T1505.003 Web Shell Mappings

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.

In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (ex: China Chopper Web shell client).(Citation: Lee 2013)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
CVE-2020-3240 Cisco UCS Director primary_impact T1505.003 Web Shell
CVE-2020-15189 soycms primary_impact T1505.003 Web Shell
CVE-2020-11010 tortoise-orm secondary_impact T1505.003 Web Shell
CVE-2020-5297 october primary_impact T1505.003 Web Shell
CVE-2020-12029 FactoryTalk View SE primary_impact T1505.003 Web Shell
CVE-2019-18234 Equinox Control Expert secondary_impact T1505.003 Web Shell
CVE-2012-6498 n/a uncategorized T1505.003 Web Shell
CVE-2018-2894 WebLogic Server uncategorized T1505.003 Web Shell
CVE-2012-6081 n/a uncategorized T1505.003 Web Shell
CVE-2011-4106 n/a uncategorized T1505.003 Web Shell
CVE-2018-15961 ColdFusion uncategorized T1505.003 Web Shell
CVE-2016-3088 n/a uncategorized T1505.003 Web Shell
CVE-2013-5576 n/a uncategorized T1505.003 Web Shell
action.hacking.variety.Use of backdoor or C2 Use of Backdoor or C2 channel related-to T1505.003 Server Software Component: Web Shell
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1505.003 Server Software Component: Web Shell
action.malware.variety.Backdoor Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' related-to T1505.003 Server Software Component: Web Shell