T1505.003 Web Shell
Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.[2]
In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. China Chopper Web shell client).[3]
Item | Value |
---|---|
ID | T1505.003 |
Sub-techniques | T1505.001, T1505.002, T1505.003, T1505.004, T1505.005 |
Tactics | TA0003 |
Platforms | Linux, Network, Windows, macOS |
Version | 1.3 |
Created | 13 December 2019 |
Last Modified | 30 March 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
G0007 | APT28 | APT28 has used a modified and obfuscated version of the reGeorg web shell to maintain persistence on a target’s Outlook Web Access (OWA) server.[34] |
G0016 | APT29 | APT29 has installed web shells on exploited Microsoft Exchange servers.[41] |
G0050 | APT32 | APT32 has used Web shells to maintain access to victim websites.[26] |
G0082 | APT38 | APT38 has used web shells for persistence or to ensure redundant access.[15] |
G0087 | APT39 | APT39 has installed ANTAK and ASPXSPY web shells.[36] |
S0073 | ASPXSpy | ASPXSpy is a Web shell. The ASPXTool version used by Threat Group-3390 has been deployed to accessible servers running Internet Information Services (IIS).[7] |
G0135 | BackdoorDiplomacy | BackdoorDiplomacy has used web shells to establish an initial foothold and for lateral movement within a victim’s system.[31] |
C0017 | C0017 | During C0017, APT41 deployed JScript web shells through the creation of malicious ViewState objects.[44] |
S0020 | China Chopper | China Chopper’s server component is a Web Shell payload.[3] |
G0009 | Deep Panda | Deep Panda uses Web shells on publicly accessible Web servers to access victim networks.[32] |
G0035 | Dragonfly | Dragonfly has commonly created Web shells on victims’ publicly accessible email and web servers, which they used to maintain access to a victim network and download additional malicious files.[33] |
G0117 | Fox Kitten | Fox Kitten has installed web shells on compromised hosts to maintain access.[27][28] |
G0093 | GALLIUM | GALLIUM used Web shells to persist in victim environments and assist in execution and exfiltration.[29][30] |
G0125 | HAFNIUM | HAFNIUM has deployed multiple web shells on compromised servers including SIMPLESEESHARP, SPORTSBALL, China Chopper, and ASPXSpy.[22][20][18][21][19] |
G0094 | Kimsuky | Kimsuky has used modified versions of open source PHP web shells to maintain access, often adding “Dinosaur” references within the code.[43] |
G0065 | Leviathan | Leviathan relies on web shells for an initial foothold as well as persistence into the victim’s systems.[39][40] |
G0059 | Magic Hound | Magic Hound has used multiple web shells to gain execution.[24][23] |
G1009 | Moses Staff | Moses Staff has dropped a web shell onto a compromised system.[35] |
G0049 | OilRig | OilRig has used web shells, often to maintain access to a victim network.[38][8][37] |
C0012 | Operation CuckooBees | During Operation CuckooBees, the threat actors generated a web shell within a vulnerable Enterprise Resource Planning Web Application Server as a persistence mechanism.[46] |
C0014 | Operation Wocao | During Operation Wocao, threat actors used their own web shells, as well as those previously placed on target systems by other threat actors, for reconnaissance and lateral movement.[45] |
S0072 | OwaAuth | OwaAuth is a Web shell that appears to be exclusively used by Threat Group-3390. It is installed as an ISAPI filter on Exchange servers and shares characteristics with the China Chopper Web shell.[7] |
S0598 | P.A.S. Webshell | P.A.S. Webshell can gain remote access and execution on target web servers.[9] |
G0034 | Sandworm Team | Sandworm Team has used webshells including P.A.S. Webshell to maintain access to victim networks.[9] |
S0185 | SEASHARPEE | SEASHARPEE is a Web shell.[8] |
S0578 | SUPERNOVA | SUPERNOVA is a Web shell.[10][11][12] |
G0088 | TEMP.Veles | TEMP.Veles has planted Web shells on Outlook Exchange servers.[13] |
G0027 | Threat Group-3390 | Threat Group-3390 has used a variety of Web shells.[25] |
G0131 | Tonto Team | Tonto Team has used a first stage web shell after compromising a vulnerable Exchange server.[42] |
G0081 | Tropic Trooper | Tropic Trooper has started a web service on the target host and waited for the adversary to connect, the service acting as a web shell.[14] |
G0123 | Volatile Cedar | Volatile Cedar can inject web shell code into a server.[16][17] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1042 | Disable or Remove Feature or Program | Consider disabling functions from web technologies such as PHP’s eval() that may be abused for web shells.[6] |
M1018 | User Account Management | Enforce the principle of least privilege by limiting privileges of user accounts so only authorized accounts can modify the web directory.[5] |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0015 | Application Log | Application Log Content |
DS0022 | File | File Creation |
DS0029 | Network Traffic | Network Traffic Content |
DS0009 | Process | Process Creation |
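Two of the data components above, Process Creation and File Creation, turned into concrete checks. This is an added example and not part of the ATT&CK page: the event field names (Sysmon-style `image`, `parent_image`, `target_path`), the process-name and extension lists, the web roots and every sample event are assumptions constructed for the demonstration.

```python
# Added example, not from the ATT&CK page; event layouts and all sample values are constructed.

# Web-server worker processes; a command interpreter spawned by one of these is rare.
WEB_SERVER_PROCS = {"w3wp.exe", "httpd", "apache2", "nginx", "php-fpm"}
# Child processes a web worker should not normally launch.
INTERPRETERS = {"cmd.exe", "powershell.exe", "sh", "bash", "dash"}
# Extensions that execute server-side once dropped into a web root.
SCRIPT_EXTS = {".php", ".asp", ".aspx", ".ashx", ".jsp", ".jspx", ".cfm"}
# Watched document roots (sample, lower-cased) and tools allowed to write scripts there.
WEB_ROOTS = ("/var/www/", "c:\\inetpub\\wwwroot\\")
DEPLOY_TOOLS = {"rsync", "git", "msdeploy.exe"}

def basename(path):
    """Lower-cased file name of a POSIX or Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def suspicious_process_events(events):
    """Process Creation: a web-server worker spawning a shell or command interpreter."""
    return [ev for ev in events
            if basename(ev["parent_image"]) in WEB_SERVER_PROCS
            and basename(ev["image"]) in INTERPRETERS]

def suspicious_file_events(events):
    """File Creation: server-side script written under a web root by a non-deployment tool."""
    hits = []
    for ev in events:
        name = basename(ev["target_path"])
        ext = name[name.rfind("."):] if "." in name else ""
        in_root = ev["target_path"].lower().startswith(WEB_ROOTS)
        if in_root and ext in SCRIPT_EXTS and basename(ev["image"]) not in DEPLOY_TOOLS:
            hits.append(ev)
    return hits

def triage(events):
    """Run both detections over a mixed event list; hits are keyed by data component."""
    return {"process": suspicious_process_events([e for e in events if e["kind"] == "process"]),
            "file": suspicious_file_events([e for e in events if e["kind"] == "file"])}

SAMPLE_EVENTS = [  # constructed Sysmon/auditd-style records, not real telemetry
    {"kind": "process", "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "image": "C:\\Windows\\System32\\cmd.exe"},
    {"kind": "process", "parent_image": "/usr/sbin/apache2", "image": "/bin/sh"},
    {"kind": "process", "parent_image": "/bin/bash", "image": "/usr/bin/git"},
    {"kind": "file", "image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "target_path": "C:\\inetpub\\wwwroot\\aspnet_client\\help.aspx"},
    {"kind": "file", "image": "/usr/bin/rsync", "target_path": "/var/www/html/index.php"},
    {"kind": "file", "image": "/usr/sbin/apache2", "target_path": "/var/www/html/up/photo.jpg"},
]

if __name__ == "__main__":  # stand-alone run lists the image of each hit per component
    for component, hits in triage(SAMPLE_EVENTS).items():
        print(component, [ev["image"] for ev in hits])
```

The allow-list of deployment tools and the root list are the tuning points: a web worker writing a script file, or spawning an interpreter, is the signal, while legitimate deployments and static uploads fall out.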
References
- NSA Cybersecurity Directorate. (n.d.). Mitigating Web Shells. Retrieved July 22, 2021.
- Adair, S., Lancaster, T., Volexity Threat Research. (2022, June 15). DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach. Retrieved July 1, 2022.
- Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
- US-CERT. (2015, November 13). Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Retrieved June 8, 2016.
- NSA and ASD. (2020, April 3). Detect and Prevent Web Shell Malware. Retrieved July 23, 2021.
- Kondratiev, A. (n.d.). Disabling dangerous PHP functions. Retrieved July 26, 2021.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
- Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
- ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
- Tennis, M. (2020, December 17). SUPERNOVA: A Novel .NET Webshell. Retrieved February 22, 2021.
- Riley, W. (2020, December 1). SUPERNOVA SolarWinds .NET Webshell Analysis. Retrieved February 18, 2021.
- CISA. (2021, January 27). Malware Analysis Report (AR21-027A). Retrieved February 22, 2021.
- Miller, S., et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
- Chen, J. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
- DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
- Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.
- ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.
- Bromiley, M., et al. (2021, March 4). Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities. Retrieved March 9, 2021.
- Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022.
- Gruzweig, J., et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
- Microsoft Threat Intelligence Team & Detection and Response Team. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022.
- MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
- DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
- DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
- Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
- Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.
- CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
- ClearSky. (2020, December 17). Pay2Key Ransomware – A New Campaign by Fox Kitten. Retrieved December 21, 2020.
- Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
- MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
- Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.
- RYANJ. (2014, February 20). Mo’ Shells Mo’ Problems – Deep Panda Web Shells. Retrieved September 16, 2015.
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
- Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
- Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
- Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
- Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.
- Plan, F., et al. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019.
- CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
- NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
- Faou, M., Tartare, M., Dupuy, T. (2021, March 10). Exchange servers under siege from at least 10 APT groups. Retrieved May 21, 2021.
- CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
- Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.