Detect Shared Webroot in Microsoft Sentinel
Adversaries may add malicious content to an internally accessible website through an open network file share that contains the website's webroot or web content directory. By writing a malicious script (PHP, ASPX, JSP, etc.) to the shared webroot and then browsing to it, the adversary causes the web server process to execute the content — typically resulting in a webshell. This technique enables lateral movement to the system running the web server, as the code runs under the web server process context (IIS, Apache, nginx) which may have local system or administrative privileges. The attack chain: (1) discover open share pointing to webroot, (2) write malicious web script via SMB, (3) trigger execution via HTTP request. This technique has been deprecated by MITRE but the underlying behavior remains operationally relevant as a webshell deployment vector.
MITRE ATT&CK
- Tactic
- Lateral Movement
- Canonical reference
- https://attack.mitre.org/techniques/T1051/
KQL Detection Query
let WebRootPaths = dynamic([
"\\inetpub\\wwwroot\\",
"\\inetpub\\wwwroot",
"\\xampp\\htdocs\\",
"\\wamp\\www\\",
"\\wamp64\\www\\",
"\\Apache24\\htdocs\\",
"\\nginx\\html\\",
"\\tomcat\\webapps\\",
"\\jetty\\webapps\\",
"\\www\\html\\",
"\\web\\wwwroot\\"
]);
let WebScriptExtensions = dynamic([
".php", ".php5", ".php7", ".phtml",
".asp", ".aspx", ".ashx", ".asmx",
".jsp", ".jspx",
".cfm", ".cfml",
".pl", ".cgi",
".shtml"
]);
let WebServerProcesses = dynamic([
"w3wp.exe", "httpd.exe", "nginx.exe",
"php.exe", "php-cgi.exe", "php-win.exe",
"tomcat.exe", "tomcat9.exe", "java.exe",
"iisexpress.exe", "UMWorkerProcess.exe"
]);
// Branch 1: Script files written to known web root directories
let WebRootFileDrops = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FolderPath has_any (WebRootPaths)
| where FileName has_any (WebScriptExtensions)
| where not (InitiatingProcessFileName in~ ("w3wp.exe", "httpd.exe", "nginx.exe",
"MicrosoftEdgeUpdate.exe", "msiexec.exe", "TrustedInstaller.exe"))
| extend DetectionBranch = "WebRootFileDrop"
| project Timestamp, DeviceName, AccountName, ActionType,
FolderPath, FileName, InitiatingProcessFileName,
InitiatingProcessCommandLine, InitiatingProcessAccountName,
DetectionBranch;
// Branch 2: Web server process spawning suspicious child processes (webshell execution)
let WebShellExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (WebServerProcesses)
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
"cscript.exe", "mshta.exe", "net.exe", "net1.exe",
"whoami.exe", "ipconfig.exe", "systeminfo.exe",
"nltest.exe", "certutil.exe", "bitsadmin.exe",
"rundll32.exe", "regsvr32.exe", "msiexec.exe")
| extend DetectionBranch = "WebShellChildProcess"
| project Timestamp, DeviceName, AccountName, FileName,
ProcessCommandLine, InitiatingProcessFileName,
InitiatingProcessCommandLine, InitiatingProcessAccountName,
DetectionBranch;
// Union both branches
WebRootFileDrops
| union WebShellExecution
| sort by Timestamp descDetects shared webroot abuse via two complementary branches. Branch 1 monitors DeviceFileEvents for web script files (PHP, ASPX, JSP, ASP, etc.) written to known webroot directories by non-web-server processes — the file drop phase of the attack. Branch 2 monitors DeviceProcessEvents for web server processes (w3wp.exe, httpd.exe, php-cgi.exe, etc.) spawning command interpreters or reconnaissance utilities — the execution phase indicating a webshell was triggered. Together, these branches cover the full attack lifecycle: write via network share, then browse to execute.
Data Sources
Required Tables
False Positives & Tuning
- Web developers deploying code directly to a local development server's webroot via IDE or build tool processes
- Deployment pipelines (Jenkins, Octopus Deploy, Azure DevOps agents) writing application files to IIS or Apache webroots
- CMS platforms (WordPress, Drupal, Joomla) that write PHP files as part of plugin installation — w3wp.exe or php.exe creating child PHP files is expected
- Web application frameworks that compile views or generate dynamic ASPX handlers at runtime
- IIS application pool worker processes launching legitimate monitoring scripts (health check endpoints that exec system commands)
- Apache/nginx spawning CGI scripts as part of expected application behavior (e.g., Nagios NRPE, Cacti)
Other platforms for T1051
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Drop PHP Webshell via SMB Network Share to Webroot
Expected signal: Windows Security Event ID 5140: Network share \\TARGET_WEBSERVER\wwwroot accessed from source workstation. Windows Security Event ID 4624: Network logon (Type 3) to TARGET_WEBSERVER using webadmin credentials. Sysmon Event ID 11 on TARGET_WEBSERVER: FileCreate for df00tech-test-shell.php in C:\inetpub\wwwroot\, InitiatingProcess will be System (SMB kernel write). DeviceFileEvents on TARGET_WEBSERVER: FileCreated for df00tech-test-shell.php with folder path containing wwwroot.
- Test 2Trigger Webshell Execution via HTTP GET Request
Expected signal: Sysmon Event ID 1 on TARGET_WEBSERVER: Process Create where ParentImage is php-cgi.exe (or w3wp.exe for ASPX), Image is cmd.exe or whoami.exe, CommandLine contains 'whoami'. DeviceProcessEvents: InitiatingProcessFileName=php-cgi.exe spawning FileName=cmd.exe. IIS access log entry for GET /df00tech-test-shell.php with query string cmd=whoami, HTTP 200 response.
- Test 3Drop ASPX Webshell to IIS Webroot via Local File Copy
Expected signal: Sysmon Event ID 11: FileCreate for df00tech-test-shell.aspx in C:\inetpub\wwwroot\, InitiatingProcess=cmd.exe. DeviceFileEvents: FileCreated, FileName=df00tech-test-shell.aspx, FolderPath=C:\inetpub\wwwroot\, InitiatingProcessFileName=cmd.exe. Security Event ID 4663 if object-level SACL auditing is configured on the wwwroot directory.
- Test 4Enumerate Accessible Webroot Network Shares
Expected signal: Windows Security Event ID 5140 on TARGET_WEBSERVER: Network share \\TARGET_WEBSERVER\wwwroot accessed. Windows Security Event ID 5156: Windows Filtering Platform allowed inbound connection on port 445. Sysmon Event ID 3 on attacker host: outbound network connection to TARGET_WEBSERVER:445. Windows Security Event ID 4624: Type 3 (Network) logon to TARGET_WEBSERVER.
- Test 5PHP File Drop Simulating CMS Plugin Install Gone Wrong
Expected signal: Sysmon Event ID 11: FileCreate for df00tech-update.php in C:\inetpub\wwwroot\uploads\, InitiatingProcess=powershell.exe. DeviceFileEvents: FileCreated, FileName=df00tech-update.php, FolderPath=C:\inetpub\wwwroot\uploads\, InitiatingProcessFileName=powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with Set-Content command writing PHP content.
References (10)
- https://attack.mitre.org/techniques/T1051/
- https://www.webroot.com/blog/2011/02/22/malicious-php-scripts-on-the-rise/
- http://httpd.apache.org/docs/2.4/getting-started.html#content
- https://capec.mitre.org/data/definitions/563.html
- https://learn.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140
- https://www.sans.org/reading-room/whitepapers/webserv/detecting-web-shells-33156
- https://www.cisa.gov/news-events/alerts/2021/02/10/cisa-er21-02-01-remediating-microsoft-exchange-vulnerabilities
Unlock Pro Content
Get the full detection package for T1051 including response playbook, investigation guide, and atomic red team tests.