Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW)
In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. China Chopper Web shell client).(Citation: Lee 2013)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1505.003 | Web Shell |
| AC-3 | Access Enforcement | Protects | T1505.003 | Web Shell |
| AC-5 | Separation of Duties | Protects | T1505.003 | Web Shell |
| AC-6 | Least Privilege | Protects | T1505.003 | Web Shell |
| CM-2 | Baseline Configuration | Protects | T1505.003 | Web Shell |
| CM-6 | Configuration Settings | Protects | T1505.003 | Web Shell |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1505.003 | Web Shell |
| SI-4 | System Monitoring | Protects | T1505.003 | Web Shell |
| action.malware.variety.Backdoor | Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. | related-to | T1505.003 | Server Software Component: Web Shell |
| action.malware.variety.Backdoor or C2 | Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. | related-to | T1505.003 | Server Software Component: Web Shell |