T1505.003 Web Shell
Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.
In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g., the China Chopper Web shell client).[1]
Item | Value |
---|---|
ID | T1505.003 |
Sub-techniques | T1505.001, T1505.002, T1505.003, T1505.004, T1505.005 |
Tactics | TA0003 |
CAPEC ID | CAPEC-650 |
Platforms | Linux, Windows, macOS |
Permissions required | SYSTEM, User |
Version | 1.2 |
Created | 13 December 2019 |
Last Modified | 26 July 2021 |
Procedure Examples
ID | Name | Description |
---|---|---|
G0007 | APT28 | APT28 has used a modified and obfuscated version of the reGeorg web shell to maintain persistence on a target’s Outlook Web Access (OWA) server.[30] |
G0016 | APT29 | APT29 has installed web shells on exploited Microsoft Exchange servers.[28] |
G0050 | APT32 | APT32 has used Web shells to maintain access to victim websites.[13] |
G0082 | APT38 | APT38 has used web shells for persistence or to ensure redundant access.[21] |
G0087 | APT39 | APT39 has installed ANTAK and ASPXSPY web shells.[34] |
S0073 | ASPXSpy | ASPXSpy is a Web shell. The ASPXTool version used by Threat Group-3390 has been deployed to accessible servers running Internet Information Services (IIS).[9] |
G0135 | BackdoorDiplomacy | BackdoorDiplomacy has used web shells to establish an initial foothold and for lateral movement within a victim’s system.[36] |
S0020 | China Chopper | China Chopper's server component is a Web Shell payload.[1] |
G0009 | Deep Panda | Deep Panda uses Web shells on publicly accessible Web servers to access victim networks.[35] |
G0035 | Dragonfly | Dragonfly has commonly created Web shells on victims’ publicly accessible email and web servers, which they used to maintain access to a victim network and download additional malicious files.[31] |
G0117 | Fox Kitten | Fox Kitten has installed web shells on compromised hosts to maintain access.[37][38] |
G0093 | GALLIUM | GALLIUM used Web shells to persist in victim environments and assist in execution and exfiltration.[32][33] |
G0125 | HAFNIUM | HAFNIUM has deployed multiple web shells on compromised servers including SIMPLESEESHARP, SPORTSBALL, China Chopper, and ASPXSpy.[14][15][16] |
G0094 | Kimsuky | Kimsuky has used modified versions of open source PHP web shells to maintain access, often adding “Dinosaur” references within the code.[26] |
G0065 | Leviathan | Leviathan relies on web shells for an initial foothold as well as persistence into the victim’s systems.[18][19] |
G0049 | OilRig | OilRig has used web shells, often to maintain access to a victim network.[24][10][25] |
G0116 | Operation Wocao | Operation Wocao has used their own web shells, as well as those previously placed on target systems by other threat actors, for reconnaissance and lateral movement.[12] |
S0072 | OwaAuth | OwaAuth is a Web shell that appears to be exclusively used by Threat Group-3390. It is installed as an ISAPI filter on Exchange servers and shares characteristics with the China Chopper Web shell.[9] |
S0598 | P.A.S. Webshell | P.A.S. Webshell can gain remote access and execution on target web servers.[11] |
G0034 | Sandworm Team | Sandworm Team has used web shells including P.A.S. Webshell to maintain access to victim networks.[11] |
S0185 | SEASHARPEE | SEASHARPEE is a Web shell.[10] |
S0578 | SUPERNOVA | SUPERNOVA is a Web shell.[6][7][8] |
G0088 | TEMP.Veles | TEMP.Veles has planted Web shells on Outlook Exchange servers.[29] |
G0027 | Threat Group-3390 | Threat Group-3390 has used a variety of Web shells.[20] |
G0131 | Tonto Team | Tonto Team has used a first stage web shell after compromising a vulnerable Exchange server.[27] |
G0081 | Tropic Trooper | Tropic Trooper has started a web service on the target host and waited for the adversary to connect, with the service acting as a web shell.[17] |
G0123 | Volatile Cedar | Volatile Cedar can inject web shell code into a server.[22][23] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1042 | Disable or Remove Feature or Program | Consider disabling functions from web technologies such as PHP’s eval() that may be abused for web shells.[4] |
M1018 | User Account Management | Enforce the principle of least privilege by limiting privileges of user accounts so only authorized accounts can modify the web directory.[5] |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0015 | Application Log | Application Log Content |
DS0022 | File | File Creation |
DS0029 | Network Traffic | Network Traffic Content |
DS0009 | Process | Process Creation |
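The four data components above map onto concrete checks a defender can run over telemetry. The block below is an added example, not part of the ATT&CK page: it applies one rule per data component (web server worker spawning a shell, new script written under a web root, repeated referrer-less POSTs to a script) to constructed sample events; all process names, paths, addresses and log lines are invented for the illustration.

```python
import re
from collections import Counter
# Constructed telemetry for this example: process/file events and Common Log Format access lines.
PROCESS_EVENTS = [
    {"parent": "w3wp.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe"},
]
FILE_EVENTS = [
    {"path": "C:\\inetpub\\wwwroot\\aspnet_client\\help.aspx", "user": "IIS APPPOOL\\DefaultAppPool"},
    {"path": "/var/www/html/images/logo.png", "user": "www-data"},
]
ACCESS_LOG = [
    '203.0.113.5 - - [01/Jan/2021:10:00:01 +0000] "POST /aspnet_client/help.aspx HTTP/1.1" 200 512 "-" "python-requests/2.25"',
    '198.51.100.7 - - [01/Jan/2021:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 3021 "https://example.test/" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2021:10:00:03 +0000] "POST /aspnet_client/help.aspx HTTP/1.1" 200 480 "-" "python-requests/2.25"',
]
WEB_SERVER_PROCS = {"w3wp.exe", "httpd", "apache2", "nginx", "php-fpm", "java"}
SHELL_PROCS = {"cmd.exe", "powershell.exe", "sh", "bash", "whoami.exe", "net.exe"}
SCRIPT_EXT = re.compile(r"\.(aspx?|ashx|asmx|php\d?|phtml|jspx?)$", re.I)
WEB_ROOTS = ("C:\\inetpub\\wwwroot\\", "/var/www/")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) \d+ "([^"]*)" "([^"]*)"$')

def check_process(event):
    """Process Creation: the web server worker itself spawning a shell or recon tool."""
    if event["parent"].lower() in WEB_SERVER_PROCS and event["image"].lower() in SHELL_PROCS:
        return f"{event['parent']} spawned {event['image']}: {event['cmdline']}"
    return None

def check_file(event):
    """File Creation: a new server-side script under a web root, written by the web server's account."""
    if event["path"].startswith(WEB_ROOTS) and SCRIPT_EXT.search(event["path"]):
        return f"script created in web root by {event['user']}: {event['path']}"
    return None

def suspicious_posts(lines, min_posts=2):
    """Application Log / Network Traffic Content: repeated referrer-less POSTs from one client
    to a script, the access pattern of a shell driven by a client program rather than a browser."""
    hits = Counter()
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            src, method, path, _status, referer, _ua = m.groups()
            if method == "POST" and referer == "-" and SCRIPT_EXT.search(path.split("?")[0]):
                hits[(src, path)] += 1
    return {key: n for key, n in hits.items() if n >= min_posts}

def run(process_events, file_events, access_log):
    alerts = [a for a in map(check_process, process_events) if a]
    alerts += [a for a in map(check_file, file_events) if a]
    alerts += [f"{n} referrer-less POSTs from {s} to {p}" for (s, p), n in suspicious_posts(access_log).items()]
    return alerts
```

Against the constructed data, `run(PROCESS_EVENTS, FILE_EVENTS, ACCESS_LOG)` yields three alerts, one per rule, while the explorer.exe process, the PNG file and the browser GET pass untouched.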
References
- [1] Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
- [2] NSA Cybersecurity Directorate. (n.d.). Mitigating Web Shells. Retrieved July 22, 2021.
- [3] US-CERT. (2015, November 13). Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Retrieved June 8, 2016.
- [4] Kondratiev, A. (n.d.). Disabling dangerous PHP functions. Retrieved July 26, 2021.
- [5] NSA and ASD. (2020, April 3). Detect and Prevent Web Shell Malware. Retrieved July 23, 2021.
- [6] Tennis, M. (2020, December 17). SUPERNOVA: A Novel .NET Webshell. Retrieved February 22, 2021.
- [7] Riley, W. (2020, December 1). SUPERNOVA SolarWinds .NET Webshell Analysis. Retrieved February 18, 2021.
- [8] CISA. (2021, January 27). Malware Analysis Report (AR21-027A). Retrieved February 22, 2021.
- [9] Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
- [10] Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
- [11] ANSSI. (2021, January 27). Sandworm Intrusion Set Campaign Targeting Centreon Systems. Retrieved March 30, 2021.
- [12] Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- [13] Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.
- [14] MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
- [15] Gruzweig, J., et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
- [16] Bromiley, M., et al. (2021, March 4). Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities. Retrieved March 9, 2021.
- [17] Chen, J. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments. Retrieved May 20, 2020.
- [18] Plan, F., et al. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019.
- [19] CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
- [20] Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
- [21] DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
- [22] Threat Intelligence and Research. (2015, March 30). Volatile Cedar. Retrieved February 8, 2021.
- [23] ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.
- [24] Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
- [25] CrowdStrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
- [26] CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
- [27] Faou, M., Tartare, M., Dupuy, T. (2021, March 10). Exchange servers under siege from at least 10 APT groups. Retrieved May 21, 2021.
- [28] NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
- [29] Miller, S., et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
- [30] NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
- [31] US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- [32] Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
- [33] MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
- [34] Hawley, et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
- [35] RYANJ. (2014, February 20). Mo’ Shells Mo’ Problems – Deep Panda Web Shells. Retrieved September 16, 2015.
- [36] Burgher, A. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.
- [37] CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
- [38] ClearSky. (2020, December 17). Pay2Key Ransomware – A New Campaign by Fox Kitten. Retrieved December 21, 2020.