T1505.003: Web Shell
| View on MITRE ATT&CK | T1505.003 |
|---|---|
| Tactic(s) | Persistence |
| Associated CAPEC Patterns | Upload a Web Shell to a Web Server (CAPEC-650) |
Data from MITRE ATT&CK®:
Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW)
In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. China Chopper Web shell client).(Citation: Lee 2013)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Reporting on this Technique
Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
Reporting from Mandiant which discusses the exploitation of Pulse Secure VPN devices in 2021 and 12 malware families associated with the campaign. ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
APT41 Has Arisen From the DUST
This report from Mandiant outlines APT41 activity observed since 2023 including successful compromises of logistic, media, technology and ...
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang who have been observed ...
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
This report from Recorded Future's Insikt Group outlines activity by the Red Hotel intrusion set. RedHotel is identified as a prominent Chinese ...
People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection
This advisory from the US National Security Agency, CISA and various other agencies outlines tactics, techniques and procedures used by Volt ...
Mitigations for this technique
MITRE ATT&CK Mitigations
How to detect this technique
MITRE ATT&CK Data Components
File Creation (File): Initial construction of a new file (ex: Sysmon EID 11)
Network Traffic Content (Network Traffic): Logged network traffic data showing both protocol header and body values (ex: PCAP)
Application Log Content (Application Log): Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)
File Modification (File): Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)
Process Creation (Process): The initial construction of an executable managed by the OS, that may involve one or more tasks or threads (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
Network Traffic Flow (Network Traffic): Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Sigma Detections for this Technique
Shellshock Expression
Certificate Request Export to Exchange Webserver
Webshell Remote Command Execution
Exchange Set OabVirtualDirectory ExternalUrl Property
Windows Webshell Strings
Linux Webshell Indicators
Suspicious ASPX File Drop by Exchange
Antivirus Web Shell Detection
Suspicious File Drop by Exchange
Suspicious Child Process Of SQL Server
Webshell Detection With Command Line Keywords
Webshell Tool Reconnaissance Activity
Potential Webshell Creation On Static Website
Chopper Webshell Process Pattern
Suspicious MSExchangeMailboxReplication ASPX Write
Mailbox Export to Exchange Webserver
Suspicious Windows Strings In URI
Webshell ReGeorg Detection Via Web Logs
Webshell Hacking Activity Patterns
IIS Native-Code Module Command Line Installation
Suspicious Process By Web Server Process
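The Process Creation data component and the "Suspicious Process By Web Server Process" / "Webshell Detection With Command Line Keywords" rule names above both rest on one observation: a web server worker process normally has no reason to spawn an interactive shell or run host reconnaissance commands. The following added example (not code from the ATT&CK page or from the Sigma project) runs that check over constructed Sysmon EID 1-style events; the web server process names, shell names and keyword list are assumptions chosen for illustration.

```python
"""Flag web-server worker processes that spawn shells or recon commands.

Added example; events below are constructed, Sysmon EID 1-style records.
Process name sets and keyword list are assumptions, not an official list.
"""
import re
from typing import Iterable

# Assumed names of common web server worker processes (the parent side).
WEB_SERVER_PROCS = {"w3wp.exe", "httpd", "apache2", "nginx", "php-fpm"}
# Assumed interpreters/shells a web shell typically launches (the child side).
SHELL_PROCS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}
# Assumed reconnaissance keywords, in the spirit of "cmd.exe > net use".
RECON_KEYWORDS = re.compile(
    r"\b(net use|net user|whoami|ipconfig|systeminfo|id|uname)\b", re.I)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def score_event(ev: dict) -> list[str]:
    """Return the reasons an EID 1-style event looks like web shell activity."""
    reasons = []
    parent = basename(ev.get("ParentImage", ""))
    child = basename(ev.get("Image", ""))
    cmdline = ev.get("CommandLine", "")
    if parent in WEB_SERVER_PROCS:            # only care about web server children
        if child in SHELL_PROCS:
            reasons.append(f"web server {parent} spawned shell {child}")
        if RECON_KEYWORDS.search(cmdline):
            reasons.append(f"recon keyword in command line: {cmdline!r}")
    return reasons


def detect(events: Iterable[dict]) -> list[dict]:
    """Return one hit per event that has at least one reason."""
    return [{"UtcTime": ev.get("UtcTime"), "reasons": r}
            for ev in events if (r := score_event(ev))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"UtcTime": "2024-01-01 10:00:00", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c net use"},
    {"UtcTime": "2024-01-01 10:00:05", "ParentImage": "/usr/sbin/apache2",
     "Image": "/bin/sh", "CommandLine": "sh -c 'id; uname -a'"},
    {"UtcTime": "2024-01-01 10:00:10", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},  # not a web server parent
    {"UtcTime": "2024-01-01 10:00:15", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe"},  # web server child, but benign
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Only the first two constructed events are flagged; the explorer.exe-spawned shell and the conhost.exe child of w3wp.exe produce no hit, which is the false-positive boundary such a rule must keep.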
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.