A forensic analyst is investigating a webshell on an IIS server. The access.log shows: 10.0.0.5, -, 12/Mar/2023:14:22:10 +0000, POST /uploads/cmd.aspx, 200, 0, 1234. Which log entry is most indicative of webshell activity?
The name 'cmd.aspx' suggests command execution, and the uploads directory is a common webshell location.
Why this answer
A POST request to an ASPX file in an uploads directory, returning 200 with a small response size and user-agent, is suspicious.