T1051 IBM QRadar · QRadar

Detect Shared Webroot in IBM QRadar

Adversaries may add malicious content to an internally accessible website through an open network file share that contains the website's webroot or web content directory. By writing a malicious script (PHP, ASPX, JSP, etc.) to the shared webroot and then browsing to it, the adversary causes the web server process to execute the content — typically resulting in a webshell. This technique enables lateral movement to the system running the web server, as the code runs under the web server process context (IIS, Apache, nginx) which may have local system or administrative privileges. The attack chain: (1) discover open share pointing to webroot, (2) write malicious web script via SMB, (3) trigger execution via HTTP request. This technique has been deprecated by MITRE but the underlying behavior remains operationally relevant as a webshell deployment vector.

MITRE ATT&CK

Tactic
Lateral Movement
Canonical reference
https://attack.mitre.org/techniques/T1051/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  CATEGORYNAME(category) AS Category,
  username AS Actor,
  eventid,
  "TargetFilename" AS TargetFile,
  "Image" AS ChildProcess,
  "ParentImage" AS ParentProcess,
  "CommandLine" AS CommandLine,
  "ShareName" AS ShareName,
  CASE
    WHEN eventid = 11 THEN 'WebRootFileDrop'
    WHEN eventid = 1  THEN 'WebShellChildProcess'
    WHEN eventid = 5140 THEN 'WebRootShareAccess'
    ELSE 'Unknown'
  END AS DetectionBranch
FROM events
WHERE
  devicetime > NOW() - 86400000
  AND (
    logsourcename(logsourceid) ILIKE '%sysmon%'
    OR logsourcename(logsourceid) ILIKE '%windows security%'
    OR LOGSOURCETYPEID(logsourceid) IN (73, 260)
  )
  AND (
    -- Branch 1: Sysmon EID 11 - File creation in webroot with script extension
    (
      eventid = 11
      AND (
        "TargetFilename" ILIKE '%\\inetpub\\wwwroot\\%'
        OR "TargetFilename" ILIKE '%\\xampp\\htdocs\\%'
        OR "TargetFilename" ILIKE '%\\wamp\\www\\%'
        OR "TargetFilename" ILIKE '%\\wamp64\\www\\%'
        OR "TargetFilename" ILIKE '%\\Apache24\\htdocs\\%'
        OR "TargetFilename" ILIKE '%\\nginx\\html\\%'
        OR "TargetFilename" ILIKE '%\\tomcat\\webapps\\%'
        OR "TargetFilename" ILIKE '%\\www\\html\\%'
      )
      AND (
        "TargetFilename" ILIKE '%.php'
        OR "TargetFilename" ILIKE '%.php5'
        OR "TargetFilename" ILIKE '%.phtml'
        OR "TargetFilename" ILIKE '%.asp'
        OR "TargetFilename" ILIKE '%.aspx'
        OR "TargetFilename" ILIKE '%.ashx'
        OR "TargetFilename" ILIKE '%.jsp'
        OR "TargetFilename" ILIKE '%.jspx'
        OR "TargetFilename" ILIKE '%.cfm'
        OR "TargetFilename" ILIKE '%.cgi'
        OR "TargetFilename" ILIKE '%.shtml'
      )
    )
    OR
    -- Branch 2: Sysmon EID 1 - Web server spawning suspicious child process
    (
      eventid = 1
      AND (
        "ParentImage" ILIKE '%\\w3wp.exe'
        OR "ParentImage" ILIKE '%\\httpd.exe'
        OR "ParentImage" ILIKE '%\\nginx.exe'
        OR "ParentImage" ILIKE '%\\php-cgi.exe'
        OR "ParentImage" ILIKE '%\\php-win.exe'
        OR "ParentImage" ILIKE '%\\java.exe'
        OR "ParentImage" ILIKE '%\\iisexpress.exe'
        OR "ParentImage" ILIKE '%tomcat%.exe'
      )
      AND (
        "Image" ILIKE '%\\cmd.exe'
        OR "Image" ILIKE '%\\powershell.exe'
        OR "Image" ILIKE '%\\pwsh.exe'
        OR "Image" ILIKE '%\\wscript.exe'
        OR "Image" ILIKE '%\\cscript.exe'
        OR "Image" ILIKE '%\\mshta.exe'
        OR "Image" ILIKE '%\\net.exe'
        OR "Image" ILIKE '%\\net1.exe'
        OR "Image" ILIKE '%\\whoami.exe'
        OR "Image" ILIKE '%\\ipconfig.exe'
        OR "Image" ILIKE '%\\systeminfo.exe'
        OR "Image" ILIKE '%\\nltest.exe'
        OR "Image" ILIKE '%\\certutil.exe'
        OR "Image" ILIKE '%\\bitsadmin.exe'
        OR "Image" ILIKE '%\\rundll32.exe'
        OR "Image" ILIKE '%\\regsvr32.exe'
      )
    )
    OR
    -- Branch 3: Security EID 5140 - SMB share access to webroot share
    (
      eventid = 5140
      AND (
        "ShareName" ILIKE '%wwwroot%'
        OR "ShareName" ILIKE '%htdocs%'
        OR "ShareName" ILIKE '%webroot%'
        OR "ShareName" ILIKE '%webapps%'
      )
    )
  )
ORDER BY devicetime DESC
high severity medium confidence

Three-branch AQL detection for T1051 Shared Webroot targeting QRadar environments with Sysmon and Windows Security Event Log sources. Branch 1 uses Sysmon EventID 11 (FileCreate) to detect web-script files dropped into known webroot directories. Branch 2 uses Sysmon EventID 1 (ProcessCreate) to detect web server processes (w3wp.exe, httpd.exe, nginx.exe, java.exe/Tomcat) spawning interpreter or reconnaissance utilities indicative of webshell execution. Branch 3 uses Windows Security EventID 5140 (Network Share Object Accessed) to detect SMB access to shares named after common webroot paths. Requires Sysmon custom properties (TargetFilename, Image, ParentImage, CommandLine, ShareName) to be parsed as QRadar custom properties or via DSM extension.

Data Sources

Microsoft Windows Security Event Log (QRadar LOGSOURCETYPEID 73)Sysmon via Windows Event Log (QRadar LOGSOURCETYPEID 260)

Required Tables

events

False Positives & Tuning

  • Legitimate SMB-based deployment tools writing application files to webroot shares — EventID 5140 will fire on any authenticated access to a share whose name contains 'wwwroot' regardless of write intent; correlate with a subsequent EventID 4663 (file write) to reduce noise
  • Scheduled maintenance scripts running under service accounts that periodically update CMS plugin files in the webroot — tune by whitelisting known deployer account SIDs and scheduled maintenance windows
  • Java application servers (Tomcat, JBoss) legitimately spawning child java.exe processes for JSP compilation or scheduled tasks — the Parent/Child java→java pattern is benign; focus detection on java.exe spawning cmd.exe or PowerShell specifically
Download portable Sigma rule (.yml)

Other platforms for T1051

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Drop PHP Webshell via SMB Network Share to Webroot

    Expected signal: Windows Security Event ID 5140: Network share \\TARGET_WEBSERVER\wwwroot accessed from source workstation. Windows Security Event ID 4624: Network logon (Type 3) to TARGET_WEBSERVER using webadmin credentials. Sysmon Event ID 11 on TARGET_WEBSERVER: FileCreate for df00tech-test-shell.php in C:\inetpub\wwwroot\, InitiatingProcess will be System (SMB kernel write). DeviceFileEvents on TARGET_WEBSERVER: FileCreated for df00tech-test-shell.php with folder path containing wwwroot.

  2. Test 2Trigger Webshell Execution via HTTP GET Request

    Expected signal: Sysmon Event ID 1 on TARGET_WEBSERVER: Process Create where ParentImage is php-cgi.exe (or w3wp.exe for ASPX), Image is cmd.exe or whoami.exe, CommandLine contains 'whoami'. DeviceProcessEvents: InitiatingProcessFileName=php-cgi.exe spawning FileName=cmd.exe. IIS access log entry for GET /df00tech-test-shell.php with query string cmd=whoami, HTTP 200 response.

  3. Test 3Drop ASPX Webshell to IIS Webroot via Local File Copy

    Expected signal: Sysmon Event ID 11: FileCreate for df00tech-test-shell.aspx in C:\inetpub\wwwroot\, InitiatingProcess=cmd.exe. DeviceFileEvents: FileCreated, FileName=df00tech-test-shell.aspx, FolderPath=C:\inetpub\wwwroot\, InitiatingProcessFileName=cmd.exe. Security Event ID 4663 if object-level SACL auditing is configured on the wwwroot directory.

  4. Test 4Enumerate Accessible Webroot Network Shares

    Expected signal: Windows Security Event ID 5140 on TARGET_WEBSERVER: Network share \\TARGET_WEBSERVER\wwwroot accessed. Windows Security Event ID 5156: Windows Filtering Platform allowed inbound connection on port 445. Sysmon Event ID 3 on attacker host: outbound network connection to TARGET_WEBSERVER:445. Windows Security Event ID 4624: Type 3 (Network) logon to TARGET_WEBSERVER.

  5. Test 5PHP File Drop Simulating CMS Plugin Install Gone Wrong

    Expected signal: Sysmon Event ID 11: FileCreate for df00tech-update.php in C:\inetpub\wwwroot\uploads\, InitiatingProcess=powershell.exe. DeviceFileEvents: FileCreated, FileName=df00tech-update.php, FolderPath=C:\inetpub\wwwroot\uploads\, InitiatingProcessFileName=powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with Set-Content command writing PHP content.

Last updated: 2026-04-17 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1051 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1505.003Web ShellT1021.002SMB/Windows Admin SharesT1080Taint Shared ContentT1505Server Software ComponentT1190Exploit Public-Facing ApplicationT1078Valid AccountsT1560Archive Collected DataT1071.001Web ProtocolsT1059.004Unix Shell

Same Tactic: Lateral Movement

Popular Detections