Home
SIEM use cases
Threats
Web shell installation

How to detect web shell installation

In this page

Understanding the threat

A web shell is a malicious script or program, often written in languages like PHP, ASP.NET, or JSP, that an attacker uploads to a compromised web server. Once installed, it provides a persistent remote interface for executing commands, navigating the file system, and exfiltrating data. Web shells are particularly dangerous because they allow attackers to bypass standard authentication and maintain long-term access by hiding within legitimate web directories.

For enterprises, web shells represent a critical breach of the application layer. They serve as a primary "beachhead" for lateral movement, allowing attackers to pivot from a public-facing server into the internal network, often leading to full environment compromise or ransomware deployment.

Relevant MITRE ATT&CK® mapping

This use case maps to the Persistence and Server Software Component tactics:

TA0003 - Persistence: T1505.003 - Server Software Component: Web Shell: Adversaries may install web shells to maintain persistent access to interactive command-line utilities on a compromised web server.

Scenario

What went wrong

The security team noticed an unusual spike in outbound traffic originating from its primary customer-facing web server. Upon investigation, the team discovered that an attacker had exploited a known unpatched vulnerability in the web application's file upload component. This allowed the attacker to upload a PHP-based web shell into the /images/ directory.

Because the server’s file integrity monitoring was only configured for system binaries and not the web root, the addition of the new script went unnoticed. Furthermore, the web server process was running with excessive privileges, allowing the shell to execute system-level commands. The breach was only detected after the attacker began exfiltrating sensitive database backups via an encrypted tunnel, which finally triggered a generic network anomaly alert.

How web shell installation monitoring helps

Web shell installation monitoring provides proactive defense by focusing on the point of entry and execution. It involves:

File integrity monitoring: By monitoring web directories for the creation of new files or modification of existing scripts, organizations can catch the upload phase of the attack in real time.
Process execution analysis: It identifies suspicious child processes spawned by web server services (like cmd.exe or /bin/sh originating from w3wp.exe or apache2), which is a definitive indicator of web shell activity.

Real-world trends

Exploitation of zero-day vulnerabilities: Modern threat actors, including state-sponsored groups, increasingly use web shells as the immediate follow-up to exploiting zero-day vulnerabilities in popular enterprise software (e.g., Microsoft Exchange or MOVEit) to ensure persistence before patches are applied.
Living-off-the-land integration: Web shells are evolving to be more fileless or highly obfuscated, using built-in system tools and legitimate administrative scripts to carry out commands, making them harder for traditional signature-based antivirus solutions to detect.