This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

OWASP AppSec DC 2012/Old Webshells New Tricks How Persistent Threats haverevived an old idea and how you can detect them

Jump to: navigation, search


Registration Now OPEN! | Hotel | Schedule | Convention Center |

The Presentation

Web shells _ malicious scripts that provide an attacker with the ability to upload files, execute commands, conduct reconnaissance, and perform other command-and-control activities on a compromised web server _ are nothing new. They've been in the wild ever since the first web server and application exploits reared their ugly heads over a decade ago. Modern application security and server hardening processes have rendered them all but obsolete tools for desperate script-kiddies, right? Wrong. In this presentation we will discuss how web-based backdoors continue to be leveraged by sophisticated, targeted attackers and the challenges that they pose to forensic analysts conducting large-scale investigations. In particular, we will focus on the usage of web shells as a post-exploitation mechanism for maintaining persistence in an environment _ a backup method of remote access _ rather than a tool utilized in the initial entry vector. We will focus on the forensic artifacts that usage of such malware leaves behind on the host and on the network, and discuss techniques for rapidly identifying unknown web-based malware across servers.

The Speakers

Ryan Kazanciyan

Ryan Kazanciyan is a Principal Consultant with Mandiant and has ten years of experience specializing in incident response, forensic analysis, penetration testing, and web application security. He has spent the past four years leading investigation and remediation efforts for highly-targeted attacks affecting organizations in the defense, technology, utilities, government, and financial services sectors. Mr. Kazanciyan has experience with analysis of host and network-based indicators of compromise, disk and memory forensics, and malware identification and triage. He also has an extensive background managing and executing large penetration testing and application security assessments.

Mr. Kazanciyan has leveraged his consulting experience to lead training sessions for a variety of audiences in law enforcement, the federal government, and corporate security groups. He has taught courses on incident response, forensic analysis, penetration testing, and web application security. He has also presented at industry and security conferences including Black Hat, DoD CyberCrime, ShmooCon, Infragard, and ISACA.

Gold Sponsors

Aspect logo owasp.jpg AppSecDC2009-Sponsor-securicon.gif AppSecDC2009-Sponsor-mandiant.gif AppSecDC2012-ISC2.gif

Silver Sponsors


Small Business

AppSecDC2012-Sponsor-sideas.gif BayShoreNetworks.png


link= Codenomicon WhiteHat Logo.png AppSecDC2012-HP.jpg WSI - Logo.jpg