Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW)
In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. China Chopper Web shell client).(Citation: Lee 2013)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-02 | Account Management | Protects | T1505.003 | Web Shell |
AC-03 | Access Enforcement | Protects | T1505.003 | Web Shell |
AC-05 | Separation of Duties | Protects | T1505.003 | Web Shell |
AC-06 | Least Privilege | Protects | T1505.003 | Web Shell |
CM-02 | Baseline Configuration | Protects | T1505.003 | Web Shell |
CM-06 | Configuration Settings | Protects | T1505.003 | Web Shell |
RA-05 | Vulnerability Monitoring and Scanning | Protects | T1505.003 | Web Shell |
SI-04 | System Monitoring | Protects | T1505.003 | Web Shell |