Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW)
In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. China Chopper Web shell client).(Citation: Lee 2013)
Platforms
Mitigations (2)
Disable or Remove Feature or ProgramM1042
Consider disabling functions from web technologies such as PHP’s evaI() that may be abused for web shells.(Citation: ITSyndicate Disabling PHP functions)
User Account ManagementM1018
Enforce the principle of least privilege by limiting privileges of user accounts so only authorized accounts can modify the web directory.(Citation: NSA and ASD Detect and Prevent Web Shells 2020)
Threat Groups (31)
| ID | Group | Context |
|---|---|---|
| G1012 | CURIUM | [CURIUM](https://attack.mitre.org/groups/G1012) has been linked to web shells following likely server compromise as an initial access vector into vict... |
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has commonly created Web shells on victims' publicly accessible email and web servers, which they u... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has used a modified and obfuscated version of the reGeorg web shell to maintain persistence on a target... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used web shells, often to maintain access to a victim network.(Citation: Unit42 OilRig Playbook 20... |
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has utilized obfuscated and open-source web shells such as JspSpy, reGeorg, MiniWebCmdShell, and Vonloe... |
| G0135 | BackdoorDiplomacy | [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) has used web shells to establish an initial foothold and for lateral movement within a vict... |
| G1030 | Agrius | [Agrius](https://attack.mitre.org/groups/G1030) typically deploys a variant of the [ASPXSpy](https://attack.mitre.org/software/S0073) web shell follow... |
| G0009 | Deep Panda | [Deep Panda](https://attack.mitre.org/groups/G0009) uses Web shells on publicly accessible Web servers to access victim networks.(Citation: CrowdStrik... |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has installed ANTAK and ASPXSPY web shells.(Citation: FireEye APT39 Jan 2019) |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has used [China Chopper](https://attack.mitre.org/software/S0020) web shells to maintain access... |
| G0123 | Volatile Cedar | [Volatile Cedar](https://attack.mitre.org/groups/G0123) can inject web shell code into a server.(Citation: CheckPoint Volatile Cedar March 2015)(Citat... |
| G0093 | GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) used Web shells to persist in victim environments and assist in execution and exfiltration.(Citation:... |
| G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has used a variety of Web shells.(Citation: Unit42 Emissary Panda May 2019) |
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has started a web service in the target host and wait for the adversary to connect, acting as ... |
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) deploys web shells following initial access for either follow-on command execution or protocol tun... |
| G0125 | HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has deployed multiple web shells on compromised servers including SIMPLESEESHARP, SPORTSBALL, [China ... |
| G1009 | Moses Staff | [Moses Staff](https://attack.mitre.org/groups/G1009) has dropped a web shell onto a compromised system.(Citation: Checkpoint MosesStaff Nov 2021) |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has used webshells including [P.A.S. Webshell](https://attack.mitre.org/software/S0598) to main... |
| G0117 | Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has installed web shells on compromised hosts to maintain access.(Citation: CISA AA20-259A Iran-Ba... |
| G0131 | Tonto Team | [Tonto Team](https://attack.mitre.org/groups/G0131) has used a first stage web shell after compromising a vulnerable Exchange server.(Citation: ESET E... |
Associated Software (22)
| ID | Name | Type | Context |
|---|---|---|---|
| S0598 | P.A.S. Webshell | Malware | [P.A.S. Webshell](https://attack.mitre.org/software/S0598) can gain remote access and execution on target web servers.(Citation: ANSSI Sandworm Januar... |
| S0072 | OwaAuth | Malware | [OwaAuth](https://attack.mitre.org/software/S0072) is a Web shell that appears to be exclusively used by [Threat Group-3390](https://attack.mitre.org/... |
| S9028 | PHPsert | Malware | [PHPsert](https://attack.mitre.org/software/S9028) can use the .php assert function to execute attacker-provided code and maintain persistence on targ... |
| S1115 | WIREFIRE | Malware | [WIREFIRE](https://attack.mitre.org/software/S1115) is a web shell that can download files to and execute arbitrary commands from compromised Ivanti C... |
| S9024 | SPAWNCHIMERA | Malware | [SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has created web shells that facilitate actions on the victim host.(Citation: CISA SPAWNCHIMERA... |
| S1118 | BUSHWALK | Malware | [BUSHWALK](https://attack.mitre.org/software/S1118) is a web shell that has the ability to execute arbitrary commands or write files.(Citation: Mandia... |
| S1110 | SLIGHTPULSE | Malware | [SLIGHTPULSE](https://attack.mitre.org/software/S1110) is a web shell that can read, write, and execute files on compromised servers.(Citation: Mandia... |
| S1119 | LIGHTWIRE | Malware | [LIGHTWIRE](https://attack.mitre.org/software/S1119) is a web shell capable of command execution and establishing persistence on compromised Ivanti Se... |
| S1112 | STEADYPULSE | Malware | [STEADYPULSE](https://attack.mitre.org/software/S1112) is a web shell that can enable the execution of arbitrary commands on compromised web servers.(... |
| S0073 | ASPXSpy | Malware | [ASPXSpy](https://attack.mitre.org/software/S0073) is a Web shell. The ASPXTool version used by [Threat Group-3390](https://attack.mitre.org/groups/G0... |
| S1108 | PULSECHECK | Malware | [PULSECHECK](https://attack.mitre.org/software/S1108) is a web shell that can enable command execution on compromised servers.(Citation: Mandiant Puls... |
| S1189 | Neo-reGeorg | Malware | [Neo-reGeorg](https://attack.mitre.org/software/S1189) can be installed on compromised web servers to tunnel C2 connections.(Citation: GitHub Neo-reGe... |
| S9014 | PHASEJAM | Malware | [PHASEJAM](https://attack.mitre.org/software/S9014) has inserted Perl-based web shells into legitimate files that provided threat actors with remote a... |
| S1120 | FRAMESTING | Malware | [FRAMESTING](https://attack.mitre.org/software/S1120) is a web shell capable of enabling arbitrary command execution on compromised Ivanti Connect Sec... |
| S1113 | RAPIDPULSE | Malware | [RAPIDPULSE](https://attack.mitre.org/software/S1113) is a web shell that is capable of arbitrary file read on targeted web servers to exfiltrate item... |
| S1188 | Line Runner | Malware | [Line Runner](https://attack.mitre.org/software/S1188) is a persistent Lua-based web shell.(Citation: CCCS ArcaneDoor 2024) |
| S0578 | SUPERNOVA | Malware | [SUPERNOVA](https://attack.mitre.org/software/S0578) is a Web shell.(Citation: Unit42 SUPERNOVA Dec 2020)(Citation: Guidepoint SUPERNOVA Dec 2020)(Cit... |
| S1163 | SnappyTCP | Malware | [SnappyTCP](https://attack.mitre.org/software/S1163) is a reverse TCP shell with command and control capabilities used for persistence purposes.(Citat... |
| S0185 | SEASHARPEE | Malware | [SEASHARPEE](https://attack.mitre.org/software/S0185) is a Web shell.(Citation: FireEye APT34 Webinar Dec 2017) |
| S0020 | China Chopper | Malware | [China Chopper](https://attack.mitre.org/software/S0020)'s server component is a Web Shell payload.(Citation: Lee 2013) |
Related CWE Weaknesses
References
- NSA Cybersecurity Directorate. (n.d.). Mitigating Web Shells. Retrieved July 22, 2021.
- Adair, S., Lancaster, T., Volexity Threat Research. (2022, June 15). DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach. Retrieved July 1, 2022.
- Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
- US-CERT. (2015, November 13). Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Retrieved June 8, 2016.
Frequently Asked Questions
What is T1505.003 (Web Shell)?
T1505.003 is a MITRE ATT&CK technique named 'Web Shell'. It belongs to the Persistence tactic(s). Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to a...
How can T1505.003 be detected?
Detection of T1505.003 (Web Shell) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1505.003?
There are 2 documented mitigations for T1505.003. Key mitigations include: Disable or Remove Feature or Program, User Account Management.
Which threat groups use T1505.003?
Known threat groups using T1505.003 include: CURIUM, Dragonfly, APT28, OilRig, FIN13, BackdoorDiplomacy, Agrius, Deep Panda.