CVE-2021-4436 -> Godzilla Web Shell

Original research credit: TheDFIReport

In this report we will look at the Godzilla web shell, the artifacts it generates, and the detection rules that can be built from those artifacts. As always, I recommend reading the entire original research credited at the top of the page.

TL;DR Summary

  • This case involved the exploitation of the WordPress plugin 3DPrint Lite (CVE-2021-4436) to deploy a Godzilla web shell.
  • Over a 6-hour period the threat actor accessed the web shell to run various LOLBins and the scripts 1.sh (LinEnum) and Dirty-Pipe.sh.
  • The threat actor attempted to use Dirty-Pipe.sh to exploit the vulnerability CVE-2022-0847 but was not successful after multiple attempts.

Linux Artifacts

The artifact table (Event ID, Channel, Details) is presented in the original research.

Required logging

Event ID: SYSCALL
Channel: AUDIT
Details: System calls are the interface between user space and the kernel, allowing user processes to request services from the operating system kernel. When a user process makes a system call, it triggers a transition from user mode to kernel mode, where the requested operation is performed.

Event ID: EXECVE
Channel: AUDIT
Details: The EXECVE event in Linux refers to the execution of a new program by a process using the execve() system call. When a process invokes execve() with the path to an executable file and an array of arguments, it replaces its current memory image with the memory image of the specified program. In other words, execve() loads and executes a new program within the context of the calling process.

Detection Rules

Rule Name: Unusual User Privilege Enumeration via id
Description: Monitors for a sequence of 20 "id" command executions within 1 second by the same parent process. This behavior is unusual and may indicate the execution of an enumeration script such as LinPEAS or LinEnum; these scripts use the "id" command to enumerate the privileges of every user present on the system.
Detection Logic (EQL; the sequence header carries the 1-second, same-parent constraint the description requires):
  sequence by host.id, process.parent.entity_id with maxspan=1s
    [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
     process.name == "id" and process.args_count == 2 and
     not (process.parent.name == "rpm" or process.parent.args : "/var/tmp/rpm-tmp*")] with runs=20

Rule Name: Possible LinEnum Enumeration Commands
Description: Detects commands that are part of the "LinEnum" enumeration script.
Detection Logic:
  Event.Type = "EXECVE" AND "Command" CONTAINS
    grep "(adm)" ||
    grep -v '^[^:]*:[x]' /etc/passwd ||
    cat /etc/master.passwd ||
    grep -v -e '^$' /etc/sudoers ||
    cat /etc/shells ||
    grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs ||
    mysqladmin -uroot -proot version ||
    grep -rl "PRIVATE KEY-----" /home ||
    grep -rli "aws_secret_access_key" /home ||
    find / -name ".git-credentials" ||
    ls -la ~/.*_history ||
    grep -i docker /proc/self/cgroup

Rule Name: Privilege Escalation Attempt with "find"
Description: Detects a find command that searches the entire file system, starting from the root directory, for files that have full permissions (read, write, and execute) for the owner, group, and others.
Detection Logic:
  Event.Type = "EXECVE" AND "Command" CONTAINS "find" && "-perm" && 0777

Rule Name: Timestomping Attempts Detection
Description: Detects use of the touch command, which can modify a file's timestamps without modifying its contents. Bare touch executions are common on most systems, so in practice this rule is noisy unless scoped to the timestamp-setting options (-t, -r, -d).
Detection Logic:
  Event.Type = "EXECVE" AND "Command" CONTAINS "touch"
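As an added example (not code from this page or from TheDFIReport), the id-burst rule above implemented as a small Python detector over constructed auditd-style SYSCALL/EXECVE records. It joins the two record types by audit serial, groups by the ppid field of the SYSCALL record, and applies a 20-executions-in-1-second sliding window; the rpm-parent exclusion is left out because raw auditd records do not carry the parent's name, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed auditd-style records (not the incident's real logs) run through
# the page's "20 id executions within 1 second by the same parent" rule.
HDR_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit(lines):
    """Join SYSCALL and EXECVE records that share an audit serial number."""
    events = defaultdict(dict)
    for line in lines:
        m = HDR_RE.match(line.strip())
        if not m:
            continue
        _rtype, ts, serial, body = m.groups()
        ev = events[serial]
        ev["ts"] = float(ts)
        ev.update((k, v.strip('"')) for k, v in KV_RE.findall(body))
    return [ev for ev in events.values() if "argc" in ev and "ppid" in ev]

def id_burst_alerts(events, runs=20, window=1.0):
    """Return ppids that ran `id <arg>` at least `runs` times within `window` s.
    The page's rule also excludes an rpm parent; raw auditd records do not
    carry the parent's name, so that exclusion needs process enrichment."""
    by_parent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("a0") == "id" and int(ev["argc"]) == 2:
            by_parent[ev["ppid"]].append(ev["ts"])
    alerts = set()
    for ppid, times in by_parent.items():
        for i in range(len(times) - runs + 1):  # sliding window over execs
            if times[i + runs - 1] - times[i] <= window:
                alerts.add(ppid)
                break
    return sorted(alerts)

def sample_lines():
    """Constructed log: ppid 4242 runs `id` 20 times in 0.8 s (LinEnum-like);
    ppid 7 runs it once (benign)."""
    lines = []
    for i in range(20):
        ts, serial = 1700000000.0 + i * 0.04, 1000 + i
        lines.append(f'type=SYSCALL msg=audit({ts:.3f}:{serial}): arch=c000003e '
                     f'syscall=59 success=yes ppid=4242 pid={5000 + i} comm="id" exe="/usr/bin/id"')
        lines.append(f'type=EXECVE msg=audit({ts:.3f}:{serial}): argc=2 a0="id" a1="user{i}"')
    lines.append('type=SYSCALL msg=audit(1700000005.000:2000): arch=c000003e '
                 'syscall=59 success=yes ppid=7 pid=6000 comm="id" exe="/usr/bin/id"')
    lines.append('type=EXECVE msg=audit(1700000005.000:2000): argc=2 a0="id" a1="root"')
    return lines
```

Running `id_burst_alerts(parse_audit(sample_lines()))` returns `['4242']`: the parent that ran id 20 times inside one second fires, the single benign execution does not.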