Intel Name: Investigating a Web Shell Intrusion with Trend Micro Managed XDR
Date of Scan: January 15, 2025
Impact: High
Summary: “Investigating A Web Shell Intrusion” details an incident in which endpoint sensors detected suspicious activity originating from an IIS worker process (w3wp.exe). The attacker uploaded a web shell to the IIS server, whose upload functionality had previously been left unrestricted. Through the web shell, the attacker created a new user account, changed an existing user’s password, and established a reverse TCP shell by running encoded PowerShell commands that connected back to a command-and-control server. The investigation and response efforts were key to identifying and mitigating the attack.