- Course
Sandworm: Web Shell Detection
Discover how to detect Advanced Persistent Threat (APT) Actors such as Sandworm’s use of web shells on vulnerable web applications for remote code execution, file upload, persistent access, and more.
Intermediate
- Course
Sandworm: Web Shell Detection
Discover how to detect Advanced Persistent Threat (APT) Actors such as Sandworm’s use of web shells on vulnerable web applications for remote code execution, file upload, persistent access, and more.
Intermediate
Get started today
Access this course and other top-rated tech content with one of our business plans.
Try this course for free
Access this course and other top-rated tech content with one of our individual plans.
This course is included in the libraries shown below:
- Security
What you'll learn
During the 2016 Ukraine Electric Power Attack, the Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests. Adversaries often communicate with their targets using application layer protocols associated with web traffic. This avoids detection by blending in with existing traffic because commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Protocols such as HTTP(S)] that carry web traffic are very common in most environments and the packets using these protocols have many fields and headers in which data can be hidden. In this course, you’ll learn how to detect how APTs take advantage of common web protocols to establish complex command and control networks to maintain persistence and to remain stealthy.
Sandworm: Web Shell Detection
Intermediate
Table of contents
Michael Teske is an Author Evangelist with Pluralsight helping people elevate their skills. He has 20+ years of experience in IT Ops, including 17 as an IT instructor at a community college.