Article Excerpt
ShellSweep and its suite of tools calculate the entropy of file contents to estimate the likelihood of a file being a webshell. High entropy indicates more randomness, which is a characteristic of the encrypted or obfuscated code often found in webshells.
| property | value |
|---|---|
| tags | defensive-tradecraft, github-repo, ioc-scanner, tradecraft-tool, webshell |
| url | |
| original_word_count | 653 |
Long Summary
ShellSweep is a tool designed to detect potential webshell files in a specified directory. It uses entropy, a measure of the unpredictability, randomness, or disorder in a set of data, to estimate the likelihood of a file being a webshell. Entropy is calculated by counting how often each character appears in the file, turning those counts into per-character probabilities, and combining them into a single score. High entropy indicates more randomness, which is a characteristic of the encrypted or obfuscated code often found in webshells.
ShellSweep only processes files with certain extensions (.asp, .aspx, .asph, .php, .jsp), which are commonly used in webshells. Certain directories can be excluded from scanning and files with certain hashes can be ignored during the scan.
ShellScan provides the ability to scan multiple known bad webshell directories and output the average, median, minimum and maximum entropy values by file extension. This gives a decent training set to get entropy values.
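The entropy scoring, extension filter, directory exclusion and hash ignore list described above, together with the ShellScan-style per-extension statistics, as an added example that is not ShellSweep's own code. It computes Shannon entropy in bits per byte over the raw file bytes, treats `excluded_dirs` as directory names to prune (an assumption; the real tool may match on full paths), and the `6.0` threshold and the sample web root built by `build_sample_tree()` are constructed for the demo, not values taken from the project.

```python
import hashlib
import math
import os
import statistics
import tempfile
from collections import Counter
from pathlib import Path

# File extensions the page says ShellSweep processes.
WEBSHELL_EXTENSIONS = {".asp", ".aspx", ".asph", ".php", ".jsp"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte.

    Count how often each byte value occurs, turn the counts into
    probabilities, and sum -p * log2(p). 0.0 means a single repeated
    value; 8.0 means every byte value is equally likely, as in
    encrypted or heavily encoded data.
    """
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def score_files(root, excluded_dirs=(), ignored_hashes=()):
    """Walk root and return [(path, entropy)] for every candidate file.

    excluded_dirs: directory names pruned from the walk (assumption: a
    simplification of the tool's exclusion list).
    ignored_hashes: SHA-256 hex digests of files known to be benign,
    skipped before scoring.
    """
    excluded, ignored = set(excluded_dirs), set(ignored_hashes)
    scored = []
    for dirpath, dirnames, filenames in os.walk(Path(root)):
        dirnames[:] = [d for d in dirnames if d not in excluded]  # prune in place
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() not in WEBSHELL_EXTENSIONS:
                continue
            if sha256_of(path) in ignored:
                continue
            scored.append((path, shannon_entropy(path.read_bytes())))
    return scored


def flag_suspicious(scored, threshold):
    """Files whose entropy meets or exceeds the tuned threshold."""
    return [(p, e) for p, e in scored if e >= threshold]


def stats_by_extension(scored):
    """ShellScan-style summary: count/avg/median/min/max entropy per extension.

    Run over a corpus of known-bad webshells this yields training values;
    run over a production web root it shows the normal range per extension.
    """
    by_ext = {}
    for path, entropy in scored:
        by_ext.setdefault(path.suffix.lower(), []).append(entropy)
    return {
        ext: {
            "count": len(vals),
            "avg": statistics.mean(vals),
            "median": statistics.median(vals),
            "min": min(vals),
            "max": max(vals),
        }
        for ext, vals in by_ext.items()
    }


def build_sample_tree() -> Path:
    """Constructed sample web root (demo data, not real files) so the example runs offline."""
    root = Path(tempfile.mkdtemp(prefix="shellsweep-demo-"))
    (root / "uploads").mkdir()
    (root / "vendor").mkdir()
    low = b"<?php\necho 'Hello, world';\n?>\n"        # ordinary source text, low entropy
    high_a = bytes(range(256)) * 8                      # every byte value equally often: 8.0 bits
    high_b = bytes(range(256))[::-1] * 8                # same entropy, different hash
    (root / "index.php").write_bytes(low)
    (root / "uploads" / "cache.aspx").write_bytes(high_a)   # should be flagged
    (root / "vendor" / "lib.php").write_bytes(high_a)       # pruned via excluded_dirs
    (root / "known_good.php").write_bytes(high_b)           # skipped via ignored_hashes
    (root / "readme.txt").write_bytes(high_a)               # wrong extension, never scored
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    scored = score_files(root, excluded_dirs={"vendor"},
                         ignored_hashes={sha256_of(root / "known_good.php")})
    for path, entropy in flag_suspicious(scored, threshold=6.0):  # 6.0 is a demo threshold
        print(f"suspicious {path.relative_to(root)} entropy={entropy:.2f}")
    for ext, s in stats_by_extension(scored).items():
        print(ext, {k: round(v, 2) if isinstance(v, float) else v for k, v in s.items()})
```

The threshold is deliberately a parameter: the per-extension statistics from a known-bad corpus and from the environment's own files are what justify the number, which is the tuning loop the page describes. Note that entropy alone cannot separate a webshell from a legitimately minified or base64-heavy file, which is why the hash ignore list and directory exclusions exist.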
ShellCSV provides the ability to gather all files and entropy values to better understand what paths and extensions are most prominent in the working environment.
ShellSweep is available in Python, PowerShell and Lua. Based on results from ShellScan or ShellCSV, entropy thresholds, file extensions, paths and filters can be modified as needed. This allows defenders to iterate on tuning and find new shells.
Overall, ShellSweep is a useful tool for detecting potential webshells in a specified directory. It uses entropy to estimate the likelihood of a file being a webshell and, through ShellScan, can scan multiple known bad webshell directories and output the average, median, minimum and maximum entropy values by file extension. It is available in Python, PowerShell and Lua and allows defenders to iterate on tuning and find new shells.
Short Summary
MHaggis/ShellSweep
- ShellSweep detects potential webshell files in a specified directory.
- It uses entropy to calculate the likelihood of a file being a webshell.
- Entropy is calculated by counting how often each character appears in the file.
- High entropy indicates more randomness, a characteristic of webshells.
- ShellSweep only processes files with certain extensions commonly used in webshells.
- Certain directories can be excluded from scanning and files with certain hashes ignored.
- ShellScan outputs average, median, minimum and maximum entropy values by file extension.
- ShellCSV gathers all files and entropy values to better understand prominent paths and extensions.
- ShellSweep can be used in Python, PowerShell or Lua for tuning filters.
- Overall, ShellSweep is a useful tool for detecting potential webshells in a directory.
source link: https://github.com/MHaggis/ShellSweep
summarized content: https://hut.threathunterz.com/battlefield-intel/tradecraft-tools/mhaggisshellsweep
#ShellSweep #webshells #entropy #scanning #Python