12 Threat Detection Trends IT Pros Should Know

Trend #6: Common Web Shells

Web shells are malicious scripts designed to maintain access to compromised web servers and facilitate remote code execution, according to Red Canary. Some allow adversaries to issue a single command in a text box on a web page, while others include extensive capabilities where the adversary’s imagination is the limit.

Web shells execute with the same user account privileges as the exploited web application. If the application runs as an administrator, sensitive databases and systems may be accessible.

Adversaries often leave web shells on public-facing web servers with no authentication mechanisms so they can return to the systems later.

Responders may find many web shells on a single server or evidence of multiple adversaries using an abandoned web shell. Web shells should be removed as soon as possible to prevent further access.
