Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.
In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (ex: China Chopper Web shell client).(Citation: Lee 2013)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CVE-2020-3240 | Cisco UCS Director | primary_impact | T1505.003 | Web Shell | |
CVE-2020-15189 | soycms | primary_impact | T1505.003 | Web Shell | |
CVE-2020-11010 | tortoise-orm | secondary_impact | T1505.003 | Web Shell | |
CVE-2020-5297 | october | primary_impact | T1505.003 | Web Shell | |
CVE-2020-12029 | FactoryTalk View SE | primary_impact | T1505.003 | Web Shell | |
CVE-2019-18234 | Equinox Control Expert | secondary_impact | T1505.003 | Web Shell | |
CVE-2012-6498 | n/a | uncategorized | T1505.003 | Web Shell | |
CVE-2018-2894 | WebLogic Server | uncategorized | T1505.003 | Web Shell | |
CVE-2012-6081 | n/a | uncategorized | T1505.003 | Web Shell | |
CVE-2011-4106 | n/a | uncategorized | T1505.003 | Web Shell | |
CVE-2018-15961 | ColdFusion | uncategorized | T1505.003 | Web Shell | |
CVE-2016-3088 | n/a | uncategorized | T1505.003 | Web Shell | |
CVE-2013-5576 | n/a | uncategorized | T1505.003 | Web Shell |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Use of backdoor or C2 | Use of Backdoor or C2 channel | related-to | T1505.003 | Server Software Component: Web Shell | |
action.hacking.vector.Backdoor or C2 | Backdoor or command and control channel | related-to | T1505.003 | Server Software Component: Web Shell | |
action.malware.variety.Backdoor | Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' | related-to | T1505.003 | Server Software Component: Web Shell |