← All Chokepoints CRITICAL

Web Shell Persistence

Persistence Initial Access Execution T1505.003 T1190 T1059.004 Detection difficulty: MEDIUM Prevalence: HIGH

Adversaries plant web-accessible scripts (web shells) on compromised servers to maintain persistent command execution via HTTP/HTTPS. Web shells are deployed in virtually every major web-facing compromise — appearing in 35% of Q4 2024 IR incidents (Cisco Talos) and serving as the primary persistence mechanism in ProxyLogon, ProxyShell, MOVEit, Barracuda ESG, and Ivanti zero-day campaigns. Despite diversity in language (PHP/ASP.NET/JSP/Python), encoding (base64, XOR, gzinflate, multi-layer), and evasion technique (polyglot files, fileless IIS modules, steganography), the chokepoint is invariant: the web server process must execute attacker-controlled OS commands by spawning a child interpreter, and that parent-child relationship is always kernel-observable regardless of obfuscation. The ShellForge paper (arXiv 2601.22182) demonstrated that adversarially generated webshells achieve 93.9% evasion against VirusTotal commercial engines, validating that behavioral detection of process creation is essential over file-content scanning.

By @iimp0ster · Updated 2026-03-07 · View source YAML

Prerequisites (Environmental)

• ✓ Write access to a web-accessible directory on the target server (via file upload, path traversal, CVE exploitation, or CMS compromise)
• ✓ OR ability to modify web server configuration (for IIS native module approach)
• ✓ Web server must execute the shell's scripting language (PHP, ASP.NET, JSP, etc.)
• ✓ HTTP/HTTPS access to the deployed shell from attacker infrastructure
• ✓ Server must have OS command execution capability (not hardened to deny shell spawning)

Variations

Tools and methods that exploit this chokepoint — the list grows; the chokepoint doesn't change:

China Chopper Active

2013

Minimal two-component design: a one-line server-side stub (often <4KB) and a separate attacker-controlled client. Supports PHP, ASP, ASP.NET, and JSP. Extremely small footprint makes file-size-based detection ineffective. Used across the full threat actor spectrum from APT groups to commodity attackers; still actively deployed in 2024-2025 campaigns.

Godzilla Active

2020-Q4

Created by BeichenDream; requires both a password AND encryption key for C2 communication, providing dual-layer authentication that prevents accidental discovery by other threat actors. Supports ASP.NET, JSP, and PHP. Actively tracked by HC3 in November 2024 healthcare sector campaigns; more sophisticated authentication model than China Chopper.

Behinder (Ice Scorpion) Active

2020-Q1

Publicly available and actively maintained (GitHub user rebeyond); uses encryption-based C2 communication and randomizes User-Agent strings to evade network and log analysis. Can load and execute compiled payloads in addition to script commands. Supports ASP.NET, JSP, PHP. Particularly effective against network-based detection due to encrypted traffic.

AntSword Active

2019

Modular client-server webshell framework; remarkably similar architecture to China Chopper but with improved extensibility. Open source on GitHub. Actively observed in targeted campaigns through 2024-2025.

Neo-reGeorg / reGeorg Active

2017

HTTP tunnel/proxy webshell that forwards attacker traffic through the compromised server; commonly used for lateral movement once initial shell access is achieved. Neo-reGeorg is the actively maintained successor. Allows attackers to proxy traffic to internal network segments not directly reachable from the internet.

LEMURLOOT (MOVEit) Active

2023-Q2

C# ASP.NET webshell deployed by CL0P (TA505) via MOVEit Transfer CVE-2023-34362 SQL injection zero-day (May 2023). Named human2.aspx to masquerade as a legitimate MOVEit file. Exfiltrated data from MOVEit databases and executed arbitrary commands. Approximately 130 organizations victimized within 10 days; represents the targeted appliance-specific webshell model deployed by ransomware operators.

Source →

GLASSTOKEN / BUSHWALK (Ivanti) Active

2024-Q1

Webshells deployed against Ivanti Connect Secure appliances via CVE-2023-46805 (auth bypass) and CVE-2024-21887 (command injection). GLASSTOKEN was the initial variant; BUSHWALK, LIGHTWIRE, and CHAINLINE were deployed post-mitigation bypass. Over 1,700 appliances compromised. Demonstrates the shift from web application webshells to network appliance webshells — same parent-child execution pattern, different host OS environment.

Source →

SALTWATER / SEASPY (Barracuda ESG) Active

2023-Q2

Webshell-style implants deployed by UNC4841 (China-nexus) against Barracuda Email Security Gateway appliances via CVE-2023-2868 (remote command injection via TAR file). Exploited as zero-day from October 2022; disclosed May 2023. CISA mandated full appliance replacement — patches were insufficient. Demonstrates webshells surviving factory reset via firmware-level persistence on physical appliances.

Source →

Fileless IIS Native Modules Active

2022-Q1

Malicious IIS native modules (.DLL) that act as request handlers, intercepting all HTTP traffic to the server. Documented by Microsoft in December 2022; avoids writing script files to web-accessible directories entirely. Detected via IIS module configuration review rather than file scanning. Same parent-child process relationship (w3wp.exe spawning cmd.exe) applies when commands are executed.

Source →

Polyglot / Steganographic Shells Active

2020-Q1

Webshell code embedded in valid image files (GIF89a header + PHP code) or hidden via steganography. Bypass file-type validation and content inspection. When the web server processes the file as a script, the embedded code executes. Primarily used to evade upload restrictions; once uploaded, execution behavior is identical to traditional webshells.

Server-Side Template Injection (SSTI) Webshells Active

2019

Injects malicious code into server-side template expressions (Jinja2, Freemarker, Velocity, Thymeleaf, JSP EL) to achieve RCE without uploading a dedicated shell file. The template engine becomes the execution vehicle. SAP NetWeaver JSP webshells (April 2025) demonstrated SSTI-based initial access at scale; no traditional shell file exists on disk to scan.

Detection Strategy

Build detections iteratively. Start broad to understand your baseline, then tighten to production-ready.

Goal: Identify all child processes spawned by web server processes in the environment

Log Sources

• Sysmon Event ID 1 (Process Creation)
• Windows Security Event ID 4688 (Process Creation with CommandLine auditing enabled)
• Linux auditd execve syscall events

FP Rate: High

Use Case: Baseline legitimate web server child process behavior; identify environments with routine shell spawning (misconfigured) vs. those with no child process spawning (well-hardened)

Detection Logic

Process Created (EID 1 or 4688):
  ParentImage: w3wp.exe OR httpd OR apache2 OR nginx OR java OR tomcat OR php-fpm
  ChildImage: ANY
Purpose: Build full baseline of all child processes spawned by web server processes; identify legitimate administration and deployment processes vs. anomalous execution

Sigma Rule — Research Level

View on GitHub Download

title: Web Shell — All Child Processes Spawned by Web Server Processes (Research Baseline)
id: d4a6c8e0-3b5f-7a9c-1d2f-5h7i9j1k3m5n
status: experimental
description: >
  Maximum-visibility rule capturing every process creation event where the parent
  is a known web server worker process (IIS w3wp.exe, Apache httpd.exe, nginx,
  PHP-CGI, Tomcat, JBoss). Designed as a baselining rule to build a complete
  inventory of legitimate web server child processes before tuning toward
  behavioral hunt and analyst rules. Web shells are present in 35% of Q4 2024 IR
  incidents (Cisco Talos), and the ShellForge paper (arXiv 2601.22182) demonstrated
  that adversarially generated shells achieve 93.9% evasion against VirusTotal
  commercial engines — making behavioral process-creation detection essential over
  file-content scanning. The invariant that enables durable detection is:
  HTTP request → web server process → child OS interpreter. This rule captures
  every instance of that parent-child relationship, making it the foundation for
  identifying both the legitimate baseline and anomalous attacker-controlled execution.
  High false positive rate expected; purpose is environmental baselining only.
references:
  - https://attack.mitre.org/techniques/T1505/003/
  - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
  - https://arxiv.org/abs/2601.22182
  - https://www.microsoft.com/en-us/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/
  - https://blog.talosintelligence.com/talos-ir-trends-q4-2024/
author: "@iimp0ster"
date: 2026/03/08
tags:
  - attack.persistence
  - attack.t1505.003
  - attack.initial_access
  - attack.t1190
  - attack.execution
  - detection.maturity.research
logsource:
  category: process_creation
  product: windows
detection:
  selection_web_server_parent:
    ParentImage|endswith:
      - '\w3wp.exe'
      - '\httpd.exe'
      - '\apache.exe'
      - '\apache2.exe'
      - '\nginx.exe'
      - '\php-cgi.exe'
      - '\php.exe'
      - '\php-fpm.exe'
      - '\tomcat.exe'
      - '\tomcat9.exe'
      - '\tomcat10.exe'
      - '\java.exe'
      - '\javaw.exe'
  condition: selection_web_server_parent
falsepositives:
  - Legitimate CMS-triggered processes (WordPress image resize, Drupal cron via PHP)
  - Deployment pipeline scripts invoked via web-triggered hooks (CI/CD webhook handlers)
  - Scheduled tasks executed in the context of IIS application pools
  - wkhtmltopdf, ImageMagick, ghostscript spawned by PDF/image-generation web applications
  - Node.js, Python, Ruby child processes spawned by legitimate polyglot web applications
  - IIS application initialization scripts (warmup processes)
level: informational

Goal: Web server process spawning OS shell interpreters or reconnaissance utilities

Log Sources

• Sysmon Event ID 1 (Process Creation)
• Sysmon Event ID 11 (File Created)
• Windows Security Event ID 4688 (Process Creation)
• Linux auditd execve + open syscalls

FP Rate: Medium

Use Case: Proactive hunt for active webshell execution and new shell file drops; distinguishes attacker activity from legitimate server-side scripting

Detection Logic

Process Created (EID 1):
  ParentImage: w3wp.exe OR httpd OR apache2 OR nginx OR java OR php-fpm OR tomcat
  ChildImage:
    cmd.exe OR powershell.exe OR pwsh.exe OR wscript.exe OR cscript.exe OR
    /bin/sh OR /bin/bash OR /bin/dash OR python* OR perl OR ruby OR
    whoami.exe OR net.exe OR ipconfig.exe OR ifconfig OR id OR wget OR curl
OR:
  File Created (EID 11):
    Path: contains \inetpub\wwwroot\ OR /var/www/ OR /srv/www/ OR /usr/share/nginx/
    Extension: .php OR .asp OR .aspx OR .jsp OR .jspx OR .cfm OR .shtml
    CreatingProcess: NOT in approved deployment toolchain

Sigma Rule — Hunt Level

View on GitHub Download

title: Web Shell — Web Server Spawning Shell Interpreter or Script File Dropped in Web Root
id: e5b7d9f1-4c6e-8a0b-2d3f-6i8j0k2l4n6o
status: experimental
description: >
  Detects two behavioral patterns associated with active web shell execution.
  Pattern A captures web server processes (IIS, Apache, nginx, PHP, Tomcat, Java)
  spawning OS shell interpreters (cmd.exe, powershell.exe, pwsh.exe) or common
  reconnaissance and download utilities — the execution step after a web shell
  receives an attacker HTTP command. Pattern B captures script file creation events
  (Sysmon EID 11) in web-accessible directories for server-side script extensions
  (.php, .asp, .aspx, .jsp) by processes outside an approved deployment toolchain —
  the initial shell file drop step. Together these cover both active shell execution
  (China Chopper, Godzilla, Behinder, AntSword) and new shell deployment. Fileless
  IIS native module webshells (Microsoft, 2022) still generate w3wp.exe child process
  events when commands execute, making Pattern A effective even against DLL-based shells.
  Medium false positive rate — requires baselining (see research rule) to identify
  what your web servers legitimately spawn before tuning.
references:
  - https://attack.mitre.org/techniques/T1505/003/
  - https://attack.mitre.org/techniques/T1190/
  - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
  - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
  - https://arxiv.org/abs/2601.22182
  - https://cloud.google.com/blog/topics/threat-intelligence/pst-want-shell-proxyshell-exploiting-microsoft-exchange-servers
author: "@iimp0ster"
date: 2026/03/08
tags:
  - attack.persistence
  - attack.t1505.003
  - attack.initial_access
  - attack.t1190
  - attack.execution
  - attack.t1059.003
  - attack.t1059.001
  - detection.maturity.hunt
logsource:
  category: process_creation
  product: windows
detection:
  # Pattern A: Web server process spawning known shell interpreters or recon utilities
  selection_spawn_web_parent:
    ParentImage|endswith:
      - '\w3wp.exe'
      - '\httpd.exe'
      - '\apache.exe'
      - '\apache2.exe'
      - '\nginx.exe'
      - '\php-cgi.exe'
      - '\php.exe'
      - '\php-fpm.exe'
      - '\tomcat.exe'
      - '\tomcat9.exe'
      - '\tomcat10.exe'
      - '\java.exe'
      - '\javaw.exe'
  selection_spawn_child_shells:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\mshta.exe'
      - '\certutil.exe'
      - '\bitsadmin.exe'
      - '\regsvr32.exe'
      - '\rundll32.exe'
      - '\msiexec.exe'
      - '\wmic.exe'
      - '\whoami.exe'
      - '\net.exe'
      - '\net1.exe'
      - '\ipconfig.exe'
      - '\systeminfo.exe'
      - '\netstat.exe'
      - '\curl.exe'
      - '\wget.exe'
  condition: (selection_spawn_web_parent and selection_spawn_child_shells)
falsepositives:
  - Legitimate CMS-triggered shell scripts via webhooks (Drupal, WordPress deployment)
  - Development environments where web server invokes build scripts
  - wkhtmltopdf or ImageMagick shell wrappers called by web applications
  - Java application servers invoking legitimate scripts via Runtime.exec()
  - Authorized administrative scripts triggered via web-based management interfaces
level: medium

Goal: Web server spawns shell interpreter with suspicious command AND web-accessible file recently created — direct webshell execution signal

Log Sources

• Sysmon Event ID 1 (Process Creation)
• Sysmon Event ID 3 (Network Connection)
• Sysmon Event ID 11 (File Created)
• Windows Security Event ID 4688 (Process Creation)
• IIS/Apache/nginx access logs

FP Rate: Low

Use Case: SOC alerting; immediate IR escalation; highest confidence by correlating shell file creation with subsequent command execution

Detection Logic

File Created (EID 11) in web-accessible path:
  Extension: .php OR .asp OR .aspx OR .jsp OR .jspx
  CreatingProcess: NOT approved CMS or deployment tool
  Time: within last 24 hours
THEN within 60 minutes:
  Process Created (EID 1):
    ParentImage: w3wp.exe OR httpd OR apache2 OR java
    ChildImage: cmd.exe OR powershell.exe OR /bin/sh OR /bin/bash
    CommandLine: contains (whoami OR net user OR net group OR ipconfig OR
                           ifconfig OR id OR wget OR curl OR certutil)
OR (standalone — high confidence without file correlation):
  ParentImage: w3wp.exe AND ChildImage: powershell.exe AND
  CommandLine: contains (-enc OR -EncodedCommand OR IEX OR Invoke-Expression OR
                        DownloadString OR WebClient OR FromBase64String)

Sigma Rule — Analyst Level

View on GitHub Download

title: Web Shell — High-Confidence Execution via Web Server Spawning Shell with Suspicious Command
id: f6c8e0a2-5d7f-9b1c-3e4g-7j9k1l3m5o7p
status: experimental
description: >
  High-fidelity detection for active web shell command execution. Detects a web
  server worker process (w3wp.exe, httpd.exe, apache2.exe, nginx.exe, java.exe,
  php-cgi.exe) spawning a shell interpreter (cmd.exe, powershell.exe) where the
  spawned process command line contains explicit attacker reconnaissance, exfiltration,
  or download indicators. This two-condition structure (web server parent AND
  suspicious child command line) provides strong specificity over the hunt rule's
  broader shell-spawn coverage. A second high-confidence selection covers PowerShell
  encoded command execution from a web server parent — a near-universal indicator
  of China Chopper, Godzilla, Behinder, and AntSword webshell variants, all of
  which use PowerShell encoded commands or IEX/WebClient patterns for payload delivery.
  The chokepoint invariant (HTTP request → web server process → child OS interpreter)
  holds regardless of shell language, encoding, or C2 encryption used; this rule
  detects the observable execution artifact at the endpoint layer. Low false positive
  rate; treat as immediate SOC escalation.
references:
  - https://attack.mitre.org/techniques/T1505/003/
  - https://attack.mitre.org/techniques/T1190/
  - https://attack.mitre.org/techniques/T1059/001/
  - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
  - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
  - https://arxiv.org/abs/2601.22182
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b
author: "@iimp0ster"
date: 2026/03/08
tags:
  - attack.persistence
  - attack.t1505.003
  - attack.initial_access
  - attack.t1190
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
  - detection.maturity.analyst
logsource:
  category: process_creation
  product: windows
detection:
  # Shared filter: parent must be a web server process
  selection_web_server_parent:
    ParentImage|endswith:
      - '\w3wp.exe'
      - '\httpd.exe'
      - '\apache.exe'
      - '\apache2.exe'
      - '\nginx.exe'
      - '\php-cgi.exe'
      - '\php.exe'
      - '\php-fpm.exe'
      - '\tomcat.exe'
      - '\tomcat9.exe'
      - '\tomcat10.exe'
      - '\java.exe'
      - '\javaw.exe'

  # Selection A: cmd.exe spawned by web server with recon/exfil/download command
  selection_cmd_recon:
    Image|endswith: '\cmd.exe'
    CommandLine|contains|any:
      - 'whoami'
      - 'net user'
      - 'net group'
      - 'net localgroup'
      - 'ipconfig'
      - 'systeminfo'
      - 'netstat'
      - 'tasklist'
      - 'quser'
      - 'qwinsta'
      - 'dir '
      - 'type '
      - 'copy '
      - 'move '
      - 'certutil'
      - 'bitsadmin'
      - 'mshta'
      - 'curl'
      - 'wget'
      - 'nltest'
      - 'arp '
      - 'ping '
      - 'nslookup'
      - 'reg query'
      - 'reg add'
      - 'schtasks'
      - 'at '
      - 'net use'
      - 'wmic'

  # Selection B: PowerShell with encoded command or downloader/execution pattern
  selection_powershell_encoded:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains|any:
      - '-enc'
      - '-EncodedCommand'
      - '-e '
      - 'IEX'
      - 'Invoke-Expression'
      - 'DownloadString'
      - 'DownloadFile'
      - 'WebClient'
      - 'Net.WebClient'
      - 'FromBase64String'
      - 'ToBase64String'
      - 'BitsTransfer'
      - 'Start-BitsTransfer'
      - 'Invoke-WebRequest'
      - '-nop'
      - '-noprofile'
      - 'bypass'
      - 'hidden'
      - 'Add-MpPreference'
      - 'Set-MpPreference'
      - 'whoami'
      - 'net user'
      - 'net group'

  condition: selection_web_server_parent and (selection_cmd_recon or selection_powershell_encoded)
falsepositives:
  - Legitimate web applications that invoke system utilities as part of documented functionality (file conversion, health checks)
  - Authorized administrative web interfaces that invoke PowerShell for server management
  - Development environments where web applications execute scripts for testing
level: high

Early Detection Layers

Detect before the user pastes or executes — earlier in the kill chain than the Sysmon-based rules above, using different data sources.

Evolution Timeline (8 events — click to expand)

Techniques and tooling evolve; the underlying detection chokepoint does not.

2025-Q1

Weaver Ant APT reveals multi-year covert access via chained webshells

Change: Chinese-nexus APT maintained persistent access to Asian telecom provider for years using chained webshells as encrypted tunnels; demonstrates webshells as long-term strategic persistence, not merely an initial foothold tool

Detection impact: Periodic file integrity checks insufficient; continuous monitoring of web server process behavior and outbound network connections required; dormant shells evade activity-based detection during inactive periods

2024-Q4

Web shells present in 35% of all IR incidents (Cisco Talos)

Change: Web shell deployment reaches highest observed prevalence; shift toward exploiting unpatched public-facing applications as primary initial access vector, replacing phishing in many campaigns

Detection impact: Organizations without web server process creation monitoring have minimal detection capability; parent-child process detection must be a baseline capability, not an advanced one

2024-Q1

Ivanti Connect Secure mass exploitation deploys GLASSTOKEN across 1,700+ appliances

Change: CVE-2023-46805 auth bypass + CVE-2024-21887 command injection; webshells survive initial mitigation requiring new variant deployment (BUSHWALK, LIGHTWIRE); webshell operators actively adapt to defensive response in near-real-time

Detection impact: Integrity checking bypass documented; behavioral detection of process execution from appliance services becomes critical; out-of-band integrity verification required

2023-Q2

MOVEit LEMURLOOT and Barracuda SALTWATER/SEASPY deployed on network appliances

Change: CL0P exploits MOVEit zero-day; UNC4841 exploits Barracuda zero-day. Webshells deployed on managed file transfer platforms and email security appliances rather than traditional web servers. CISA mandates Barracuda appliance replacement.

Detection impact: Traditional web server process monitoring insufficient for appliance-specific environments where telemetry is limited; generic parent-child detection applies where host telemetry is available

2022-Q4

Microsoft documents fileless IIS native module webshells

Change: Malicious IIS DLLs intercept all web traffic with no script file in the web root and no keyword-scannable content; evades all file-based and directory-monitoring detection approaches

Detection impact: File integrity monitoring of web directories insufficient alone; IIS module configuration auditing required; w3wp.exe child process spawning remains the effective detection signal

2021-Q1

ProxyLogon/ProxyShell plants webshells on hundreds of thousands of Exchange servers

Change: Mass exploitation of CVE-2021-26855 and CVE-2021-34473 drops webshells on every unpatched Exchange server globally within days; multiple threat actors use the same shells simultaneously

Detection impact: File hash detection partially effective but attacker variants proliferate immediately; behavioral detection of w3wp.exe spawning cmd.exe becomes an urgent priority signal

2020

NSA/CISA joint advisory published; Microsoft reports 900% increase in web shell detections

Change: Attacker adoption surges; Behinder and Godzilla introduce encrypted C2 and dual-layer authentication; web shells become primary persistence in commodity and nation-state campaigns alike

Detection impact: Network-based detection ineffective against encrypted shells; process parent-child monitoring becomes essential; parent-child relationship detection begins gaining adoption in EDR and SIEM rules

2013-2019

China Chopper establishes the minimal webshell model; reGeorg adds tunneling

Change: Two-component design (tiny server stub + attacker client) becomes the dominant pattern; HTTP tunneling via reGeorg enables lateral movement through the webshell into internal network segments

Detection impact: File-size-based detection fails against sub-4KB stubs; keyword/signature scanning becomes the primary but insufficient detection method

Raw Log Samples (4 samples — click to expand)

Real-world log events produced by this technique and which sigma rules they trigger.

Sysmon EID 11

Hunt Analyst

ASPX web shell file created in IIS web root by non-deployment process

EventID: 11 (FileCreate)
UtcTime: 2024-09-03 07:14:32.441
ProcessId: 4
Image: System
TargetFilename: C:\inetpub\wwwroot\upload\cmd8473.aspx
CreationUtcTime: 2024-09-03 07:14:32.441
# File created in web root with .aspx extension by SYSTEM/non-deployment process
# Timestamp correlation: shell accessed via HTTP within 60 minutes of this event

Sysmon EID 1

Research Hunt Analyst

cmd.exe spawned by w3wp.exe after HTTP request to the web shell

EventID: 1 (Process Create)
UtcTime: 2024-09-03 07:18:44.113
ProcessId: 7832
Image: C:\Windows\System32\cmd.exe
CommandLine: cmd /c whoami
CurrentDirectory: C:\Windows\system32\
ParentProcessId: 2840
ParentImage: C:\Windows\System32\inetsrv\w3wp.exe
ParentCommandLine: c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool"
# w3wp.exe → cmd.exe is the canonical IIS web shell execution pattern
# Research rule: any w3wp child; Hunt/Analyst rule: cmd.exe/powershell.exe child

Sysmon EID 1

Hunt Analyst

PowerShell with encoded command spawned by w3wp.exe — encoded web shell execution

EventID: 1 (Process Create)
UtcTime: 2024-09-03 07:19:02.774
ProcessId: 8104
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: powershell.exe -NonInteractive -enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA
ParentProcessId: 2840
ParentImage: C:\Windows\System32\inetsrv\w3wp.exe
# w3wp → powershell.exe with -enc flag = high-confidence Analyst rule signal

Sysmon EID 3

Analyst

Outbound reverse shell / download connection from w3wp.exe child process

EventID: 3 (NetworkConnect)
UtcTime: 2024-09-03 07:19:04.882
ProcessId: 8104
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
User: IIS APPPOOL\DefaultAppPool
Protocol: tcp
Initiated: true
SourceIp: 10.20.1.15
SourcePort: 52741
DestinationIp: 185.220.101.55
DestinationHostname: -
DestinationPort: 4444
# w3wp child process making outbound TCP connection to non-RFC1918 IP on non-standard port

Emulation Script (click to expand)

⚠ Lab use only. Run in isolated lab VM only. Creates a text file (not executable) in a test web directory.

powershell ATT&CK: T1505.003 Simulates web shell file creation, interpreter spawn with recon commands, and outbound connection

POWERSHELL

View on GitHub Download

#Requires -Version 5.1
# MITRE ATT&CK: T1505.003 — Server Software Component: Web Shell
# Simulates web shell write to web root and subsequent command execution via HTTP.

[CmdletBinding()]
param(
    [string]$WebRoot        = (Join-Path $env:TEMP 'wwwroot-emulation'),
    [string]$ShellExtension = '.aspx',
    [switch]$CleanupOnly
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Continue'

$ShellName   = "cmd$(Get-Random -Maximum 9999)$ShellExtension"
$ShellPath   = Join-Path $WebRoot $ShellName
$C2Endpoint  = 'https://example.com'

function Write-Step ([string]$Msg) { Write-Host "[*] $Msg" -ForegroundColor Cyan }
function Write-Ok   ([string]$Msg) { Write-Host "[+] $Msg" -ForegroundColor Green }
function Write-Warn ([string]$Msg) { Write-Host "[!] $Msg" -ForegroundColor Yellow }

function Remove-Artefacts {
    if (Test-Path $ShellPath)  { Remove-Item $ShellPath  -Force -ErrorAction SilentlyContinue }
    if (Test-Path $WebRoot -and (Get-ChildItem $WebRoot -ErrorAction SilentlyContinue).Count -eq 0) {
        Remove-Item $WebRoot -Force -ErrorAction SilentlyContinue
    }
    Write-Ok "Artefacts removed"
}

if ($CleanupOnly) { Remove-Artefacts; exit 0 }

Write-Host ""
Write-Host "=== Web Shell Emulation ===" -ForegroundColor Magenta
Write-Host "    T1505.003 | Detection Chokepoints Project" -ForegroundColor DarkGray
Write-Host ""

Write-Step "Step 1/3 — Creating web shell file in web-accessible directory"
Write-Verbose "  Path: $ShellPath"

# Ensure web root exists
if (-not (Test-Path $WebRoot)) {
    New-Item -ItemType Directory -Path $WebRoot -Force | Out-Null
    Write-Ok "Created test web root: $WebRoot"
}

# Write a safe marker file (NOT an executable web shell — just text content)
$ShellContent = @"
<%@ Page Language="C#" %>
<!-- Web Shell Emulation Marker — NOT executable, for detection testing only -->
<!-- Created by Detection Chokepoints emulation script -->
<!-- T1505.003 — File created at: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') -->
<% Response.Write("Detection test"); %>
"@
Set-Content -Path $ShellPath -Value $ShellContent -Encoding UTF8
Write-Ok "Web shell marker created: $ShellPath"
Write-Ok "Sysmon EID 11 generated — extension=$ShellExtension, path contains web root pattern"

Start-Sleep -Milliseconds 400

Write-Step "Step 2/3 — Simulating web server → cmd.exe execution chain"
Write-Verbose "  Real pattern: w3wp.exe → cmd.exe (web server spawns interpreter after HTTP request)"
Write-Verbose "  Simulated:    powershell.exe → cmd.exe (same child process, different parent)"
Write-Verbose "  Note: Hunt/Analyst rules check ParentImage=w3wp.exe specifically"
Write-Verbose "  For w3wp parent: deploy in IIS and access via HTTP (see below)"

# Run recon commands that web shells execute post-exploitation
$reconCommands = @(
    'whoami',
    'hostname',
    'ipconfig /all',
    'net user',
    'net localgroup administrators'
)

foreach ($cmd in $reconCommands) {
    $result = cmd.exe /c $cmd 2>&1 | Select-Object -First 3
    Write-Ok "cmd /c $cmd`: $($result[0])"
}

# Also run an encoded command (Analyst rule trigger)
$encodedPayload = [Convert]::ToBase64String(
    [System.Text.Encoding]::Unicode.GetBytes('Get-ChildItem C:\inetpub\wwwroot -ErrorAction SilentlyContinue')
)
powershell.exe -NonInteractive -NoProfile -EncodedCommand $encodedPayload 2>&1 | Out-Null
Write-Ok "Encoded command executed from cmd context — Analyst rule EID 1 pattern matched"

Start-Sleep -Milliseconds 400

Write-Step "Step 3/3 — Outbound HTTP connection from spawned interpreter"
Write-Verbose "  In real scenario: w3wp.exe child makes outbound connection to C2"

try {
    $resp = Invoke-WebRequest -Uri $C2Endpoint -Method HEAD -TimeoutSec 10 `
        -UseBasicParsing -ErrorAction Stop
    Write-Ok "Outbound connection (HTTP $($resp.StatusCode)) from interpreter — Sysmon EID 3 generated"
} catch {
    Write-Warn "Network request failed (EID 3 may still have fired for the TCP attempt): $_"
}

Write-Host ""
Write-Step "Cleaning up artefacts"
Remove-Artefacts

Write-Host ""
Write-Host "=== Emulation Complete ===" -ForegroundColor Magenta
Write-Host ""
Write-Host "Expected detections:" -ForegroundColor White
Write-Host "  [Research]  Sysmon EID 1 — any child process of web server"                               -ForegroundColor DarkCyan
Write-Host "  [Hunt]      EID 11 ($ShellExtension in web path) + EID 1 (cmd.exe/powershell.exe child)"  -ForegroundColor DarkYellow
Write-Host "  [Analyst]   EID 11 (web shell ext) + EID 1 (-enc or recon cmd) + EID 3 (outbound)"       -ForegroundColor DarkGreen
Write-Host ""
Write-Host "For w3wp.exe parent chain (IIS-specific Hunt/Analyst rules):" -ForegroundColor DarkGray
Write-Host "  1. Install IIS: Enable-WindowsOptionalFeature -Online -FeatureName IIS-WebServer"
Write-Host "  2. Copy shell marker to C:\inetpub\wwwroot\$ShellName"
Write-Host "  3. For ASPX execution: rename to .aspx, enable ASP.NET in IIS"
Write-Host "  4. Use a benign ASPX that runs: Response.Write(new System.Diagnostics.Process(){...}.StandardOutput.ReadToEnd())"
Write-Host "  5. HTTP request to http://localhost/$ShellName generates authentic w3wp.exe → cmd.exe"
Write-Host ""
Write-Host "For Linux (Apache/nginx) parent chain:" -ForegroundColor DarkGray
Write-Host "  Use companion emulate.sh (spawn bash from httpd/nginx context via PHP)"
Write-Host ""

OSINT Sources

Shodan http.title:"WSO" OR http.title:"b374k" OR http.title:"c99" OR http.title:"FilesMan" OR http.title:"Antak Webshell"

Finds internet-exposed web shells with default page titles intact — common in mass exploitation campaigns where attacker cadence outpaces cleanup. FilesMan and Antak are additional shells frequently left exposed. Also try http.html:"eval(base64_decode" to catch obfuscated PHP shells that render without a recognizable title.

URLScan page.title:"WSO" OR filename:shell.php OR filename:webshell.php OR filename:cmd.aspx

Finds recently scanned pages presenting known webshell UI or common shell filenames; useful for tracking active campaign infrastructure and identifying newly deployed shells before cleanup. Add filenames specific to recent campaigns (e.g., human2.aspx for LEMURLOOT/MOVEit).

VirusTotal Intelligence tag:webshell positives:0 type:text

Requires VT Intelligence subscription. Finds webshell samples currently evading all commercial AV detection — the most dangerous variants in active use. Consistent with ShellForge paper (arXiv 2601.22182) finding 93.9% evasion against commercial engines. Sort by submission date to prioritize the newest evasive variants.

Censys services.http.response.body: "eval(base64_decode" and services.http.response.status_code: 200

Finds web servers returning HTTP 200 responses with the eval(base64_decode PHP obfuscation pattern — a near-universal indicator of a live obfuscated PHP shell. High precision; few legitimate pages contain this pattern. Requires Censys account.

Intel Resources

• ShellForge — Adversarial Co-Evolution of Webshell Generation and Detection — January 2026 paper demonstrating adversarially generated webshells achieve 93.9% evasion rate against VirusTotal commercial engines; validates behavioral (process-creation) detection over file-content scanning; documents invariant functional requirements that survive all obfuscation
• NSA/ASD — Detect and Prevent Web Shell Malware — Foundational April 2020 joint advisory with detection guidance, Splunk queries, Snort rules, and file integrity monitoring recommendations; establishes process parent-child monitoring as the primary behavioral detection approach
• Microsoft — IIS Modules: The Evolution of Web Shells and How to Detect Them — Documents the 2022 shift to fileless IIS native module webshells that bypass file-based detection; explains why w3wp.exe process behavior monitoring remains effective even against DLL-based shells
• MITRE ATT&CK — T1505.003 Server Software Component: Web Shell — Primary technique definition with procedure examples linking to documented threat actor usage; extensive list of APT groups and ransomware operators observed deploying web shells as persistence mechanism
• Microsoft — Web Shell Attacks Continue to Rise — Documents the doubling of web shell detections in 2020-2021; includes monthly detection data and attack vector analysis; establishes process creation monitoring as the most reliable detection approach

Related Chokepoints

Remote Execution Tools (HackTools) HIGH EDR Bypass Techniques CRITICAL