Web Shell - T1505.003
(ATT&CK® Technique)
Definition
Adversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script placed on an openly accessible web server that lets an adversary use that server as a gateway into a network. A web shell may expose a set of functions to execute, or a command-line interface, on the system that hosts the web server.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
    %% D3FEND inferred relationships for ATT&CK T1505.003 (Web Shell).
    %% Solid edges tie a technique to the digital artifact it acts on.
    %% Dotted edges are the inferred may-* relations to the web shell: they
    %% mark a possible defensive effect through that artifact, not a guarantee.

    %% Offensive technique and the three artifacts it touches.
    T1505003["Web Shell"] --> |produces| Process["Process"];
    T1505003 --> |adds| WebScriptFile["Web Script File"];
    T1505003 --> |modifies| WebServer["Web Server"];
    class T1505003 OffensiveTechniqueNode;
    class Process ArtifactNode;
    class WebScriptFile ArtifactNode;
    class WebServer ArtifactNode;
    click T1505003 href "/offensive-technique/attack/T1505.003/";
    click Process href "/dao/artifact/d3f:Process";
    click WebScriptFile href "/dao/artifact/d3f:WebScriptFile";
    click WebServer href "/dao/artifact/d3f:WebServer";

    %% may-detect, via Web Script File
    EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | WebScriptFile;
    EmulatedFileAnalysis -.-> | may-detect | T1505003;
    class EmulatedFileAnalysis DefensiveTechniqueNode;
    click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis";

    %% may-detect, via Web Script File
    DynamicAnalysis["Dynamic Analysis"] --> | analyzes | WebScriptFile;
    DynamicAnalysis -.-> | may-detect | T1505003;
    class DynamicAnalysis DefensiveTechniqueNode;
    click DynamicAnalysis href "/technique/d3f:DynamicAnalysis";

    %% may-detect, via Process
    ProcessSelf-ModificationDetection["Process Self-Modification Detection"] --> | analyzes | Process;
    ProcessSelf-ModificationDetection -.-> | may-detect | T1505003;
    class ProcessSelf-ModificationDetection DefensiveTechniqueNode;
    click ProcessSelf-ModificationDetection href "/technique/d3f:ProcessSelf-ModificationDetection";

    %% may-detect, via Process
    ProcessSpawnAnalysis["Process Spawn Analysis"] --> | analyzes | Process;
    ProcessSpawnAnalysis -.-> | may-detect | T1505003;
    class ProcessSpawnAnalysis DefensiveTechniqueNode;
    click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis";

    %% may-evict, via Process
    HostShutdown["Host Shutdown"] --> | terminates | Process;
    HostShutdown -.-> | may-evict | T1505003;
    class HostShutdown DefensiveTechniqueNode;
    click HostShutdown href "/technique/d3f:HostShutdown";

    %% may-evict, via Process
    ProcessTermination["Process Termination"] --> | terminates | Process;
    ProcessTermination -.-> | may-evict | T1505003;
    class ProcessTermination DefensiveTechniqueNode;
    click ProcessTermination href "/technique/d3f:ProcessTermination";

    %% may-evict, via Process
    ProcessSuspension["Process Suspension"] --> | suspends | Process;
    ProcessSuspension -.-> | may-evict | T1505003;
    class ProcessSuspension DefensiveTechniqueNode;
    click ProcessSuspension href "/technique/d3f:ProcessSuspension";

    %% may-detect, via Web Script File
    FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | WebScriptFile;
    FileIntegrityMonitoring -.-> | may-detect | T1505003;
    class FileIntegrityMonitoring DefensiveTechniqueNode;
    click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";

    %% may-deceive, via Web Script File
    DecoyFile["Decoy File"] --> | spoofs | WebScriptFile;
    DecoyFile -.-> | may-deceive | T1505003;
    class DecoyFile DefensiveTechniqueNode;
    click DecoyFile href "/technique/d3f:DecoyFile";

    %% may-evict, via Web Script File
    FileEviction["File Eviction"] --> | deletes | WebScriptFile;
    FileEviction -.-> | may-evict | T1505003;
    class FileEviction DefensiveTechniqueNode;
    click FileEviction href "/technique/d3f:FileEviction";

    %% may-harden, via Web Script File
    FileEncryption["File Encryption"] --> | encrypts | WebScriptFile;
    FileEncryption -.-> | may-harden | T1505003;
    class FileEncryption DefensiveTechniqueNode;
    click FileEncryption href "/technique/d3f:FileEncryption";

    %% may-isolate, via Process
    Hardware-basedProcessIsolation["Hardware-based Process Isolation"] --> | isolates | Process;
    Hardware-basedProcessIsolation -.-> | may-isolate | T1505003;
    class Hardware-basedProcessIsolation DefensiveTechniqueNode;
    click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation";

    %% may-isolate, via Process
    Kernel-basedProcessIsolation["Kernel-based Process Isolation"] --> | isolates | Process;
    Kernel-basedProcessIsolation -.-> | may-isolate | T1505003;
    class Kernel-basedProcessIsolation DefensiveTechniqueNode;
    click Kernel-basedProcessIsolation href "/technique/d3f:Kernel-basedProcessIsolation";

    %% may-isolate, via Web Script File
    ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | WebScriptFile;
    ExecutableAllowlisting -.-> | may-isolate | T1505003;
    class ExecutableAllowlisting DefensiveTechniqueNode;
    click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting";

    %% may-isolate, via Process
    Application-basedProcessIsolation["Application-based Process Isolation"] --> | isolates | Process;
    Application-basedProcessIsolation -.-> | may-isolate | T1505003;
    class Application-basedProcessIsolation DefensiveTechniqueNode;
    click Application-basedProcessIsolation href "/technique/d3f:Application-basedProcessIsolation";

    %% may-isolate, via Web Script File
    ExecutableDenylisting["Executable Denylisting"] --> | blocks | WebScriptFile;
    ExecutableDenylisting -.-> | may-isolate | T1505003;
    class ExecutableDenylisting DefensiveTechniqueNode;
    click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting";

    %% may-restore, via Web Script File
    RestoreFile["Restore File"] --> | restores | WebScriptFile;
    RestoreFile -.-> | may-restore | T1505003;
    class RestoreFile DefensiveTechniqueNode;
    click RestoreFile href "/technique/d3f:RestoreFile";

    %% may-restore, via Web Server
    RestoreNetworkAccess["Restore Network Access"] --> | restores | WebServer;
    RestoreNetworkAccess -.-> | may-restore | T1505003;
    class RestoreNetworkAccess DefensiveTechniqueNode;
    click RestoreNetworkAccess href "/technique/d3f:RestoreNetworkAccess";

    %% may-isolate, via Web Script File
    LocalFilePermissions["Local File Permissions"] --> | restricts | WebScriptFile;
    LocalFilePermissions -.-> | may-isolate | T1505003;
    class LocalFilePermissions DefensiveTechniqueNode;
    click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";

    %% may-isolate, via Process
    SystemCallFiltering["System Call Filtering"] --> | isolates | Process;
    SystemCallFiltering -.-> | may-isolate | T1505003;
    class SystemCallFiltering DefensiveTechniqueNode;
    click SystemCallFiltering href "/technique/d3f:SystemCallFiltering";

    %% may-detect, via Web Script File
    FileAnalysis["File Analysis"] --> | analyzes | WebScriptFile;
    FileAnalysis -.-> | may-detect | T1505003;
    class FileAnalysis DefensiveTechniqueNode;
    click FileAnalysis href "/technique/d3f:FileAnalysis";

    %% may-detect, via Web Server
    EndpointHealthBeacon["Endpoint Health Beacon"] --> | monitors | WebServer;
    EndpointHealthBeacon -.-> | may-detect | T1505003;
    class EndpointHealthBeacon DefensiveTechniqueNode;
    click EndpointHealthBeacon href "/technique/d3f:EndpointHealthBeacon";

    %% may-detect, via Process
    ProcessLineageAnalysis["Process Lineage Analysis"] --> | analyzes | Process;
    ProcessLineageAnalysis -.-> | may-detect | T1505003;
    class ProcessLineageAnalysis DefensiveTechniqueNode;
    click ProcessLineageAnalysis href "/technique/d3f:ProcessLineageAnalysis";

    %% may-isolate, via Web Script File
    RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | WebScriptFile;
    RemoteFileAccessMediation -.-> | may-isolate | T1505003;
    class RemoteFileAccessMediation DefensiveTechniqueNode;
    click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";

    %% may-evict, via Process
    HostReboot["Host Reboot"] --> | terminates | Process;
    HostReboot -.-> | may-evict | T1505003;
    class HostReboot DefensiveTechniqueNode;
    click HostReboot href "/technique/d3f:HostReboot";