T1505.003

Web Shell

Adversaries install web shells on compromised web servers to maintain persistent access. A web shell is a script (PHP, ASP, ASPX, JSP, etc.) that provides command execution, file upload/download, and network proxying capabilities via HTTP. Web shells are used by dozens of threat groups including APT28, APT39, HAFNIUM, OilRig, GALLIUM, and Sandworm. China Chopper and P.A.S. Webshell are widely-used examples. IcedID, WIREFIRE, and BUSHWALK target specific appliances (Ivanti VPN).

Microsoft Sentinel / Defender

kusto

// T1505.003 — Web Shell detection
// Web shells executed via web server processes spawning OS commands
// Part 1: Detect web server processes spawning shells/utilities (primary web shell signal)
let WebServerProcesses = dynamic(["w3wp.exe", "httpd.exe", "nginx.exe", "php.exe",
                                   "php-cgi.exe", "tomcat.exe", "catalina.exe",
                                   "java.exe", "javaw.exe", "wsgi.py"]);
let SuspiciousChildren = dynamic(["cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                                   "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                                   "bitsadmin.exe", "msiexec.exe", "whoami.exe", "net.exe",
                                   "net1.exe", "ipconfig.exe", "systeminfo.exe", "wmic.exe",
                                   "nltest.exe", "netstat.exe", "ping.exe", "nslookup.exe"]);
let WebShellSpawn = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (WebServerProcesses)
| where FileName has_any (SuspiciousChildren)
| extend DetectionType = "WebServer_Shell_Spawn"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 2: Detect suspicious script files written to web directories
let WebDirPaths = dynamic(["\\inetpub\\", "\\wwwroot\\", "\\htdocs\\",
                            "\\www\\", "\\public_html\\", "\\webapps\\"]);
let WebShellExtensions = dynamic([".asp", ".aspx", ".ashx", ".asmx",
                                   ".php", ".jsp", ".jspx", ".cfm", ".shtml"]);
let WebShellDrop = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (WebDirPaths)
| where FileName has_any (WebShellExtensions)
| where InitiatingProcessFileName !in~ ("w3wp.exe", "httpd.exe", "nginx.exe", "php.exe")
| extend DetectionType = "WebShell_File_Drop"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 3: Detect web shell pattern in IIS logs via network connections from w3wp.exe
let WebShellNetwork = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("w3wp.exe", "php.exe", "php-cgi.exe", "httpd.exe")
| where RemoteIPType == "Public"
| where RemotePort !in (80, 443, 8080, 8443)
| extend DetectionType = "WebServer_External_Connection"
| project Timestamp, DeviceName, AccountName, RemoteIP, RemotePort,
          InitiatingProcessFileName, DetectionType;
union WebShellSpawn, WebShellDrop, WebShellNetwork
| sort by Timestamp desc

critical severity high confidence

Data Sources

Process: Process Creation File: File Creation Network Traffic: Network Connection Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents DeviceNetworkEvents

False Positives

IIS application pools that legitimately use cmd.exe for application integration (rare but exists in legacy systems)
PHP or JSP applications that use exec() or shell_exec() for legitimate system operations (image processing, file conversion)
Legitimate web deployment pipelines (CI/CD) that write files to web directories as part of automated deployment
System administration scripts that run under the IIS application pool identity for configuration management

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval detection_type=case(
    EventCode=1 AND
      match(ParentImage, "(?i)(w3wp|httpd|nginx|php|php-cgi|tomcat|catalina|java|javaw)\.exe") AND
      match(Image, "(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|whoami|net|ipconfig|systeminfo|wmic|nltest|netstat|ping|nslookup)\.exe"),
      "WebServer_Spawned_Shell",
    EventCode=11 AND
      match(TargetFilename, "(?i)(\\\\inetpub|\\\\wwwroot|\\\\htdocs|\\\\www|\\\\webapps)") AND
      match(TargetFilename, "(?i)\\.(asp|aspx|ashx|asmx|php|jsp|jspx|cfm|shtml)$") AND
      NOT match(Image, "(?i)(w3wp|httpd|nginx|php|deploy|publish)\.exe"),
      "WebShell_File_Drop",
    EventCode=3 AND
      match(Image, "(?i)(w3wp|php|php-cgi|httpd)\.exe") AND
      NOT match(DestinationIp, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)") AND
      NOT (DestinationPort=80 OR DestinationPort=443 OR DestinationPort=8080 OR DestinationPort=8443),
      "WebServer_External_Connection",
    true(), null()
  )
| where isnotnull(detection_type)
| eval risk_score=case(
    detection_type="WebServer_Spawned_Shell", 10,
    detection_type="WebShell_File_Drop", 8,
    detection_type="WebServer_External_Connection", 7,
    true(), 5
  )
| table _time, host, User, detection_type, risk_score, Image, CommandLine, TargetFilename,
        DestinationIp, DestinationPort, ParentImage
| sort - risk_score, - _time

critical severity high confidence

Data Sources

Process: Process Creation File: File Creation Network Traffic: Network Connection Sysmon Event ID 1, 3, 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legacy web applications running under IIS that legitimately spawn cmd.exe for system integration
Legitimate file upload functionality writing script files to web directories (requires tuning by file path and initiating process)
CI/CD deployment pipelines writing application files including .php/.aspx to web roots

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [process where event.type == "start"
   and process.parent.name : ("w3wp.exe", "httpd", "nginx", "php", "php-cgi", "php-fpm", "tomcat", "catalina.sh", "java", "javaw.exe", "uwsgi", "gunicorn")
   and process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                        "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
                        "whoami.exe", "net.exe", "net1.exe", "ipconfig.exe", "systeminfo.exe",
                        "wmic.exe", "nltest.exe", "netstat.exe", "ping.exe", "nslookup.exe",
                        "sh", "bash", "dash", "python", "python3", "perl", "ruby", "wget", "curl")]
  [any where true]

OR

file where event.action in ("creation", "overwrite")
  and file.path : ("*/inetpub/*", "*/wwwroot/*", "*/htdocs/*", "*/www/*", "*/public_html/*", "*/webapps/*", "*/var/www/*")
  and file.extension : ("asp", "aspx", "ashx", "asmx", "php", "jsp", "jspx", "cfm", "shtml", "phtml", "php5", "php7")
  and not process.name : ("w3wp.exe", "httpd", "nginx", "php", "deploy", "publish", "msdeploy.exe", "devenv.exe")

OR

network where event.type == "start"
  and process.name : ("w3wp.exe", "php.exe", "php-cgi.exe", "php-fpm", "httpd", "nginx", "java", "javaw.exe")
  and not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")
  and not destination.port in (80, 443, 8080, 8443, 8000, 8888)

critical severity high confidence

Data Sources

Elastic Endpoint Security Auditbeat Winlogbeat with Sysmon Filebeat (IIS/Apache/Nginx access logs)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* logs-endpoint.events.network-* winlogbeat-*

False Positives

Legitimate web application deployments via CI/CD pipelines that copy script files to web directories (e.g., deploying PHP or ASP.NET apps via MSBuild, WebDeploy, or Ansible)
Web server processes that legitimately spawn Java or Python subprocesses as part of application functionality (e.g., Tomcat executing utility scripts, Django management commands)
Security scanners or vulnerability assessment tools that intentionally probe web directories and may trigger file creation events during authenticated scanning sessions

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip,
  username,
  "ParentProcessPath",
  "ProcessPath",
  "CommandLine",
  "FileName",
  "FilePath",
  destinationip,
  destinationport,
  CASE
    WHEN QIDNAME(qid) LIKE '%Process Create%'
      AND ("ParentProcessPath" ILIKE '%w3wp.exe%' OR "ParentProcessPath" ILIKE '%httpd%'
           OR "ParentProcessPath" ILIKE '%nginx%' OR "ParentProcessPath" ILIKE '%php%'
           OR "ParentProcessPath" ILIKE '%tomcat%' OR "ParentProcessPath" ILIKE '%java%')
      AND ("ProcessPath" ILIKE '%cmd.exe%' OR "ProcessPath" ILIKE '%powershell.exe%'
           OR "ProcessPath" ILIKE '%wscript.exe%' OR "ProcessPath" ILIKE '%cscript.exe%'
           OR "ProcessPath" ILIKE '%whoami.exe%' OR "ProcessPath" ILIKE '%net.exe%'
           OR "ProcessPath" ILIKE '%systeminfo.exe%' OR "ProcessPath" ILIKE '%wmic.exe%'
           OR "ProcessPath" ILIKE '%certutil.exe%' OR "ProcessPath" ILIKE '%bitsadmin.exe%'
           OR "ProcessPath" ILIKE '%nltest.exe%' OR "ProcessPath" ILIKE '%mshta.exe%')
      THEN 'WebServer_Spawned_Shell'
    WHEN QIDNAME(qid) LIKE '%File Created%'
      AND ("FilePath" ILIKE '%\inetpub\%' OR "FilePath" ILIKE '%\wwwroot\%'
           OR "FilePath" ILIKE '%\htdocs\%' OR "FilePath" ILIKE '%\webapps\%'
           OR "FilePath" ILIKE '%/var/www/%' OR "FilePath" ILIKE '%/public_html/%')
      AND ("FileName" ILIKE '%.asp' OR "FileName" ILIKE '%.aspx' OR "FileName" ILIKE '%.ashx'
           OR "FileName" ILIKE '%.php' OR "FileName" ILIKE '%.jsp' OR "FileName" ILIKE '%.jspx'
           OR "FileName" ILIKE '%.cfm' OR "FileName" ILIKE '%.shtml')
      AND NOT ("ProcessPath" ILIKE '%w3wp.exe%' OR "ProcessPath" ILIKE '%httpd%'
               OR "ProcessPath" ILIKE '%nginx%' OR "ProcessPath" ILIKE '%msdeploy%')
      THEN 'WebShell_File_Drop'
    WHEN QIDNAME(qid) LIKE '%Network Connection%'
      AND ("ProcessPath" ILIKE '%w3wp.exe%' OR "ProcessPath" ILIKE '%php%'
           OR "ProcessPath" ILIKE '%httpd%' OR "ProcessPath" ILIKE '%nginx%')
      AND NOT (INCIDR(destinationip, '10.0.0.0/8')
               OR INCIDR(destinationip, '172.16.0.0/12')
               OR INCIDR(destinationip, '192.168.0.0/16')
               OR INCIDR(destinationip, '127.0.0.0/8'))
      AND destinationport NOT IN (80, 443, 8080, 8443)
      THEN 'WebServer_External_Connection'
    ELSE NULL
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 40, 143, 382)
  AND starttime > NOW() - 86400 SECONDS
  AND detection_type IS NOT NULL
ORDER BY starttime DESC

critical severity medium confidence

Data Sources

QRadar Sysmon DSM (LOGSOURCETYPEID 382) Microsoft Windows Security Event Log DSM QRadar WinCollect Agent IBM QRadar SIEM

Required Tables

events

False Positives

Automated deployment pipelines where build agents run as or invoke web server processes to copy application files to web directories during release automation
Java-based application servers (JBoss, WebLogic, WebSphere) that legitimately spawn Java child processes or helper utilities as part of normal application operation
Web application firewalls or monitoring agents that run as w3wp.exe child processes and initiate outbound connections to SIEM collectors or threat intelligence feeds on non-standard ports

Sumo Logic CSE

sql

// Web Shell Detection — T1505.003
// Branch 1: Web server spawning command interpreters (Sysmon EventCode 1)
(_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint*)
| parse "EventCode=*" as event_code nodrop
| parse "ParentImage=*\n" as parent_image nodrop
| parse "Image=*\n" as process_image nodrop
| parse "CommandLine=*\n" as command_line nodrop
| parse "Computer=*\n" as host nodrop
| parse "User=*\n" as username nodrop
| where event_code = "1"
| where parent_image matches /(w3wp|httpd|nginx|php|php-cgi|tomcat|catalina|java|javaw)\.exe/
| where process_image matches /(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|whoami|net|ipconfig|systeminfo|wmic|nltest|netstat|ping|nslookup)\.exe/
| "WebServer_Spawned_Shell" as detection_type
| 10 as risk_score
| fields _messagetime, host, username, parent_image, process_image, command_line, detection_type, risk_score

// Branch 2: Web shell file drop (Sysmon EventCode 11)
// Run separately and union results
(_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint*)
| parse "EventCode=*" as event_code nodrop
| parse "TargetFilename=*\n" as target_filename nodrop
| parse "Image=*\n" as process_image nodrop
| parse "Computer=*\n" as host nodrop
| parse "User=*\n" as username nodrop
| where event_code = "11"
| where target_filename matches /(\\inetpub\\|\\wwwroot\\|\\htdocs\\|\\www\\|\\webapps\\|\/var\/www\/|\/public_html\/)/
| where target_filename matches /\.(asp|aspx|ashx|asmx|php|php5|jsp|jspx|cfm|shtml|phtml)$/
| where !(process_image matches /(w3wp|httpd|nginx|php|msdeploy|deploy|devenv)\.exe/)
| "WebShell_File_Drop" as detection_type
| 8 as risk_score
| fields _messagetime, host, username, process_image, target_filename, detection_type, risk_score

// Branch 3: Web server external network connection (Sysmon EventCode 3)
(_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint*)
| parse "EventCode=*" as event_code nodrop
| parse "Image=*\n" as process_image nodrop
| parse "DestinationIp=*\n" as dest_ip nodrop
| parse "DestinationPort=*\n" as dest_port nodrop
| parse "Computer=*\n" as host nodrop
| parse "User=*\n" as username nodrop
| where event_code = "3"
| where process_image matches /(w3wp|php|php-cgi|httpd|nginx)\.exe/
| where !(dest_ip matches /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/)
| where dest_port != "80" and dest_port != "443" and dest_port != "8080" and dest_port != "8443"
| "WebServer_External_Connection" as detection_type
| 7 as risk_score
| fields _messagetime, host, username, process_image, dest_ip, dest_port, detection_type, risk_score

critical severity high confidence

Data Sources

Sumo Logic Windows Collector with Sysmon Sumo Logic Installed Collector (Windows) Sumo Logic Cloud SIEM Enterprise

Required Tables

_sourceCategory=*windows*sysmon* _sourceCategory=*endpoint*

False Positives

Content management systems (WordPress, Drupal, Joomla) that write PHP plugin or theme files to web directories during legitimate plugin installation or auto-update processes
Development web servers where developers actively write and test PHP/ASP scripts directly in the web root through IDE integrations or FTP/SFTP clients
Load balancer health check mechanisms or APM agents that run as web server child processes and make outbound connections to monitoring infrastructure on non-standard ports

Google Chronicle / SecOps

yaral

rule webshell_t1505_003 {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects web shell installation and execution via web server process anomalies: command interpreter spawning, script file drops to web directories, and unexpected outbound connections from web server processes"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1505.003"
    severity = "CRITICAL"
    priority = "HIGH"
    platform = "Windows, Linux"
    false_positives = "CI/CD deployments, legitimate app server subprocess execution"
    version = "1.0"
    created = "2026-04-21"

  events:
    // Branch 1: Web server spawning shell/utility processes
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e1.principal.process.file.full_path, `(?i)(w3wp|httpd|nginx|php|php-cgi|php-fpm|tomcat|catalina|java|javaw)\.exe`) or
        re.regex($e1.target.process.parent_process.file.full_path, `(?i)(w3wp|httpd|nginx|php|php-cgi|php-fpm|tomcat|catalina|java|javaw)\.exe`)
      )
      and re.regex($e1.target.process.file.full_path, `(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|whoami|net|ipconfig|systeminfo|wmic|nltest|netstat|ping|nslookup)\.exe`)
    )
    or
    // Branch 2: Script file creation in web directories by non-web-server processes
    (
      $e1.metadata.event_type = "FILE_CREATION"
      and (
        re.regex($e1.target.file.full_path, `(?i)(\\inetpub\\|\\wwwroot\\|\\htdocs\\|\\www\\|\\webapps\\|/var/www/|/public_html/)`) or
        re.regex($e1.target.file.full_path, `(?i)(\\inetpub|\\wwwroot|\\htdocs|/var/www|/public_html|/webapps)`)
      )
      and re.regex($e1.target.file.full_path, `(?i)\.(asp|aspx|ashx|asmx|php|php5|php7|jsp|jspx|cfm|shtml|phtml)$`)
      and not re.regex($e1.principal.process.file.full_path, `(?i)(w3wp|httpd|nginx|php|msdeploy|devenv|publish)\.exe`)
    )
    or
    // Branch 3: Web server process outbound connection to non-standard external port
    (
      $e1.metadata.event_type = "NETWORK_CONNECTION"
      and re.regex($e1.principal.process.file.full_path, `(?i)(w3wp|php|php-cgi|php-fpm|httpd|nginx|java|javaw)\.exe`)
      and not net.ip_in_range_cidr($e1.target.ip, "10.0.0.0/8")
      and not net.ip_in_range_cidr($e1.target.ip, "172.16.0.0/12")
      and not net.ip_in_range_cidr($e1.target.ip, "192.168.0.0/16")
      and not net.ip_in_range_cidr($e1.target.ip, "127.0.0.0/8")
      and $e1.target.port != 80
      and $e1.target.port != 443
      and $e1.target.port != 8080
      and $e1.target.port != 8443
    )

  condition:
    $e1
}

critical severity high confidence

Data Sources

Google Chronicle SIEM Chronicle Forwarder (Windows Events) Chronicle Forwarder (Linux Auditd) Microsoft Defender for Endpoint via Chronicle ingestion

Required Tables

UDM Events (PROCESS_LAUNCH, FILE_CREATION, NETWORK_CONNECTION)

False Positives

Enterprise Java application servers (JBoss EAP, WebLogic, WebSphere) that legitimately spawn Java utility processes or shell scripts for administrative tasks such as thread dump generation or heap analysis
Web-based IDEs or file managers (phpMyAdmin, Adminer, cPanel File Manager) that write PHP/script files to web directories as part of their normal file editing functionality
Container orchestration health checks where Kubernetes liveness probes cause web server processes to initiate outbound HTTP calls to external endpoints on non-standard ports for service mesh telemetry

CrowdStrike LogScale (CQL)

cql

// T1505.003 Web Shell Detection — CrowdStrike LogScale (Falcon)
// Branch 1: Web server processes spawning command shells
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)(w3wp|httpd|nginx|php|php-cgi|php-fpm|tomcat|catalina|java|javaw)\.exe/
| FileName = /(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|whoami|net|net1|ipconfig|systeminfo|wmic|nltest|netstat|ping|nslookup)\.exe/
| "WebServer_Spawned_Shell" as DetectionType
| 10 as RiskScore
| table([_timeparsed, ComputerName, UserName, ParentBaseFileName, FileName, CommandLine, DetectionType, RiskScore])

// Branch 2: Script files written to web directories
// Run as separate query and merge in investigation
#event_simpleName=PeFileWritten OR #event_simpleName=NewScriptWritten OR #event_simpleName=SuspiciousEmbeddedCode
| TargetFileName = /(?i)(\\inetpub\\|\\wwwroot\\|\\htdocs\\|\\www\\|\\webapps\\|\/var\/www\/|\/public_html\/)/
| TargetFileName = /(?i)\.(asp|aspx|ashx|asmx|php|php5|jsp|jspx|cfm|shtml|phtml)$/
| ParentBaseFileName != /(?i)(w3wp|httpd|nginx|php|msdeploy|devenv|publish)\.exe/
| "WebShell_File_Drop" as DetectionType
| 9 as RiskScore
| table([_timeparsed, ComputerName, UserName, ParentBaseFileName, TargetFileName, DetectionType, RiskScore])

// Branch 3: Web server making unexpected external connections
#event_simpleName=NetworkConnectIP4
| ImageFileName = /(?i)(w3wp|php|php-cgi|php-fpm|httpd|nginx|java|javaw)\.exe/
| RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| RemotePort != "80"
| RemotePort != "443"
| RemotePort != "8080"
| RemotePort != "8443"
| "WebServer_External_Connection" as DetectionType
| 7 as RiskScore
| table([_timeparsed, ComputerName, UserName, ImageFileName, RemoteAddressIP4, RemotePort, DetectionType, RiskScore])

// Aggregated hunting view — identify hosts with multiple detection branches firing
// Combine above branches then aggregate:
// | groupBy([ComputerName, DetectionType], function=[count(as=EventCount), collectDistinct(FileName, as=Processes)])
// | sort(RiskScore, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection CrowdStrike Falcon Insight XDR CrowdStrike Falcon LogScale

Required Tables

ProcessRollup2 PeFileWritten NewScriptWritten NetworkConnectIP4

False Positives

Legitimate web server management scripts invoked via cron or scheduled tasks that run as the web server process context and spawn shell commands for log rotation, certificate renewal (certbot), or maintenance tasks
Application performance monitoring agents (Dynatrace OneAgent, AppDynamics) that inject into JVM/IIS worker processes and establish outbound connections to APM collectors on non-standard ports
Web-based administration panels (Plesk, cPanel, DirectAdmin) that run as web server processes and legitimately write PHP/script files to customer web directories during site provisioning or plugin management operations

Last updated: 2026-04-21 Research depth: deep

References (6)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1505.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1505Server Software Component

Related Sub-techniques

T1505.001SQL Stored Procedures T1505.002Transport Agent T1505.004IIS Components T1505.005Terminal Services DLL T1505.006vSphere Installation Bundles

Web Shell

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections