Detecting a Shellshock attack

ThreatLockDown is capable of detecting a Shellshock attack by analyzing web server logs collected from a monitored endpoint. In this use case, you set up an Apache web server on the Ubuntu endpoint and simulate a Shellshock attack against it from the RHEL endpoint.

Infrastructure

Endpoint      Description
Ubuntu 22.04  Victim endpoint running an Apache 2.4.54 web server.
RHEL 9.0      Attacker endpoint that sends a malicious HTTP request to the victim's web server.

Configuration

Ubuntu endpoint

Perform the following steps to install an Apache web server and monitor its logs with the ThreatLockDown agent.

  1. Update local packages and install the Apache web server:

    $ sudo apt update
    $ sudo apt install apache2
    
  2. If a firewall is enabled, modify it to allow external access to web ports. Skip this step if the firewall is disabled:

    $ sudo ufw app list
    $ sudo ufw allow 'Apache'
    $ sudo ufw status
    
  3. Check that the Apache web server is running:

    $ sudo systemctl status apache2
    
  4. Add the following lines to the ThreatLockDown agent /var/ossec/etc/ossec.conf configuration file. This sets the ThreatLockDown agent to monitor the access logs of your Apache server:

    <localfile>
        <log_format>syslog</log_format>
        <location>/var/log/apache2/access.log</location>
    </localfile>
    
  5. Restart the ThreatLockDown agent to apply the configuration changes:

    $ sudo systemctl restart wazuh-agent
    

Attack emulation

  1. Replace <WEBSERVER_IP> with the IP address of the Ubuntu endpoint and execute the following command from the attacker endpoint:

    $ sudo curl -H "User-Agent: () { :; }; /bin/cat /etc/passwd" <WEBSERVER_IP>
    

Visualize the alerts

You can visualize the alert data in the ThreatLockDown dashboard. To do this, go to the Threat Hunting module and use the following filters in the search bar to query the alerts:

  • rule.description:Shellshock attack detected

  • If you have Suricata monitoring the endpoint traffic, you can also query rule.description:*CVE-2014-6271* for the related Suricata alerts.
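The detection the dashboard surfaces rests on one observation: a Shellshock request carries a Bash function definition ("() {") in a client-controlled header that a CGI server exports as an environment variable. The following Python script is an added example, not ThreatLockDown's own rule, that parses Apache combined-format access.log lines (the default format on Ubuntu) and flags entries whose User-Agent, Referer or request line contains that marker; the log lines are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" log format, the default for access.log on Ubuntu:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# CVE-2014-6271 payloads open with a Bash function definition, "() {", followed by
# a body and then the commands that Bash mistakenly executes. Whitespace is optional.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one combined-format line, or None if it does not match."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_shellshock(entry: Dict[str, str]) -> bool:
    """True when a client-controlled field that CGI turns into an env var carries the marker."""
    return any(SHELLSHOCK_RE.search(entry[field]) for field in ("agent", "referer", "request"))


def find_shellshock(lines: List[str]) -> List[Dict[str, str]]:
    """Parse every log line and return the entries that look like Shellshock attempts."""
    hits = []
    for line in lines:
        entry = parse_combined(line)
        if entry is not None and is_shellshock(entry):
            hits.append(entry)
    return hits


# Constructed sample access.log lines (not captured traffic). The second line mirrors
# the User-Agent header that the attack emulation above sends to the web server.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jan/2023:12:00:01 +0000] "GET / HTTP/1.1" 200 3460 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2023:12:00:05 +0000] "GET / HTTP/1.1" 200 3460 "-" "() { :; }; /bin/cat /etc/passwd"',
    '192.0.2.11 - - [10/Jan/2023:12:00:09 +0000] "GET /index.html HTTP/1.1" 404 196 "-" "curl/7.81.0"',
]

if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(f"Shellshock attempt from {hit['host']}: User-Agent={hit['agent']!r}")
```

Run against a copy of /var/log/apache2/access.log to confirm the emulated request appears before checking the dashboard filter; a hit in the log but no alert points at the <localfile> configuration rather than the rule.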