Analysis of an incident involving a web shell used as a backdoor
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A SOC investigation uncovered a web shell attack on a government SharePoint server in Southeast Asia. The attackers used certutil to download an ASPX payload disguised as a 404 page, then employed Potato tools for privilege escalation. Analysis revealed the web shell to be Behinder, a modular backdoor with encrypted communication capabilities. The incident highlights the importance of memory-based threat detection and continuous learning for SOC teams. A YARA rule was developed to identify similar payloads, and indicators of compromise were provided.
OPENCTI LABELS :
web shell,behinder,godpotato,badpotato,privilege escalation,southeast asia,memory-based threats,sweetpotato,potato tools
Open in NetmanageIT OpenCTI Public Instance with below link!
Use public read only username and password on login page.
NOTE : Use Public READ only user credentials on login page banner.
Analysis of an incident involving a web shell used as a backdoor