a fix for an issue in the ASPX (Active Server Pages eXtended) version of reDuh, where active connections were terminated prematurely because the `ScriptTimeout` value was never set.
## Technical Details
- Type: Tool
- Platform: ASP.NET Web Server (likely Windows Server environments running IIS hosting ASPX pages)
- Capabilities: Web shell/implant functionality, as suggested by the need to manage connection timeouts; the report implies the tool maintains long-lived connections on a compromised web server.
- First Seen: The original tool context is prior to February 2009 (date of the article).
## MITRE ATT&CK Mapping
Since reDuh is a web shell/implant, its usage generally maps to initial access or execution post-exploitation on a web server.
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application
    - (If used as the payload after vulnerability exploitation on a web application)
- **TA0002 - Execution**
  - T1059.004 - Command and Scripting Interpreter: Windows Command Shell
    - (If used to execute system commands via the ASPX interface)
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols
    - (Using HTTP/HTTPS for C2 communication)
## Functionality
### Core Capabilities
- Execution of tasks or commands on the compromised web server via an ASPX interface.
- Maintenance of persistent sessions facilitated via HTTP requests.
### Advanced Features
- **Connection Management:** The specific fix addresses managing active connections by correctly setting the `ScriptTimeout` value in the ASPX implementation to prevent premature termination of established sessions by the server.
## Indicators of Compromise
*Note: As this summary focuses on a functional fix and not a specific incident, IOCs are general.*
- File Hashes: [Not provided in the context, must be obtained from the linked tool distribution.]
- File Names: Inferred to be `.aspx` script files related to reDuh.
- Registry Keys: [Not provided in the context.]
- Network Indicators: Connections to the compromised server hosting the reDuh ASPX page.
- Behavioral Indicators: Unusual invocation of system utilities or shell commands initiated through the ASPX script execution context.
## Associated Threat Actors
- Information in the provided context does not specify threat actors known to use this specific version, but web shells in general are used across the threat landscape.
## Detection Methods
- Signature-based detection: Signatures specific to the known reDuh ASPX script content.
- Behavioral detection: Monitoring for web requests that execute unexpected system shell commands or unusual process creation originating from the web server process (e.g., `w3wp.exe`).
- YARA rules: Rules targeting unique strings or code structure within the reDuh ASPX file.
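A runnable illustration of the behavioral detection above, added here as an example rather than taken from the report or from reDuh's own code: it parses constructed Sysmon-style process-creation records (a simplified `key="value"` layout assumed for the example) and flags `w3wp.exe` spawning a command or script interpreter, while allowlisting the compiler children ASP.NET launches legitimately.

```python
import ntpath
import re
from typing import Dict, Iterable, List

# Constructed sample records, one key="value" event per line, modelled loosely on
# Sysmon Event ID 1 (process creation). These are not logs from any real incident.
SAMPLE_EVENTS = """\
ParentImage="C:\\Windows\\System32\\inetsrv\\w3wp.exe" Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe /c whoami" User="IIS APPPOOL\\DefaultAppPool"
ParentImage="C:\\Windows\\System32\\inetsrv\\w3wp.exe" Image="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe" CommandLine="csc.exe /noconfig /t:library" User="IIS APPPOOL\\DefaultAppPool"
ParentImage="C:\\Windows\\explorer.exe" Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe" User="CONTOSO\\alice"
ParentImage="C:\\Windows\\System32\\inetsrv\\w3wp.exe" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" CommandLine="powershell -nop -c Get-Process" User="IIS APPPOOL\\DefaultAppPool"
"""

# Interpreters the IIS worker process has no routine reason to launch.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}
# Children w3wp.exe does spawn legitimately (ASP.NET dynamic compilation); keeping
# them out of the alert stream avoids paging on every first hit of a page.
EXPECTED_CHILDREN = {"csc.exe", "vbc.exe", "cvtres.exe"}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Split one key="value" record into a dict of its fields (empty if unparsable)."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def is_suspicious(event: Dict[str, str]) -> bool:
    """True when an IIS worker process spawns a command or script interpreter."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    if parent != "w3wp.exe" or child in EXPECTED_CHILDREN:
        return False
    return child in SHELL_IMAGES


def find_webshell_candidates(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed events matching the w3wp.exe -> interpreter pattern."""
    return [e for e in map(parse_event, lines) if e and is_suspicious(e)]


if __name__ == "__main__":
    for hit in find_webshell_candidates(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT user={hit['User']} cmd={hit['CommandLine']}")
```

In production the same rule is expressed as a query over your SIEM's process-creation telemetry; the allowlist above is the part that needs tuning per application pool.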
## Mitigation Strategies
- Prevention measures: Implement strict Web Application Firewalls (WAFs) to filter malicious payloads attempting to upload or execute ASPX scripts.
- Hardening recommendations: Ensure all application settings (especially in IIS) are configured with appropriate security timeouts, and restrict permissions for the application pool identity. Patch the underlying vulnerabilities that allow the initial upload or execution of such scripts.
## Related Tools/Techniques
- Other ASP.NET based web shells (e.g., China Chopper variants, various ASPX shells).
- General web shells used for persistent access.