Time to review everything that’s exposed to the internet…:
The list of preventive measures that should prevent web shell attacks include:
- Identify and remediate vulnerabilities or misconfigurations in web applications and web servers. Use Threat and Vulnerability Management to discover and fix these weaknesses. Deploy the latest security updates as soon as they become available.
- Implement proper segmentation of your perimeter network, such that a compromised web server does not lead to the compromise of the enterprise network.
- Enable antivirus protection on web servers. Turn on cloud-delivered protection to get the latest defenses against new and emerging threats. Users should only be able to upload files in directories that can be scanned by antivirus and configured to not allow server-side scripting or execution.
- Audit and review logs from web servers frequently. Be aware of all systems you expose directly to the internet.
- Utilize the Windows Defender Firewall, intrusion prevention devices, and your network firewall to prevent command-and-control server communication among endpoints whenever possible, limiting lateral movement, as well as other attack activities.
- Check your perimeter firewall and proxy to restrict unnecessary access to services, including access to services through non-standard ports.
- Practice good credential hygiene. Limit the use of accounts with local or domain admin level privileges.