This micro emulation plan targets malicious activity surrounding T1505.003 Web Shell. Web shells are malware placed on compromised web (or other network-accessible) servers, often used as a persistent backdoor into a network. Once planted, adversaries may execute arbitrary commands/functions on the victim server through an HTTP(S) communication channel with the web shell. Various threat actors have abused web shells targeting both Windows and Linux infrastructure.
Table Of Contents:
- Description of Emulated Behaviors
- Cyber Threat Intel / Background
- Execution Instructions / Resources
- Defensive Lessons Learned
What are we doing? This module provides an easy-to-execute tool for installing, connecting to, and running commands through various web shells. The emulation plan supports several variants of web shells, each of which:
- Plant a malicious file in a web directory
- Connect to the web shell over a user-defined network socket
- Execute a series of user-defined shell commands (the default set performs local discovery) through the web server process
Why you should care? Web shells are a constant threat to organizations, as this type of malware has been frequently deployed across many different types of intrusions. After identifying exploitable vulnerabilities or configurations (e.g. T1190 Exploit Public-Facing Application via procedures such as SQL injection, remote/local file inclusion, and unrestricted file upload vulnerabilities), threat actors often deploy web shells onto compromised Internet-facing or internal infrastructure to enable remote execution of commands. Adversaries can then use these web shells as a persistent backdoor into the network, and as a pivot from which to upload additional malware and to locate and harvest data from other internal hosts.
Web shells are typically small scripts and have been utilized by a wide range of threats, notably:
- S0020 China Chopper utilized by Chinese and Iranian actors
- S0073 ASPXSpy utilized by Chinese and Iranian actors
- Various implementations by Russian state actors, including G0007 APT28, G0016 APT29, G0035 Dragonfly, G0034 Sandworm Team, and G0088 TEMP.Veles.
This repository includes two web shells with separate instructions. These instructions assume that you received the executables in a zip archive.
- A Windows web shell: README_windows_webshell.md
- A PHP web shell for a Linux web server: README_linux_php_webshell.md
Monitor and audit changes to files within exposed web directories (including file modification timestamps), especially those that do not align with expected changes from administrator activity. Baselining these directories and files may help change tracking and management; because modification timestamps can be reset by an adversary (timestomping), compare file content hashes against the baseline rather than relying on timestamps alone. Monitor processes spawning from web directories and web server users/accounts, especially processes potentially associated with malicious adversary commands and/or rarely launched by web services (for example a command interpreter or discovery utility whose parent is the web server worker process).
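The two checks described above, as an added example that is not part of the emulation plan's own code: a content-hash baseline of a web root that reports added, modified and timestomped files, and a process-ancestry check that flags shells or discovery utilities whose parent is a web server worker. The web root is a throwaway temporary directory and the process records are constructed inline; the process names in the two sets are a starting point, not an exhaustive list.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Added example; not the emulation plan's code. Everything below runs offline on
# constructed data: a temporary "web root" and a handful of made-up process records.


def baseline_dir(root):
    """Return {relative_path: (sha256_hex, mtime_seconds)} for every file under root."""
    root = Path(root)
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = str(path.relative_to(root))
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[rel] = (digest, int(path.stat().st_mtime))
    return manifest


def diff_baseline(old, new):
    """Classify changes between two manifests produced by baseline_dir()."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in old.keys() & new.keys() if old[p][0] != new[p][0])
    # Content changed but mtime did not: the timestamp was reset after the edit,
    # which is exactly the case a timestamp-only audit would miss.
    timestomped = sorted(p for p in modified if old[p][1] == new[p][1])
    return {"added": added, "removed": removed, "modified": modified, "timestomped": timestomped}


# Process names that should rarely, if ever, spawn children like these.
WEB_SERVER_PROCS = {"httpd", "apache2", "nginx", "php-fpm", "w3wp.exe", "tomcat"}
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "cmd.exe", "powershell.exe", "whoami",
                       "whoami.exe", "net.exe", "ipconfig.exe", "ifconfig", "curl", "wget"}


def flag_processes(events):
    """events: iterable of dicts with 'parent' and 'image' keys. Return the flagged ones."""
    return [e for e in events
            if e["parent"] in WEB_SERVER_PROCS and e["image"] in SUSPICIOUS_CHILDREN]


# Constructed process-creation records (Sysmon/auditd-style, reduced to the fields used).
SAMPLE_EVENTS = [
    {"parent": "apache2", "image": "sh", "user": "www-data", "cmdline": "sh -c whoami"},
    {"parent": "apache2", "image": "php-fpm", "user": "www-data", "cmdline": "php-fpm: pool www"},
    {"parent": "w3wp.exe", "image": "cmd.exe", "user": "IIS APPPOOL\\DefaultAppPool",
     "cmdline": "cmd.exe /c net user"},
    {"parent": "sshd", "image": "bash", "user": "admin", "cmdline": "-bash"},
]


def demo():
    """Baseline a throwaway web root, plant a file, edit and timestomp another, report the diff."""
    with tempfile.TemporaryDirectory() as webroot:
        root = Path(webroot)
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { margin: 0; }")
        before = baseline_dir(root)

        # Simulated adversary activity: a new script in a static directory, plus an
        # edit to a legitimate file whose mtime is then reset to its original value.
        (root / "css" / "cache.php").write_text("<?php /* planted web shell placeholder */ ?>")
        original_mtime = (root / "index.php").stat().st_mtime
        (root / "index.php").write_text("<?php include 'css/cache.php'; echo 'hello'; ?>")
        os.utime(root / "index.php", (original_mtime, original_mtime))

        return diff_baseline(before, baseline_dir(root))


if __name__ == "__main__":
    print(demo())
    for e in flag_processes(SAMPLE_EVENTS):
        print("suspicious child:", e["parent"], "->", e["image"], "as", e["user"])
```

In production the baseline would be taken from a known-good deployment and stored off-host, and the process check would run over the endpoint's process-creation telemetry rather than a list; the logic is the same.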
Image source: NSA Cybersecurity Information: Detect and Prevent Web Shell Malware
Also consider monitoring third-party application logs for signs of abuse, such as uncommon or unexpected user logins and activity. Application logs as well as network traffic and web access monitoring may reveal anomalous patterns of activity highlighting adversaries abusing a web shell on a server: a script that is only ever requested with POST, by one or two client addresses, with no Referer header and a non-browser User-Agent, is a typical pattern.
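The web access log heuristics just described, as an added example (not the emulation plan's or NSA's code) run over a few constructed Apache/nginx "combined" format lines. It aggregates per-URI facts and flags a script when at least three of four indicators hold: POST-only traffic, few distinct client IPs, no Referer ever, and no browser-like User-Agent. The sample log, the threshold of three and the script extension list are assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Added example; not the emulation plan's code. The log lines below are constructed.
COMBINED_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2023:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "https://www.example.test/" "Mozilla/5.0 (Windows NT 10.0) Firefox/110.0"
203.0.113.11 - - [12/Mar/2023:10:00:07 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/110.0"
203.0.113.12 - - [12/Mar/2023:10:01:20 +0000] "GET /index.php?page=2 HTTP/1.1" 200 4890 "https://www.example.test/index.php" "Mozilla/5.0 (Macintosh) Safari/605.1"
203.0.113.10 - - [12/Mar/2023:10:02:00 +0000] "POST /login.php HTTP/1.1" 302 0 "https://www.example.test/index.php" "Mozilla/5.0 (Windows NT 10.0) Firefox/110.0"
203.0.113.11 - - [12/Mar/2023:10:02:31 +0000] "POST /login.php HTTP/1.1" 302 0 "https://www.example.test/index.php" "Mozilla/5.0 (X11; Linux x86_64) Chrome/110.0"
203.0.113.12 - - [12/Mar/2023:10:03:05 +0000] "POST /login.php HTTP/1.1" 200 1200 "https://www.example.test/index.php" "Mozilla/5.0 (Macintosh) Safari/605.1"
198.51.100.7 - - [12/Mar/2023:03:14:02 +0000] "POST /css/cache.php HTTP/1.1" 200 312 "-" "python-requests/2.28.1"
198.51.100.7 - - [12/Mar/2023:03:14:09 +0000] "POST /css/cache.php HTTP/1.1" 200 2044 "-" "python-requests/2.28.1"
198.51.100.7 - - [12/Mar/2023:03:14:40 +0000] "POST /css/cache.php HTTP/1.1" 200 15871 "-" "python-requests/2.28.1"
"""

SCRIPT_EXTS = (".php", ".asp", ".aspx", ".jsp", ".jspx", ".cgi")


def summarize(lines):
    """Aggregate, per request path, the facts the heuristics need."""
    per_uri = defaultdict(lambda: {"ips": set(), "methods": set(), "referers": set(),
                                   "uas": set(), "hits": 0})
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # malformed or differently formatted line: skip, do not crash
        uri = m["uri"].split("?", 1)[0]  # drop the query string so variants group together
        rec = per_uri[uri]
        rec["ips"].add(m["ip"])
        rec["methods"].add(m["method"])
        rec["referers"].add(m["referer"])
        rec["uas"].add(m["ua"])
        rec["hits"] += 1
    return per_uri


def score_uri(rec, max_clients=2):
    """Return the list of indicators that hold for one path's aggregated record."""
    reasons = []
    if rec["methods"] == {"POST"}:
        reasons.append("only ever POSTed to")
    if len(rec["ips"]) <= max_clients:
        reasons.append(f"reached by only {len(rec['ips'])} client IP(s)")
    if rec["referers"] <= {"-", ""}:
        reasons.append("never carries a Referer")
    if not any("Mozilla" in ua for ua in rec["uas"]):
        reasons.append("non-browser User-Agent only")
    return reasons


def find_suspicious_scripts(log_text, min_reasons=3):
    """Map each script path that meets the threshold to the indicators behind it."""
    flagged = {}
    for uri, rec in summarize(log_text.splitlines()).items():
        if not uri.lower().endswith(SCRIPT_EXTS):
            continue
        reasons = score_uri(rec)
        if len(reasons) >= min_reasons:
            flagged[uri] = reasons
    return flagged


if __name__ == "__main__":
    for uri, reasons in find_suspicious_scripts(SAMPLE_LOG).items():
        print(uri, "->", "; ".join(reasons))
```

The login form is POST-only too, but it comes from several clients with a Referer and browser User-Agents, so it scores one indicator and is not reported; tune `min_reasons` and `max_clients` to the site's real traffic before relying on the output.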
Image source: NSA Cybersecurity Information: Detect and Prevent Web Shell Malware
Consider removing/disabling file directories and other resources that are network-exposed and could be abused to host a web shell. Implement least-privilege policies for web server users/services as well as network segmentation of Internet-facing infrastructure to limit the scope of abuse.
Once deployed, ensure only required changes to web directory content are allowed (e.g. per file as well as limited by user account; the web server's own service account should not need write access to the directories it serves). Also consider disabling dangerous web functions (such as PHP's eval() and system()) that are commonly abused by web shells. Note that in PHP, system(), exec(), shell_exec(), passthru(), proc_open() and popen() can be turned off with the disable_functions directive in php.ini, but eval() is a language construct rather than a function and cannot be disabled that way; restricting eval() requires a separate control such as a hardened PHP build or code review.