This query results in multiple correlated events that allow the analyst to investigate the detection:

aid=120da82da60d444d90dbc4f70df11660 (TargetProcessId=1761176184180866943 OR ContextProcessId=1761176184180866943) #event_simpleName=/ScriptControl|PhpExecuteScript|PhpBase64Decode|PhpEvalString|NewScriptWritten/

We can further filter this down to investigate the disk operation shown in the detection by appending #event_simpleName to the pre-populated query:

#event_simpleName: NewScriptWritten

{
"#event_simpleName": "NewScriptWritten",
"ContextBaseFileName": "apache2",
"FileName": "cache.php",
"FilePath": "/var/www/html/uploads/"
}

This event shows the full path and file name of the script written to disk, along with the process that wrote the script.

#event_simpleName: ScriptControlDetectInfo

{
"#event_simpleName": "ScriptControlDetectInfo",
"ScriptContent": "<?php [...trimmed for brevity...] eval(htmlspecialchars_decode(gzinflate(base64_decode($XtnR)))); ?>",
"ImageFileName": "/usr/sbin/apache2"
}

This event shows the full contents of the script that triggered the detection, along with the full process ancestry. Note that the script content shown in this event does not decode the contents of the eval function.

#event_simpleName: PhpEvalString

{
"#event_simpleName": "PhpEvalString",
"PhpEvalContent": "?><?php\nerror_reporting(0);\nhttp_response_code(404);\nfunction decrypt($encryptedData) { /* AES-256-CBC decryption */ }\nif (decrypt('jFmSkTCWn5zcll7d3dHObg')){ echo "/7ZC2gHDStsE4z8Z0cifN3B+C/UO2vClZymoftbo/scHScvWfgNerZjP2hTO3Obd"; exit; }\n$auth_key = "5a8c9a20daaef1947b0e9dee69622dc8";\n/* User-agent filtering and authentication logic */\n[...trimmed for brevity...]"
}

This event shows the evaluated content of the eval function that was obfuscated within the original script content shown in Figure 8. This gives analysts immediate visibility into what the web shell does without manual deobfuscation.

#event_simpleName: PhpExecuteScript

{
"#event_simpleName": "PhpExecuteScript",
"TargetFileName": "/var/www/html/uploads/cache.php"
}

This event shows the PHP file that has been executed.
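As an added example (not code from the original post or from the Falcon platform), the Python below correlates a handful of constructed events shaped like the ones above by process id, the way the query does, then checks that the file written by apache2 is the one later executed and that the ScriptContent wraps a decode chain in eval. The process ids, paths and script strings are constructed samples, not sensor data.

```python
import re

# Constructed sample events modelled on the event shapes shown above.
# Process ids and contents are illustrative, not taken from a real sensor.
SAMPLE_EVENTS = [
    {"#event_simpleName": "NewScriptWritten", "ContextProcessId": "42",
     "ContextBaseFileName": "apache2", "FileName": "cache.php",
     "FilePath": "/var/www/html/uploads/"},
    {"#event_simpleName": "ScriptControlDetectInfo", "TargetProcessId": "42",
     "ImageFileName": "/usr/sbin/apache2",
     "ScriptContent": "<?php $x='...'; eval(htmlspecialchars_decode(gzinflate(base64_decode($x)))); ?>"},
    {"#event_simpleName": "PhpEvalString", "TargetProcessId": "42",
     "PhpEvalContent": "?><?php\nerror_reporting(0);\nhttp_response_code(404);\n"},
    {"#event_simpleName": "PhpExecuteScript", "ContextProcessId": "42",
     "TargetFileName": "/var/www/html/uploads/cache.php"},
    {"#event_simpleName": "PhpExecuteScript", "ContextProcessId": "99",
     "TargetFileName": "/var/www/html/index.php"},
]

# Same alternation as the #event_simpleName regex in the query above.
EVENT_FILTER = re.compile(r"ScriptControl|PhpExecuteScript|PhpBase64Decode|PhpEvalString|NewScriptWritten")
# eval( followed by any chain of wrapper calls ending in a decode/inflate function.
OBFUSCATED_EVAL = re.compile(
    r"eval\s*\((?:\w+\s*\(\s*)*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)

def correlate(events, pid):
    """Keep events whose Target- or ContextProcessId is pid and whose name matches the filter."""
    return [e for e in events
            if pid in (e.get("TargetProcessId"), e.get("ContextProcessId"))
            and EVENT_FILTER.search(e["#event_simpleName"])]

def summarize(events, pid):
    """Reconstruct the write -> detect -> eval -> execute chain for one process."""
    by_name = {e["#event_simpleName"]: e for e in correlate(events, pid)}
    written = by_name["NewScriptWritten"]
    written_path = written["FilePath"] + written["FileName"]
    return {
        "written_by": written["ContextBaseFileName"],
        "written_path": written_path,
        # The file written to disk is the file PHP later executed.
        "executed_same_file": written_path == by_name["PhpExecuteScript"]["TargetFileName"],
        # Raw ScriptContent still hides its payload behind a decode chain in eval.
        "obfuscated_eval": bool(OBFUSCATED_EVAL.search(by_name["ScriptControlDetectInfo"]["ScriptContent"])),
        # First statements of the decoded content, as surfaced by PhpEvalString.
        "eval_preview": by_name["PhpEvalString"]["PhpEvalContent"].splitlines()[1:3],
    }
```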
