Try it using Invoke-Atomic

Server Software Component: Web Shell

Description from ATT&CK

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW)

In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. China Chopper Web shell client).(Citation: Lee 2013)

Atomic Tests

Atomic Test #1 - Web Shell Written to Disk

This test simulates an adversary leveraging Web Shells by simulating the file modification to disk. Idea from APTSimulator. cmd.aspx source -

Supported Platforms: windows

auto_generated_guid: 0a2ce662-1efa-496f-a472-2fe7b080db16


Name Description Type Default Value
web_shell_path The path to drop the web shell string C:\inetpub\wwwroot
web_shells Path of Web Shell path PathToAtomicsFolder\T1505.003\src

Attack Commands: Run with command_prompt!

xcopy /I /Y "#{web_shells}" #{web_shell_path}

Cleanup Commands:

del #{web_shell_path}\b.jsp /q >nul 2>&1
del #{web_shell_path}\tests.jsp /q >nul 2>&1
del #{web_shell_path}\cmd.aspx /q >nul 2>&1

Dependencies: Run with powershell!

Description: Web shell must exist on disk at specified location (#{web_shells})

Check Prereq Commands:

if (Test-Path "#{web_shells}") {exit 0} else {exit 1}

Get Prereq Commands:

New-Item -Type Directory "#{web_shells}" -ErrorAction ignore | Out-Null
Invoke-WebRequest "" -OutFile "#{web_shells}/b.jsp"
Invoke-WebRequest "" -OutFile "#{web_shells}/tests.jsp"
Invoke-WebRequest "" -OutFile "#{web_shells}/cmd.aspx"