This is my first write-up in the SOC Analyst Tier 1 series, starting with the WebStrike lab from CyberDefenders.
In this challenge, I analyzed a network capture (PCAP) to uncover how an attacker compromised a web server, uploaded a PHP webshell, and exfiltrated sensitive data.
This walkthrough covers my full investigation using Wireshark and tshark, along with actionable SOC detection tips.
Lab Objective
Analyze network traffic to investigate a web server compromise, identify a webshell deployment, and trace any data exfiltration.
Tools Used
- Wireshark – packet capture analysis
- tshark – command-line extraction and filtering
- file / xxd / strings – verify file headers & content
- NetworkMiner – optional, for automatic file extraction
Key Findings (IOCs)
| Indicator | Value | Description |
|---|---|---|
| Attacker IP | 117.11.88.124 | Source of malicious traffic |
| Server IP | 24.49.63.79 | Target web server |
| Uploaded File | image.jpg.php | Disguised PHP webshell |
| Upload Path | /reviews/uploads/ | Directory with write access |
| Callback Port | 8080 | Used for reverse connection |
| User-Agent | Mozilla/5.0 (X11; Linux x86_64; rv:109.0) | Fake Firefox client |
| Exfiltrated File | /etc/passwd | Sensitive system file stolen |
Step-by-Step Investigation
1. Identify Active Endpoints
```
tshark -r WebStrike.pcap -q -z endpoints,ip
```
Two dominant IPs stand out:
- 117.11.88.124 → attacker
- 24.49.63.79 → victim web server
2. Inspect HTTP Traffic
List all HTTP requests:
```
tshark -r WebStrike.pcap -Y http.request -T fields -e ip.src -e http.request.method -e http.request.uri
```
Look for suspicious POST requests — these often indicate file uploads.
3. Detect the Upload
Apply a filter in Wireshark:
```
http.request.method == "POST"
```
Within the payload, a file named image.jpg.php is uploaded to /reviews/uploads/.
4. Export Files from the Capture
```
tshark -r WebStrike.pcap --export-objects http,./extracted_files/
```
Then verify the file type:
```
file extracted_files/image.jpg.php
```
The content reveals executable PHP code, confirming it’s a webshell.
5. Trace Webshell Activity
Filter follow-up GET requests:
```
http.request.uri contains "image.jpg.php"
```
Responses show the webshell executing system commands — one response includes /etc/passwd, proving data exfiltration.
6. Confirm Reverse Connection
Inspect connections from the server to attacker on port 8080:
```
tcp.port == 8080 && ip.src == 24.49.63.79
```
This shows the reverse shell initiated successfully.
Attack Summary
- Attacker uploaded image.jpg.php to /reviews/uploads/.
- The file was requested remotely, activating the PHP webshell.
- Reverse shell opened on port 8080.
- /etc/passwd exfiltrated to the attacker.
Detection & Response Checklist
- Search web logs for image.jpg.php or /uploads/ references.
- Review firewall/proxy logs for outbound connections to 117.11.88.124:8080.
- Alert on POST uploads followed by immediate GET executions.
Suricata / Snort Example Rules
```
alert http any any -> any any (msg:"WebShell Upload Detected - image.jpg.php"; flow:to_server,established; content:"image.jpg.php"; http_uri; nocase; sid:100001; rev:1;)
alert http any any -> any any (msg:"PHP Code Found in POST Upload"; flow:to_server,established; content:"POST"; http_method; content:"<?php"; http_client_body; nocase; sid:100002; rev:1;)
```
Note that `http_uri`, `http_method` and `http_client_body` are content modifiers: each must come directly after the `content` keyword it applies to, otherwise the rule fails to load.
SOC Tier 1 Takeaways
- Never rely on file extensions — validate uploads by MIME and magic bytes.
- Monitor for POST → GET sequences to the same filename.
- Unusual egress traffic to high ports (8080, 4444, etc.) should trigger alerts.
- Escalate immediately if sensitive files like /etc/passwd appear in HTTP responses.
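As an added example (not part of the lab or this write-up), the following Python script turns two of the checklist items above into detection logic: it flags double-extension names like image.jpg.php and correlates a POST followed by a GET under /uploads/ from the same client. It reads the tab-separated output of the tshark fields command from step 2 with an extra `frame.time_epoch` column for ordering; the sample rows are constructed, not taken from the lab PCAP.

```python
import re

# Constructed sample in the tab-separated layout that
#   tshark -r WebStrike.pcap -Y http.request -T fields \
#     -e frame.time_epoch -e ip.src -e http.request.method -e http.request.uri
# would emit; the rows are invented for this example, not taken from the lab PCAP.
SAMPLE_FIELDS = """\
1700000001.00\t117.11.88.124\tGET\t/reviews/
1700000002.00\t117.11.88.124\tPOST\t/reviews/upload.php
1700000003.50\t117.11.88.124\tGET\t/reviews/uploads/image.jpg.php
1700000004.00\t117.11.88.124\tGET\t/reviews/uploads/image.jpg.php?cmd=id
1700000005.00\t10.0.0.5\tGET\t/index.html
1700000006.00\t10.0.0.5\tGET\t/reviews/uploads/photo.jpg
"""

# Image extension immediately followed by a server-side script extension.
DOUBLE_EXT = re.compile(r"\.(?:jpe?g|png|gif)\.(?:php\d?|phtml|phar)(?:$|\?)", re.I)
UPLOAD_DIR = "/uploads/"      # directory the write-up identifies as writable
WINDOW_SECONDS = 300.0        # POST-to-GET gap that still counts as "immediate"


def parse_fields(text):
    """Parse tshark field lines into sorted (time, src, method, uri) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4 or not parts[2]:
            continue  # blank line or a request without a method field
        ts, src, method, uri = parts
        rows.append((float(ts), src, method.upper(), uri))
    return sorted(rows)


def detect(text):
    """Return de-duplicated (rule, src, path) findings for the two checklist rules."""
    findings, seen, last_post = [], set(), {}
    for ts, src, method, uri in parse_fields(text):
        path = uri.split("?", 1)[0]
        hits = []
        if DOUBLE_EXT.search(uri):
            hits.append(("double_extension", src, path))
        if method == "POST":
            last_post[src] = ts          # remember the most recent upload per client
        elif (method == "GET" and UPLOAD_DIR in path and src in last_post
              and ts - last_post[src] <= WINDOW_SECONDS):
            hits.append(("post_then_get_upload", src, path))
        for hit in hits:
            if hit not in seen:          # the same shell is usually hit many times
                seen.add(hit)
                findings.append(hit)
    return findings
```

Running `detect(SAMPLE_FIELDS)` yields one finding per rule for the attacker IP and nothing for the benign client that only fetched a real image.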
Conclusion
The WebStrike lab demonstrates a classic webshell attack chain:
Upload → Execute → Callback → Exfiltrate.
As a Tier 1 SOC Analyst, your goal is early detection — identify the suspicious upload, verify the callback, and escalate with evidence before more data leaves the network.
Next in this series: I’ll cover Oski, focusing on malware sandbox and threat intelligence correlation.