Web Shell

Information

• Name: Web Shell

• ID: T1505.003

• Tactics: TA0003

• Technique: T1505

Introduction

Web Shell (T1505.003) is a sub-technique within the MITRE ATT&CK framework categorized under Server Software Component (T1505). Attackers place web shells—scripts or programs—onto compromised web servers to maintain persistent access, execute arbitrary commands, and facilitate further attacks. Web shells typically leverage web-based scripting languages such as PHP, ASP, JSP, or JavaScript to provide attackers with a command interface accessible through HTTP/HTTPS requests.

Deep Dive Into Technique

Web shells are malicious scripts or programs uploaded to vulnerable web servers, allowing attackers to execute commands remotely via HTTP(S). They typically operate within the context of the web service user, inheriting its privileges and permissions. Common scripting languages used for web shells include:

• PHP

• ASP/ASP.NET

• JSP/Java

• JavaScript

• Python

• Perl

Attackers usually deploy web shells through several methods:

• Exploiting vulnerabilities in web applications (e.g., file upload vulnerabilities, Remote Code Execution (RCE) vulnerabilities)

• Gaining administrative credentials and uploading files directly

• Exploiting misconfigured or insecure file permissions on web servers

• Leveraging server-side template injection (SSTI) vulnerabilities

• Exploiting CMS (Content Management Systems) vulnerabilities (e.g., WordPress, Joomla, Drupal)

Once deployed, web shells can provide attackers with:

• Persistent remote access

• Command execution capabilities

• File upload/download and modification functionality

• Privilege escalation opportunities

• Network reconnaissance and pivoting capabilities

• Data exfiltration channels

Attackers often obfuscate web shells to evade detection by:

• Encoding scripts (base64, hex encoding)

• Using custom encryption or obfuscation techniques

• Embedding web shells within legitimate files or hidden directories

• Employing minimalistic, single-line scripts to evade signature-based detection

When this Technique is Usually Used

Attackers commonly deploy web shells during various stages of an attack lifecycle, including:

• Initial Access and Exploitation Stage:

  • Exploiting vulnerabilities in web applications or CMS platforms to upload web shells.

  • Leveraging file upload or RCE vulnerabilities to implant web shells.

• Persistence Stage:

  • Maintaining persistent, stealthy access to compromised web servers.

  • Ensuring continued access even after initial vulnerabilities are patched.

• Privilege Escalation and Lateral Movement Stage:

  • Using web shells to escalate privileges by exploiting local vulnerabilities or misconfigurations.

  • Pivoting to internal networks and other systems from compromised web servers.

• Exfiltration and Command and Control (C2) Stage:

  • Leveraging web shells as a covert channel for data exfiltration.

  • Establishing a hidden Command & Control channel to issue commands and manage compromised systems.

How this Technique is Usually Detected

Detection of web shells can be achieved through various methods and security tools, including:

• File Integrity Monitoring (FIM):

  • Monitoring for unauthorized changes to web directories and files.

• Web Application Firewalls (WAF):

  • Detecting and blocking suspicious HTTP requests and anomalous traffic patterns.

• Endpoint Detection and Response (EDR):

  • Identifying anomalous behaviors and suspicious file creations or modifications.

• Network Traffic Analysis:

  • Monitoring unusual outbound HTTP(S) traffic and detecting anomalous traffic patterns indicative of web shell interactions.

• Log Analysis and SIEM Solutions:

  • Analyzing web server logs for suspicious requests (e.g., unusual URLs, encoded parameters, abnormal POST requests).

  • Identifying unusual access patterns and IP addresses accessing uncommon URLs or scripts.

• Behavioral Analysis and Threat Hunting:

  • Regularly inspecting web directories for suspicious scripts or files.

  • Searching for indicators such as unexpected file extensions (.php, .jsp, .asp), encoded scripts, or anomalies in web application behavior.

• Indicators of Compromise (IoCs):

  • Suspicious file names or extensions (e.g., shell.php, cmd.jsp, cmd.aspx).

  • Unusual file timestamps or permissions.

  • Encoded or obfuscated scripts within web directories.

  • Unusual HTTP request parameters (e.g., cmd, exec, eval).

  • Known malicious IP addresses accessing web servers.

Why it is Important to Detect This Technique

Early detection of web shells is critical due to their significant security implications, including:

• Persistent Unauthorized Access:

  • Attackers can maintain long-term, stealthy access to compromised servers.

• Data Exfiltration Risks:

  • Sensitive data, such as customer information, intellectual property, or confidential business data, can be stolen.

• Privilege Escalation and Lateral Movement:

  • Web shells may enable attackers to escalate privileges, access internal networks, and compromise additional systems.

• Reputational Damage:

  • Undetected web shells can lead to significant reputational harm, loss of customer trust, and potential regulatory penalties.

• Operational Disruption:

  • Attackers using web shells may disrupt critical web services or cause downtime.

• Compliance and Regulatory Implications:

  • Compromised web servers may violate compliance regulations such as GDPR, HIPAA, or PCI DSS, leading to legal consequences.

Examples

Real-world examples of web shell attacks include:

• China Chopper Web Shell:

  • Minimalistic ASPX/PHP web shell widely used by advanced persistent threat (APT) groups.

  • Provides attackers with file management and command execution capabilities.

  • Used extensively by threat actors targeting government and enterprise organizations.

• C99 PHP Web Shell:

  • Popular PHP-based web shell with extensive capabilities, including file management, command execution, and database interaction.

  • Frequently used in attacks targeting vulnerable web applications and CMS platforms.

• Operation Cloud Hopper (APT10):

  • APT10 leveraged web shells extensively to maintain persistent access to compromised Managed Service Providers (MSPs) and cloud environments.

  • Attackers used web shells to move laterally, escalate privileges, and steal sensitive intellectual property.

• Magecart Attacks:

  • Attackers deployed web shells on compromised e-commerce websites to maintain persistent access, inject malicious JavaScript code, and steal customer payment card data.

• Exchange Server Attacks (ProxyLogon and ProxyShell):

  • Attackers exploited vulnerabilities in Microsoft Exchange servers (CVE-2021-26855, CVE-2021-34473) to deploy web shells for persistent access and lateral movement.

  • Web shells allowed threat actors to maintain access even after initial vulnerabilities were patched.

In these scenarios, attackers typically leveraged web shells for persistent access, data exfiltration, lateral movement, and privilege escalation, causing significant impacts to affected organizations in terms of financial loss, reputational damage, and regulatory consequences.