T1505.003 Web Shell Mappings

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script placed on an openly accessible web server that allows an adversary to use the web server as a gateway into a network. A web shell may provide a set of functions to execute, or a command-line interface, on the system that hosts the web server.

In addition to the server-side script, a web shell may have a client interface program that is used to talk to the web server (e.g., the China Chopper web shell client). (Lee 2013)

Azure Mappings

Capability ID: azure_security_center_recommendations
Capability Description: Azure Security Center Recommendations
Mapping Type: technique_scores
ATT&CK ID: T1505.003
ATT&CK Name: Web Shell
Comments: This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can prevent modifications to the file system in Kubernetes containers, which can mitigate adversaries installing web shells. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References: none listed

Capability ID: linux_auditd_alerts_and_log_analytics_agent_integration
Capability Description: Linux auditd alerts and Log Analytics agent integration
Mapping Type: technique_scores
ATT&CK ID: T1505.003
ATT&CK Name: Web Shell
Comments: This control may alert on usage of web shells. No documentation is provided on the logic for this detection.
References: none listed

Capability ID: azure_sentinel
Capability Description: Azure Sentinel
Mapping Type: technique_scores
ATT&CK ID: T1505.003
ATT&CK Name: Web Shell
Comments: The Azure Sentinel Hunting queries "Web shell command alert enrichment", "Web shell Detection", and "Web shell file alert enrichment" can identify potentially malicious activity via web shell.
References: none listed
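The immutable root filesystem recommendation from the first mapping, shown as an added example that is not part of the mapping project or of Azure's documentation: a Pod spec with the default writable root filesystem next to the same Pod hardened with `readOnlyRootFilesystem`, so that a script dropped into the web root baked into the image cannot be written. The image name and the writable paths are assumptions.

```yaml
# Added example (not from the mapping project): weak default vs. hardened Pod.
# Image name and writable paths are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: web-writable          # weak: root filesystem is writable by default
spec:
  containers:
    - name: web
      image: example.com/web-app:1.0   # assumed image
      ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Pod
metadata:
  name: web-immutable         # hardened: image filesystem cannot be modified
spec:
  containers:
    - name: web
      image: example.com/web-app:1.0   # assumed image
      ports:
        - containerPort: 8080
      securityContext:
        readOnlyRootFilesystem: true   # writes to the image filesystem fail
        allowPrivilegeEscalation: false
      volumeMounts:
        # Only the paths the application genuinely needs to write stay
        # writable (assumed paths); everything else, including the web root
        # shipped in the image, is read-only for the life of the Pod.
        - name: tmp
          mountPath: /tmp
        - name: cache
          mountPath: /var/cache/web-app
  volumes:
    - name: tmp
      emptyDir: {}
    - name: cache
      emptyDir: {}
```

The control only makes the image's filesystem immutable, so keep writable volumes outside any directory the web server serves or executes scripts from; a writable mount under the document root would remain a location where a dropped script could persist.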