T1505.003 Web Shell

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW)

In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. China Chopper Web shell client).(Citation: Lee 2013)


CSA CCM Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AIS-05 | Automated Application Security Testing | mitigates | T1505.003 | Web Shell | |
Comments
The control outlines several testing approaches, including the use of automated tools, to identify and remediate vulnerabilities or weaknesses that can be exploited. Web shells provide attackers with unauthorized and persistent remote control over a compromised web server, allowing them to execute commands, manipulate files, and steal data. A web application is compromised when an attacker exploits a vulnerability to upload a malicious script, which then acts as a backdoor for ongoing malicious activity. Remediating the vulnerabilities that allow an attacker to upload a web shell can help mitigate this technique.