T1505.003 · Sub-technique · persistence · agent-callable

T1505.003 Web Shell

Sub-technique of T1505

Platforms: Linux · Windows · macOS · Network

ATT&CK version: 14.1

What it is

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script placed on an openly accessible web server that allows an adversary to use the web server as a gateway into a network. A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server [3]. In addition to the server-side script, a web shell may have a client interface program that is used to talk to the web server (e.g., the [China Chopper](https://attack.mitre.org/software/S0020) web shell client) [4].

ATT&CK tactics (1)

Persistence

References

  1. MITRE ATT&CK, T1505.003 Web Shell: https://attack.mitre.org/techniques/T1505/003
  2. NSA Cybersecurity, Mitigating Web Shells: https://github.com/nsacyber/Mitigating-Web-Shells
  3. Volexity, DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach (2022): https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/
  4. Lee, T. (FireEye), Breaking Down the China Chopper Web Shell, Part I (2013): https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
  5. US-CERT, Alert TA15-314A: https://www.us-cert.gov/ncas/alerts/TA15-314A

Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.