Jack Crook
Principal Incident Responder for GE-CIRT and finder of bad guys - Former US Army Infantryman. Desert Storm and Somalia Veteran. #ThreatHunting #DFIR
Mar 9, 2021, thread of 7 tweets
Given recent activity, here's a thread on webshells from a behavioral perspective. Based on my experience over the years I can say the following is true:
- The src ip of the attacker will be seen on few webservers
- The URI of the webshell is likely to be rare
#DFIR 1/?
- There will likely be few URIs visited on the webserver from the attacker's ip (< 4)
- With every command issued the response bytes will likely be different
- There will be a high percentage of unique byte counts (think response to different commands issued).
#DFIR 2/?
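As an added illustration (my code, not part of Jack's thread), here is a small Python script that applies the heuristics above to constructed web server access-log lines: it counts distinct URIs per source IP, how many distinct clients touch each URI, and the share of unique response sizes per source/URI pair. The sample log, the thresholds and the function names are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real traffic): three normal clients
# browse a few pages; one source hits a single rare URI repeatedly and gets a
# different response size each time, the pattern the thread describes.
SAMPLE_LOG = """\
198.51.100.1 - - [09/Mar/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.1 - - [09/Mar/2021:10:00:02 +0000] "GET /about.html HTTP/1.1" 200 3072
198.51.100.2 - - [09/Mar/2021:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.2 - - [09/Mar/2021:10:00:04 +0000] "GET /products.html HTTP/1.1" 200 8192
198.51.100.3 - - [09/Mar/2021:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.3 - - [09/Mar/2021:10:00:06 +0000] "GET /contact.html HTTP/1.1" 200 2048
203.0.113.7 - - [09/Mar/2021:10:01:00 +0000] "POST /images/cache.aspx HTTP/1.1" 200 412
203.0.113.7 - - [09/Mar/2021:10:01:05 +0000] "POST /images/cache.aspx HTTP/1.1" 200 1397
203.0.113.7 - - [09/Mar/2021:10:01:09 +0000] "POST /images/cache.aspx HTTP/1.1" 200 866
"""

# Common/combined log format: ip ident user [date] "METHOD uri proto" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} (\d+|-)')

def parse(log_text):
    """Yield (src_ip, uri_path, response_bytes); skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            size = 0 if m.group(3) == "-" else int(m.group(3))
            yield m.group(1), m.group(2).split("?", 1)[0], size

def score_sources(log_text, uri_limit=4, min_requests=3, min_unique_ratio=0.75, rare_clients=1):
    """Return {src_ip: [(uri, distinct_uris, unique_size_ratio, clients_on_uri)]}
    for source/URI pairs matching all of the thread's heuristics. Thresholds are assumptions."""
    uris_by_ip = defaultdict(set)          # few URIs visited per attacker IP
    clients_by_uri = defaultdict(set)      # webshell URI is rare across clients
    sizes_by_pair = defaultdict(list)      # response bytes vary per command
    for ip, uri, size in parse(log_text):
        uris_by_ip[ip].add(uri)
        clients_by_uri[uri].add(ip)
        sizes_by_pair[(ip, uri)].append(size)
    hits = {}
    for (ip, uri), sizes in sizes_by_pair.items():
        if len(sizes) < min_requests:      # need enough requests to judge variety
            continue
        ratio = len(set(sizes)) / len(sizes)
        if (len(uris_by_ip[ip]) < uri_limit and ratio >= min_unique_ratio
                and len(clients_by_uri[uri]) <= rare_clients):
            hits.setdefault(ip, []).append((uri, len(uris_by_ip[ip]), round(ratio, 2), len(clients_by_uri[uri])))
    return hits
```

On real logs, group by destination host as well and tune the thresholds to the site's normal traffic before acting on a hit.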