
Artifact Analysis: Ivanti Webshells & File Trojanizing

Ivanti appliances expose numerous web services. Threat actors constantly hunt for writable directories mapped to the web root to drop their malicious scripts. Assuming the forensic image is mounted at /mnt/analysis/, analysts must target specific paths based on the appliance type.

Ivanti Connect Secure (ICS) relies heavily on Perl (.pl, .cgi) and Python.

  • /mnt/analysis/home/perl/hm/: Contains numerous legitimate CGI scripts. It is a classic hiding spot for Perl-based webshells.
  • /mnt/analysis/data/var/www/: The web root for specific exposed services.
  • /mnt/analysis/data/runtime/tmp/: Used for storing temporary files, but occasionally exposed or abused for payload staging.

The Endpoint Manager Mobile (EPMM) architecture closely resembles a traditional web stack (Apache/Tomcat).

  • /mnt/analysis/var/www/html/: The standard Apache web root.
  • /mnt/analysis/usr/local/mobileiron/: The core application directory where threat actors attempt to blend in.

2. The Art of “Trojanizing” (File Modification)


Instead of dropping a new, highly visible file, sophisticated APTs prefer to modify existing, legitimate system files. This is known as “Trojanizing”.

  • The Objective: Credential Harvesting (intercepting passwords in cleartext) or maintaining stealthy persistence.
  • The Target: Authentication handlers. Attackers target Perl (.pl, .pm) or Python (.py) scripts responsible for the login flow.
  • Classic Example: During the exploitation of CVE-2023-46805, attackers were widely observed modifying the compcheck.py file to bypass authentication and execute arbitrary commands.

Detecting trojanized files with the naked eye is extremely difficult because the filename, permissions, and location appear entirely legitimate. This necessitates the use of cryptographic baseline comparisons.

3. The Ultimate Artifact: Integrity Checker Tool (ICT) Logs


Ivanti provides an internal utility called the Integrity Checker Tool (ICT). It scans the appliance and compares the SHA256 hashes of all system files against a vendor-provided cryptographic whitelist.

If a system snapshot or log collection was taken, analysts must immediately locate the ICT reports.

  • Artifact Location: Usually found in /data/var/dlogs/ or /var/log/ with filenames like integrity_check.log, ICT_result, or within the snapshot archive.

When parsing the ICT log, analysts must categorize the findings:

  • Matched: The file is healthy and matches the official hash.
  • New: The file exists on disk but is not in the official whitelist. This is a high-probability webshell.
  • Modified / Mismatch: The file exists in the whitelist, but its hash has changed. The file has been Trojanized. This is a confirmed indicator of compromise.
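The same three-way classification can be reproduced by hand on the mounted image when no ICT report was collected. The following is an added example, not Ivanti's ICT or this page's script: it assumes a whitelist in sha256sum style (`<sha256hex>  <path relative to the image root>`, one per line) and builds a constructed sample tree with placeholder bytes rather than real appliance files.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large appliance binaries fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text: str) -> dict[str, str]:
    """Assumed whitelist format: '<sha256hex>  <path relative to image root>' per line."""
    baseline = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, rel = line.split(None, 1)
        baseline[rel.strip()] = digest.lower()
    return baseline

def classify_tree(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Bucket every file under root as matched / new / modified (the ICT categories)."""
    result = {"matched": [], "new": [], "modified": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        expected = baseline.get(rel)
        if expected is None:
            result["new"].append(rel)       # on disk but unknown to the vendor: webshell candidate
        elif sha256_file(path) == expected:
            result["matched"].append(rel)
        else:
            result["modified"].append(rel)  # legitimate name, changed content: trojanized
    return result

def demo() -> dict[str, list[str]]:
    """Constructed sample image with placeholder bytes, not real appliance files."""
    clean, edited, dropped = b"vendor status.cgi", b"vendor login.pl + edit", b"dropped file"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "home/perl/hm").mkdir(parents=True)
        (root / "home/perl/hm/status.cgi").write_bytes(clean)
        (root / "home/perl/hm/login.pl").write_bytes(edited)
        (root / "home/perl/hm/help.cgi").write_bytes(dropped)
        manifest = (f"{hashlib.sha256(clean).hexdigest()}  home/perl/hm/status.cgi\n"
                    f"{hashlib.sha256(b'vendor login.pl').hexdigest()}  home/perl/hm/login.pl\n")
        return classify_tree(root, parse_manifest(manifest))
```

Point `classify_tree` at `/mnt/analysis` with the vendor manifest to get the Matched / New / Modified lists for the real image.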

If an attacker achieves root access via a web exploit, they will invariably attempt to establish OS-level persistence to survive firmware upgrades or web service restarts.

Analysts must pivot to standard Linux forensic techniques on the mounted image:

  • Cron Jobs & Scheduled Tasks: Audit /var/spool/cron/ and /etc/cron*. Attackers frequently append single-line reverse shells (e.g., using bash -i or nc) to execute periodically.
  • SSH Artifacts: Check /root/.ssh/authorized_keys. Appending a rogue SSH public key allows the attacker to bypass the web exploit entirely for future access.
  • Legacy Persistence: Audit /etc/rc.local or systemd directories (/etc/systemd/system/) for malicious startup scripts.

Instead of relying solely on antivirus signatures, DFIR analysts use native Linux commands on the mounted image to hunt for behavioral anomalies.

hunt_ivanti_webshells.sh

```bash
#!/bin/bash
# hunt_ivanti_webshells.sh: behavioural triage of a mounted Ivanti forensic image
set -u
TARGET_DIR="/mnt/analysis"
INCIDENT_DATE="2026-01-01"   # earliest suspected compromise date; adjust per case

echo "[+] Hunting for newly created or modified files (MAC times)..."
find "$TARGET_DIR/home/perl" "$TARGET_DIR/data/var/www" -type f -newermt "$INCIDENT_DATE" -ls

echo "[+] Hunting for suspicious functions in Perl/Python files..."
# Looking for OS command execution or obfuscation functions (Perl system/exec/eval,
# Python os.system/subprocess/b64decode, plus PHP-style names that betray a foreign shell)
grep -rnE "system\(|exec\(|shell_exec|eval\(|popen\(|subprocess|base64_decode|b64decode" "$TARGET_DIR/home/perl/"

echo "[+] Hunting for anomalous file extensions..."
# A .php or .jsp file hiding inside a Perl CGI directory is highly suspicious
find "$TARGET_DIR/home/perl/hm" -type f \( -name "*.php" -o -name "*.jsp" \)
```