T1505.003: Web Shell

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.

In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. China Chopper Web shell client).

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

- supply_chain: PT-CR-1934: SupplyChain_TeamCity_Plugin_Modify: A plugin was used. Attackers can manipulate TeamCity plugins to upload malicious code
- pt_application_firewall: PT-CR-1916: PTAF_Webshell_Detected: PT AF detected an attempt to upload a web shell to a web server
- mitre_attck_execution: PT-CR-651: Suspicious_Webscript: A user attempted to start an unknown script
- unix_mitre_attck_persistence: PT-CR-1027: Unix_Webshell_Created: A possible attempt to upload a web shell on a Unix web server
- mitre_attck_persistence: PT-CR-266: Windows_Webshell_Created: A potential attempt to deploy a web shell on a Windows web server is detected

Detection

ID: DS0009
Data source and component: Process: Process Creation

Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections; the adversary reaches them over the same HTTP(S) port the server already exposes. The portion of the Web shell that is on the server may be small and innocuous looking: the PHP version of the China Chopper Web shell, for example, is a single short line that passes a POST parameter straight to eval().

Nevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as spawning cmd.exe or accessing files that are not in the Web directory.

A web shell is a web script placed on an openly accessible web server to allow an adversary to use the server as a gateway into a network. As the shell operates, commands are issued from within the web application into the broader server operating system. This analytic looks for host enumeration executables launched by a web service process that would not normally execute them in that environment.

Analytic 1 - Webshell-Indicative Process Tree

(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688") (ParentImage="C:\Windows\System32\*w3wp.exe" OR ParentImage="*\httpd.exe" OR ParentImage="*\tomcat.exe" OR ParentImage="*\nginx.exe") (Image="C:\Windows\System32\cmd.exe" OR Image="C:\Windows\SysWOW64\cmd.exe" OR Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" OR Image="C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" OR Image="C:\Windows\System32\net.exe" OR Image="C:\Windows\System32\hostname.exe" OR Image="C:\Windows\System32\whoami.exe" OR Image="*\systeminfo.exe" OR Image="C:\Windows\System32\ipconfig.exe")

Sysmon records ParentImage and Image as full paths, so the parent matches use a leading wildcard rather than a bare file name. The raw Security 4688 event carries the same fields as ParentProcessName and NewProcessName; the search assumes they have been normalized to ParentImage and Image.
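The same Analytic 1 logic, written out in Python over a few constructed Sysmon Event ID 1 records, is added here as an illustration; it is not part of the ATT&CK entry or of the Positive Technologies rule set, and the hosts, paths and command lines in the sample log are made up. It matches on the image file name because Sysmon records full paths, and it treats an Apache worker spawning another httpd.exe as benign, which the process-tree rule alone would also do.

```python
# Added example (not part of the ATT&CK page or of Positive Technologies' rules):
# Analytic 1 implemented over constructed Sysmon Event ID 1 records.
import ntpath
import re

# Web server worker processes named in Analytic 1. Sysmon records full paths,
# so matching is done on the file name only.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "tomcat.exe", "nginx.exe"}

# Shells and host-enumeration tools a web worker has no business launching.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "net.exe", "hostname.exe",
    "whoami.exe", "systeminfo.exe", "ipconfig.exe",
}

# Flattened key=value / key="value" event lines, as a SIEM might export them.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Parse one flattened event line into a field dictionary."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def image_name(path: str) -> str:
    """File name of a Windows image path, lower-cased for comparison."""
    return ntpath.basename(path).lower()


def is_webshell_indicative(event: dict) -> bool:
    """True when a process-creation event shows a web worker spawning a shell
    or a host-enumeration tool."""
    if event.get("EventCode") != "1":
        return False
    return (image_name(event.get("ParentImage", "")) in WEB_SERVER_PARENTS
            and image_name(event.get("Image", "")) in SUSPICIOUS_CHILDREN)


def detect(events) -> list:
    """Return the events that match Analytic 1, in log order."""
    return [event for event in events if is_webshell_indicative(event)]


# Constructed sample log (hypothetical hosts and paths; not real telemetry).
SAMPLE_LOG = [
    r'EventCode=1 ParentImage="C:\Windows\System32\inetsrv\w3wp.exe" Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c whoami"',
    r'EventCode=1 ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe"',
    r'EventCode=1 ParentImage="C:\Apache24\bin\httpd.exe" Image="C:\Apache24\bin\httpd.exe" CommandLine="httpd.exe -d C:\Apache24"',
    r'EventCode=1 ParentImage="C:\Tomcat\bin\tomcat.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell -nop -c systeminfo"',
    r'EventCode=11 Image="C:\Windows\System32\inetsrv\w3wp.exe" TargetFilename="C:\inetpub\wwwroot\cmd.aspx"',
]

if __name__ == "__main__":
    for hit in detect(parse_event(line) for line in SAMPLE_LOG):
        print(f'ALERT parent={hit["ParentImage"]} child={hit["Image"]} cmd={hit["CommandLine"]}')
```

Running the block prints two alerts: the IIS worker launching cmd.exe and the Tomcat service launching powershell.exe. Tune it for a given estate by adding the application's own interpreters (for example php-cgi.exe behind IIS) to the parent set and by excluding deployment jobs that legitimately run from the web server's service account.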

ID: DS0022
Data source and component: File: File Creation

File monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script.
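One way to act on such file events, added here as an illustration (not the page's own rule logic and not Positive Technologies' code): every server-side script written into the web root is compared against the set of paths the release process is known to have written, and its content is checked for the shapes of one-line and lightly obfuscated shells, including the China Chopper style eval() of a POST parameter described above. The web root, the deployment manifest and the sample files are all constructed. The same check applies to modifications of files that were legitimately deployed.

```python
# Added example (not part of the ATT&CK page or of Positive Technologies' rules):
# scanning files written into a web root for web shell indicators.
import re
from pathlib import PurePosixPath

# Extensions the web server hands to an interpreter; anything else is static.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".asp", ".aspx", ".ashx", ".jsp", ".jspx"}

# Each pattern pairs a code-execution primitive with data taken straight from
# the request, or with a decoder wrapped around eval().
INDICATORS = {
    "php_eval_request": re.compile(
        r"\b(?:eval|assert)\s*\(\s*@?\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I),
    "php_shell_request": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*@?\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I),
    "php_eval_base64": re.compile(
        r"\beval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)?\s*\(?\s*base64_decode\s*\(", re.I),
    "aspx_eval_request": re.compile(r"\beval\s*\(\s*Request\b", re.I),
    "jsp_exec_request": re.compile(
        r"Runtime\.getRuntime\(\)\.exec\s*\(.*request\.getParameter", re.I),
}


def scan_content(content: str) -> list:
    """Names of the indicators whose pattern occurs in the content, sorted."""
    return sorted(name for name, pattern in INDICATORS.items() if pattern.search(content))


def scan_file_event(path: str, content: str, deployed: set) -> list:
    """Findings for one file created or modified under the web root.

    deployed: paths the release process is known to have written, so any other
    server-side script is suspicious regardless of what it contains."""
    file_path = PurePosixPath(path)
    if file_path.suffix.lower() not in SCRIPT_EXTENSIONS:
        return []                      # not executed by the server
    findings = []
    if file_path.as_posix() not in deployed:
        findings.append("script_not_in_deployment_manifest")
    findings.extend(scan_content(content))
    return findings


def scan_events(events, deployed: set) -> dict:
    """Map each flagged path to its list of findings."""
    result = {}
    for path, content in events:
        findings = scan_file_event(path, content, deployed)
        if findings:
            result[path] = findings
    return result


# Constructed samples (hypothetical web root and files; the shell bodies are
# the well-known one-line shapes, reproduced here only as detection test input).
CHINA_CHOPPER_LIKE = "<?php @eval($_POST['password']); ?>"
ASPX_LIKE = '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>'
JSP_LIKE = '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>'
OBFUSCATED_PHP = "<?php eval(base64_decode('ZWNobyAxOw==')); ?>"   # decodes to: echo 1;
BENIGN_PHP = "<?php\n$id = (int)$_GET['id'];\necho htmlspecialchars(get_title($id));\n"

DEPLOYED = {"/var/www/html/index.php", "/var/www/html/lib/db.php"}
SAMPLE_FILE_EVENTS = [
    ("/var/www/html/index.php", BENIGN_PHP),                 # deployed, clean
    ("/var/www/html/uploads/avatar.png", "\x89PNG\r\n"),     # static asset
    ("/var/www/html/uploads/avatar.php", CHINA_CHOPPER_LIKE),  # dropped via upload
    ("/var/www/html/aspnet_client/ping.aspx", ASPX_LIKE),
    ("/var/www/html/app/ping.jsp", JSP_LIKE),
    ("/var/www/html/lib/db.php", OBFUSCATED_PHP),            # deployed file rewritten
]

if __name__ == "__main__":
    for path, findings in scan_events(SAMPLE_FILE_EVENTS, DEPLOYED).items():
        print(path, findings)
```

The manifest comparison is the stronger of the two checks: content patterns are easy to evade with encoding or string splitting, whereas a script that no release ever wrote is suspicious whatever it contains. The rewritten lib/db.php shows why content inspection still earns its place, since that file is in the manifest and only the body gives it away.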

ID: DS0015
Data source and component: Application Log: Application Log Content

Monitor third-party application logs, messaging, and other artifacts for indications that a web server has been backdoored with a web shell. Log authentication attempts to the server and any unusual traffic patterns to or from the server and the internal network.
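A web shell is driven by its client rather than browsed, so in the server's own access log it tends to appear as a resource that only ever receives POST requests, never a GET, never with a Referer, from one or two source addresses. The following analytic, added here as an illustration (not part of the ATT&CK entry or of the Positive Technologies rule set), looks for exactly that pattern in constructed Apache combined-format log lines; the hosts, paths and user agents are made up.

```python
# Added example (not part of the ATT&CK page or of Positive Technologies' rules):
# access-log analytic for POST-only resources driven by a handful of clients.
import re
from collections import defaultdict

# Apache / nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def parse_access_line(line: str):
    """Fields of one combined-format access log line, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def post_only_resources(lines, max_clients: int = 2) -> list:
    """Paths that received only POST requests (no GET), never carried a Referer,
    and were reached from at most max_clients distinct source addresses."""
    stats = defaultdict(lambda: {"get": 0, "post": 0, "referer": 0, "ips": set()})
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]      # ignore query strings
        entry = stats[path]
        entry["ips"].add(rec["ip"])
        if rec["method"] == "GET":
            entry["get"] += 1
        elif rec["method"] == "POST":
            entry["post"] += 1
        if rec["referer"] not in ("", "-"):
            entry["referer"] += 1
    return sorted(
        path for path, entry in stats.items()
        if entry["post"] and not entry["get"] and not entry["referer"]
        and len(entry["ips"]) <= max_clients)


# Constructed sample log (hypothetical addresses, paths and user agents).
SAMPLE_ACCESS_LOG = [
    '198.51.100.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '198.51.100.11 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 2326 "https://www.example.com/" "Mozilla/5.0"',
    '198.51.100.11 - - [10/Oct/2023:13:56:20 +0000] "GET /login.php HTTP/1.1" 200 1480 "https://www.example.com/index.php" "Mozilla/5.0"',
    '198.51.100.11 - - [10/Oct/2023:13:56:31 +0000] "POST /login.php HTTP/1.1" 302 0 "https://www.example.com/login.php" "Mozilla/5.0"',
    '198.51.100.12 - - [10/Oct/2023:13:57:02 +0000] "POST /login.php HTTP/1.1" 302 0 "https://www.example.com/login.php" "Mozilla/5.0"',
    # A legitimate POST-only API used by many clients without a Referer.
    '198.51.100.20 - - [10/Oct/2023:14:00:01 +0000] "POST /api/v1/ping HTTP/1.1" 200 15 "-" "MobileApp/2.1"',
    '198.51.100.21 - - [10/Oct/2023:14:00:05 +0000] "POST /api/v1/ping HTTP/1.1" 200 15 "-" "MobileApp/2.1"',
    '198.51.100.22 - - [10/Oct/2023:14:00:09 +0000] "POST /api/v1/ping HTTP/1.1" 200 15 "-" "MobileApp/2.1"',
    # A script in the upload directory that a single client keeps POSTing to.
    '203.0.113.7 - - [10/Oct/2023:14:02:11 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 312 "-" "Mozilla/4.0 (compatible)"',
    '203.0.113.7 - - [10/Oct/2023:14:02:19 +0000] "POST /uploads/avatar.php?x=1 HTTP/1.1" 200 4410 "-" "Mozilla/4.0 (compatible)"',
    '203.0.113.7 - - [10/Oct/2023:14:03:40 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 98 "-" "Mozilla/4.0 (compatible)"',
]

if __name__ == "__main__":
    print(post_only_resources(SAMPLE_ACCESS_LOG))
```

The client threshold is what separates the shell from a legitimate POST-only API endpoint: /api/v1/ping is also never fetched with GET and never carries a Referer, but it is reached from many addresses. Raising max_clients to 5 on the sample makes both paths appear, which is the trade-off to tune against a real site's traffic baseline.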

ID: DS0029
Data source and component: Network Traffic: Network Traffic Content

Monitor and analyze traffic patterns, and inspect packets, for protocol use that does not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlating this with process monitoring and command-line logging to detect anomalous process execution and command-line arguments associated with the traffic patterns (e.g., monitor for anomalous use by files that do not normally initiate connections for the respective protocol(s)).

ID: DS0029
Data source and component: Network Traffic: Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

ID: DS0022
Data source and component: File: File Modification

Monitor for modifications to existing files in the web directory, which may indicate that a legitimate page has been backdoored with a web shell to establish persistent access.

Mitigation

ID: M1042
Name: Disable or Remove Feature or Program

Consider disabling functions of web technologies that may be abused by web shells. In PHP, the command-execution functions system(), exec(), shell_exec(), passthru(), popen() and proc_open() can be turned off with the disable_functions directive in php.ini. Note that PHP's eval() is a language construct rather than a function, so disable_functions cannot remove it; against eval()-based shells the practical defences are the file-integrity and least-privilege controls listed on this page.

ID: M1018
Name: User Account Management

Enforce the principle of least privilege by limiting the privileges of user accounts so that only authorized accounts can modify the web directory. In particular, the account the web server runs under should not be able to write to directories from which server-side scripts are executed, and directories that must accept uploads should not have script execution enabled.