Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.
In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (ex: China Chopper Web shell client).(Citation: Lee 2013)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
cloud_ids | Cloud IDS | technique_scores | T1505.003 | Web Shell |
Comments
Often used by adversaries to establish persistence, Palo Alto Network's threat signatures is able to detect programs that use an internet connection to provide remote access to a compromised internal system.
Although there are multiple ways an attacker could establish unauthorized remote access to a compromised system, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against variations of these cyber-attacks.
References
|
chronicle | Chronicle | technique_scores | T1505.003 | Web Shell |
Comments
Chronicle triggers an alert based on webshell connections which are used to establish persistent access to a compromised machine [backdoor].
For example: Detect webshell dropped into a keystore folder on the WebLogic server (`.*/config/keystore/.*\.js.*).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/webserver/oracle_weblogic_exploit.yaral
References
|
security_command_center | Security Command Center | technique_scores | T1505.003 | Web Shell |
Comments
SCC is able to detect attackers communicating with a compromised workload from a remote system (e.g., "web shell"). Because of the high threat detection coverage and near-real time temporal factor this control was graded as significant.
References
|