Web shells are commonly used in cyber-attacks: a small script dropped into a web server's document root gives an attacker remote command execution over ordinary HTTP requests, and because the traffic blends in with legitimate web activity, web shells can be difficult to detect. When one of the largest banks in the world received an alert from its Endpoint Detection and Response (EDR) solution indicating a possible web shell attack, determining whether any systems were compromised became a priority. To maintain availability, the potentially compromised systems had to be analyzed quickly and thoroughly.
Four systems were identified as potentially compromised. All data stored on the systems had to be reviewed. While there are many forensic tools available, BlackLight was chosen for this analysis for its ability to process a number of large data sets. An index of all the data was created in a single BlackLight case file. Index searches were then performed to confirm no indicators of the specific compromise suspected were on any of the systems.
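The triage described above, index every collected file once, then run indicator searches across all systems from a single case, can be sketched in a few dozen lines. The following is an added example and is not BlackLight code or the bank's own procedure; the indicator patterns, system names and file contents are constructed for illustration and are not the indicators from this case. It also exercises the outcome the case study did not have, a system that does match an indicator, so that both branches of the check are visible.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Constructed indicators: generic web shell patterns used in triage.
# Illustrative only; not the indicators searched for in the case study.
INDICATORS = {
    "php_eval_base64": re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    "php_request_exec": re.compile(
        rb"(system|shell_exec|passthru|exec)\s*\(\s*\$_(GET|POST|REQUEST)\b"),
    "jsp_runtime_exec": re.compile(rb"Runtime\.getRuntime\(\)\.exec\s*\("),
    "aspx_process_start": re.compile(rb"Process\.Start\s*\("),
}

# Constructed sample web roots for four hypothetical systems. web01-web03
# are clean; web04 carries a file that matches one indicator.
SAMPLE_FILES = {
    "web01": {"htdocs/index.php": b"<?php echo 'hello'; ?>\n"},
    "web02": {"app/WEB-INF/web.xml": b"<web-app/>\n"},
    "web03": {"site/Default.aspx": b"<%@ Page Language=\"C#\" %>\n"},
    "web04": {
        "htdocs/index.php": b"<?php echo 'hello'; ?>\n",
        "htdocs/upload/cmd.php": b"<?php eval(base64_decode($_POST['c'])); ?>\n",
    },
}


def build_index(root: Path) -> Dict[str, bytes]:
    """Read every regular file under root once, keyed by relative path.
    This stands in for the one-time indexing step: the data is walked
    once, and every later search runs against the in-memory index."""
    index: Dict[str, bytes] = {}
    for p in root.rglob("*"):
        if p.is_file():
            index[str(p.relative_to(root))] = p.read_bytes()
    return index


def search_index(index: Dict[str, bytes],
                 indicators=INDICATORS) -> Dict[str, List[str]]:
    """Return {relative_path: [indicator names]} for files matching any indicator."""
    hits: Dict[str, List[str]] = {}
    for path, data in index.items():
        names = [name for name, rx in indicators.items() if rx.search(data)]
        if names:
            hits[path] = names
    return hits


def triage(systems: Dict[str, Path]) -> Dict[str, dict]:
    """Index and search each system; report per-system status and hits.
    'no_indicators' means none of the supplied patterns matched, which is
    evidence against the specific compromise suspected, not proof that the
    host is clean."""
    report: Dict[str, dict] = {}
    for name, root in systems.items():
        hits = search_index(build_index(root))
        report[name] = {
            "status": "indicators_found" if hits else "no_indicators",
            "hits": hits,
        }
    return report


def make_sample_systems(base: Path) -> Dict[str, Path]:
    """Write the constructed sample files under base, one directory per system."""
    systems: Dict[str, Path] = {}
    for name, files in SAMPLE_FILES.items():
        root = base / name
        for rel, content in files.items():
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(content)
        systems[name] = root
    return systems


def run_demo() -> Dict[str, dict]:
    """Build the sample systems in a temp directory and triage them."""
    base = Path(tempfile.mkdtemp(prefix="webshell_triage_"))
    return triage(make_sample_systems(base))


if __name__ == "__main__":
    for system, result in run_demo().items():
        print(system, result["status"], result["hits"])
```

The design point is the one the case study relies on: read each system's data once, then run as many indicator searches as needed against the index rather than re-walking the disk per search. A clean result should be reported as "no indicators of the suspected compromise found", scoped to the patterns actually searched for.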
BlackLight made the entire process straightforward. All investigative activity was tagged, automatically building the incident report. The interface is intuitive, making searching, filtering and pivoting easy for the examiner. The analysis found no indicators of the suspected compromise on any of the four systems, and the tagged search results documented that conclusion.
BlackLight indexing and index search features were used to confirm no systems were compromised.
An Endpoint Detection and Response (EDR) solution indicated there was a possible web shell attack. BlackLight was used to quickly confirm no systems were compromised.
One of the largest banks in the world used BlackLight to quickly analyze data on possibly compromised systems.
A single BlackLight case file was used to process all systems suspected of compromise.