
Analysis of an incident involving a web shell used as a backdoor

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

A SOC investigation uncovered a web shell attack on a government SharePoint server in Southeast Asia. The attackers used certutil to download an ASPX payload disguised as a 404 page, then employed Potato tools for privilege escalation. Analysis revealed the web shell to be Behinder, a modular backdoor with encrypted communication capabilities. The incident highlights the importance of memory-based threat detection and continuous learning for SOC teams. A YARA rule was developed to identify similar payloads, and indicators of compromise were provided.

OPENCTI LABELS:

web shell,behinder,godpotato,badpotato,privilege escalation,southeast asia,memory-based threats,sweetpotato,potato tools
