{
  "name": "Analysis of an incident involving a web shell used as a backdoor",
  "slug": "analysis-of-an-incident-involving-a-web-shell-used-as-a-backdoor",
  "description": "A SOC investigation uncovered a web shell intrusion on a government-owned SharePoint server in Southeast Asia. After gaining initial access, the attackers used the built-in Windows utility certutil (a living-off-the-land binary) to download an ASPX payload disguised as a 404 error page, then ran Potato-family tools (SweetPotato, BadPotato, GodPotato) for local privilege escalation from the web server's service context. Analysis identified the web shell as Behinder, a modular backdoor whose command-and-control traffic is encrypted, which limits what network-based inspection alone can reveal. The incident highlights the need to detect threats that execute in memory rather than relying solely on on-disk artifacts, and the value of continuous learning for SOC teams. A YARA rule was developed to identify similar payloads, and indicators of compromise were provided in the referenced report.",
  "published": "2025-02-28T13:30:27+00:00",
  "created_at": "2025-02-28T13:30:27+00:00",
  "modified_at": "2025-03-03T15:00:41+00:00",
  "created_at_opencti": "2025-02-28T13:30:27+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-02-28",
    "badpotato",
    "behinder",
    "godpotato",
    "memory-based threats",
    "potato tools",
    "privilege-escalation",
    "southeast asia",
    "sweetpotato",
    "web shell"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "legacy:malware:e62dbccb769103f2",
        "name": "SweetPotato",
        "slug": "sweetpotato"
      },
      {
        "id": "legacy:malware:486b4d9508f90a7a",
        "name": "Behinder",
        "slug": "behinder"
      },
      {
        "id": "legacy:malware:9de210b6e405b8e6",
        "name": "GodPotato",
        "slug": "godpotato"
      },
      {
        "id": "legacy:malware:b1242dbf49ac12aa",
        "name": "BadPotato",
        "slug": "badpotato"
      }
    ],
    "attack_patterns": [
      {
        "id": "beaa4978-0309-438b-a45e-ec566b643811",
        "name": "T1505.003"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "a2ba5594-6293-4868-928c-ab4b31927a02",
        "name": "T1572"
      },
      {
        "id": "6efb8bea-11d7-418d-a429-9f4a3e6c50f6",
        "name": "T1087"
      },
      {
        "id": "fc699aef-8931-4a79-8f79-9651be9abd50",
        "name": "T1021"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "ca53b2fa-42a8-45ec-9682-0cf54bf280f3",
        "name": "T1090"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://securelist.com/soc-files-web-shell-chase/115714/",
    "https://otx.alienvault.com/pulse/67c1c883b5ef0fb158dcc35f"
  ]
}