
SANS ISC: InfoSec Handlers Diary Blog



Scans Attempting to use PowerShell to Download PHP Script

Published: 2018-05-06
Last Updated: 2018-05-07 01:08:59 UTC
by Guy Bruneau (Version: 1)

A few days ago I started seeing traffic in my honeypot attempting to use PowerShell to download a PHP script as a test. The script might look like this.

Using CyberChef, I decoded the base64 URL, but the PHP script was no longer available.

Have you seen a similar query in your logs? We would be interested in getting a copy of the PHP script. You can use our contact page to submit a copy.
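Added example, not part of the original diary: one way to search web logs for requests that mention PowerShell and decode any base64 token in them that hides a URL, as was done by hand in CyberChef above. The log layout, the `c` parameter, the placeholder URL and the function names are assumptions, and the sample lines are constructed.

```python
import base64
import re
from urllib.parse import unquote  # unquote() leaves '+' alone, unlike unquote_plus()

# Constructed sample requests, not taken from the diary. The log layout, the
# "c" parameter and the placeholder URL are assumptions made for this example.
URL = "http://example.invalid/test.php"
UTF16_TOKEN = base64.b64encode(URL.encode("utf-16-le")).decode()
SAMPLE_LOG = [
    '203.0.113.7 "GET /index.html HTTP/1.1" 200',
    '203.0.113.9 "GET /?c=powershell%20'
    'aHR0cDovL2V4YW1wbGUuaW52YWxpZC90ZXN0LnBocA%3D%3D HTTP/1.1" 404',
    f'203.0.113.9 "GET /?c=PowerShell%20{UTF16_TOKEN} HTTP/1.1" 404',
    '203.0.113.5 "GET /?q=powershell%20tutorial HTTP/1.1" 200',
]
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_token(token):
    """Return the printable text a base64 token decodes to, else None."""
    body = token.rstrip("=")
    body += "=" * (-len(body) % 4)  # repair padding lost in transit
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # Try UTF-8 first, then UTF-16LE (what PowerShell's -EncodedCommand expects).
    for encoding in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            return text
    return None


def triage(lines):
    """Return (client, defanged URL) for PowerShell requests hiding a URL."""
    hits = []
    for line in lines:
        request = unquote(line)
        if "powershell" not in request.lower():
            continue
        for token in B64_TOKEN.findall(request):
            text = decode_token(token)
            if text and re.match(r"https?://", text):
                hits.append((line.split()[0], text.replace("http", "hxxp", 1)))
    return hits
```

Calling `triage(SAMPLE_LOG)` reports the two encoded requests and skips both the ordinary request and the harmless search for "powershell tutorial".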

[1] https://isc.sans.edu/forums/diary/CyberChef+a+Must+Have+Tool+in+your+Tool+bag/22458/

[2] https://isc.sans.edu/forums/diary/WebLogic+Exploited+in+the+Wild+Again/23617/

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Keywords: PHP PowerShell Scans