Web Shell Hunting
2022-08-13, 11:00–15:00 (US/Pacific), Workshops (Virtual)

Web Shells are malicious web applications used for remote access. They've been used in many of the recent prominent breaches/vulnerabilities including Equifax, SolarWinds, and ProxyLogon and are used by APTs and other threats. With ProxyLogon, the FBI was authorized to remove them from victim machines.

This session will help you avoid telling your employer that the FBI is now doing volunteer admin work by teaching you about Web Shells, how to hunt for them, and doing hands-on hunting in a VM. A little groundwork goes a long way and this class will show what to do.


This workshop will provide the basics of what web shells are, how they are typically used, defensive strategies to prevent them, and ways they can be detected in different layers of security. The detection layers that will be covered are antivirus/endpoint protection, file integrity monitoring, file system analysis, log analysis, network traffic analysis, and endpoint anomaly detection.

Participants will be provided with a virtual machine image that they could both exploit with web shells and perform threat hunting on.

The breakdown is roughly this:
60-80 minutes - what web shells are, what they're used for, ways they can be detected
20 minutes - overview of my perspective on what web threat hunting is and how it varies from conventional threat hunting (TLDR - if you're on the internet, you're always going to be attacked so it's not a matter of picking up an unknown threat so much as filtering through evidence to determine if an attack is actually dangerous)
90+ minutes - hands-on exercises covering various ways to detect web shells such as file integrity monitoring, deobfuscation, YARA, dirty words, time stomping, etc. And then exploiting a vulnerable application and uploading a Web Shell and showing how it can be used to plunder data.

Joe Schottman has worn most hats in IT and Security, ranging from application development to DevOps to offensive and defensive security. The nexus of this experience is research into Web Shells. He's spoken and given training on topics such as Purple Teams, API security, Web Shells, Web Threat Hunting, and more at AppSec Village at DEF CON, OWASP Global, SANS Summits, various BSides, Circle City Con, and other events.