1. Home
  2. ATT&CK Techniques
  3. T1505.003 Web Shell

T1505.003 Web Shell

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW)

In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. China Chopper Web shell client).(Citation: Lee 2013)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.AA-01.01 Identity and credential management Mitigates T1505.003 Web Shell
Comments
This diagnostic statement protects against Web Shell through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References

    NIST 800-53 Mappings

    Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
    CM-06 Configuration Settings mitigates T1505.003 Web Shell
    RA-05 Vulnerability Monitoring and Scanning mitigates T1505.003 Web Shell
    CM-02 Baseline Configuration mitigates T1505.003 Web Shell
    SI-04 System Monitoring mitigates T1505.003 Web Shell
    AC-02 Account Management mitigates T1505.003 Web Shell
    AC-03 Access Enforcement mitigates T1505.003 Web Shell
    AC-05 Separation of Duties mitigates T1505.003 Web Shell
    AC-06 Least Privilege mitigates T1505.003 Web Shell

    VERIS Mappings

    Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
    action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1505.003 Web Shell
    action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1505.003 Web Shell

    Azure Mappings

    Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
    ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations technique_scores T1505.003 Web Shell
    Comments
    This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing modifications to the file system in Kubernetes containers which can mitigate adversaries installing web shells. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
    References
    1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/recommendations-reference-ai
    alerts_for_linux_machines Alerts for Linux Machines technique_scores T1505.003 Web Shell
    Comments
    This control may alert on usage of web shells. No documentation is provided on logic for this detection.
    References
    1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference#alerts-linux

    GCP Mappings

    Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
    cloud_ids Cloud IDS technique_scores T1505.003 Web Shell
    Comments
    Often used by adversaries to establish persistence, Palo Alto Network's threat signatures is able to detect programs that use an internet connection to provide remote access to a compromised internal system. Although there are multiple ways an attacker could establish unauthorized remote access to a compromised system, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against variations of these cyber-attacks.
    References
    1. ['https://cloud.google.com/intrusion-detection-system'
    2. 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures']
    google_secops Google Security Operations technique_scores T1505.003 Web Shell
    Comments
    Google Security Ops triggers an alert based on webshell connections which are used to establish persistent access to a compromised machine [backdoor]. For example: Detect webshell dropped into a keystore folder on the WebLogic server (`.*/config/keystore/.*\.js.*). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/webserver/oracle_weblogic_exploit.yaral
    References
    1. ['https://cloud.google.com/security/products/security-operations'
    2. 'https://cloud.google.com/chronicle/docs/secops/secops-overview'
    3. 'https://github.com/chronicle/detection-rules']
    security_command_center Security Command Center technique_scores T1505.003 Web Shell
    Comments
    SCC is able to detect attackers communicating with a compromised workload from a remote system (e.g., "web shell"). Because of the high threat detection coverage and near-real time temporal factor this control was graded as significant.
    References
    1. ['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview'
    2. 'https://github.com/GoogleCloudPlatform/security-analytics']