1. Home
  2. ATT&CK Techniques
  3. T1505.003 Web Shell

T1505.003 Web Shell

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.

In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (ex: China Chopper Web shell client).(Citation: Lee 2013)

View in MITRE ATT&CK®

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
cloud_ids Cloud IDS technique_scores T1505.003 Web Shell
Comments
Often used by adversaries to establish persistence, Palo Alto Network's threat signatures is able to detect programs that use an internet connection to provide remote access to a compromised internal system. Although there are multiple ways an attacker could establish unauthorized remote access to a compromised system, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against variations of these cyber-attacks.
References
  1. https://cloud.google.com/intrusion-detection-system
  2. https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures
chronicle Chronicle technique_scores T1505.003 Web Shell
Comments
Chronicle triggers an alert based on webshell connections which are used to establish persistent access to a compromised machine [backdoor]. For example: Detect webshell dropped into a keystore folder on the WebLogic server (`.*/config/keystore/.*\.js.*). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/webserver/oracle_weblogic_exploit.yaral
References
  1. https://cloud.google.com/chronicle/docs/overview
  2. https://github.com/chronicle/detection-rules
security_command_center Security Command Center technique_scores T1505.003 Web Shell
Comments
SCC is able to detect attackers communicating with a compromised workload from a remote system (e.g., "web shell"). Because of the high threat detection coverage and near-real time temporal factor this control was graded as significant.
References
  1. https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview
  2. https://github.com/GoogleCloudPlatform/security-analytics