Detect Web Shell in Google Chronicle
Adversaries install web shells on compromised web servers to maintain persistent access. A web shell is a script (PHP, ASP, ASPX, JSP, etc.) that provides command execution, file upload/download, and network proxying capabilities via HTTP. Web shells are used by dozens of threat groups, including APT28, APT39, HAFNIUM, OilRig, GALLIUM, and Sandworm. China Chopper and P.A.S. Webshell are widely used examples. IcedID, WIREFIRE, and BUSHWALK target specific appliances (Ivanti VPN).
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1505 Server Software Component
- Sub-technique: T1505.003 Web Shell
- Canonical reference: https://attack.mitre.org/techniques/T1505/003/
YARA-L Detection Query
```
rule webshell_t1505_003 {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects web shell installation and execution via web server process anomalies: command interpreter spawning, script file drops to web directories, and unexpected outbound connections from web server processes"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1505.003"
    severity = "CRITICAL"
    priority = "HIGH"
    platform = "Windows, Linux"
    false_positives = "CI/CD deployments, legitimate app server subprocess execution"
    version = "1.0"
    created = "2026-04-21"

  events:
    // Process-name patterns are anchored to a path separator and to the end of the path,
    // with ".exe" optional: "net" cannot match dotnet.exe, and Linux binaries such as
    // /usr/sbin/nginx still match, which the platform metadata requires.

    // Branch 1: Web server spawning shell/utility processes
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e1.principal.process.file.full_path, `(?i)(^|[\\/])(w3wp|httpd|nginx|php|php-cgi|php-fpm|tomcat|catalina|java|javaw)(\.exe)?$`) or
        re.regex($e1.target.process.parent_process.file.full_path, `(?i)(^|[\\/])(w3wp|httpd|nginx|php|php-cgi|php-fpm|tomcat|catalina|java|javaw)(\.exe)?$`)
      )
      and re.regex($e1.target.process.file.full_path, `(?i)(^|[\\/])(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|whoami|net|ipconfig|systeminfo|wmic|nltest|netstat|ping|nslookup)(\.exe)?$`)
    )
    or
    // Branch 2: Script file creation in web directories by non-web-server processes.
    // The directory name must be delimited by a separator on both sides, so \inetpub_old\
    // does not match; "www" also covers /var/www/.
    (
      $e1.metadata.event_type = "FILE_CREATION"
      and re.regex($e1.target.file.full_path, `(?i)[\\/](inetpub|wwwroot|htdocs|www|webapps|public_html)[\\/]`)
      and re.regex($e1.target.file.full_path, `(?i)\.(asp|aspx|ashx|asmx|php|php5|php7|jsp|jspx|cfm|shtml|phtml)$`)
      and not re.regex($e1.principal.process.file.full_path, `(?i)(^|[\\/])(w3wp|httpd|nginx|php|msdeploy|devenv|publish)(\.exe)?$`)
    )
    or
    // Branch 3: Web server process outbound connection to a non-HTTP port on a public IP
    (
      $e1.metadata.event_type = "NETWORK_CONNECTION"
      and re.regex($e1.principal.process.file.full_path, `(?i)(^|[\\/])(w3wp|php|php-cgi|php-fpm|httpd|nginx|java|javaw)(\.exe)?$`)
      and not net.ip_in_range_cidr($e1.target.ip, "10.0.0.0/8")
      and not net.ip_in_range_cidr($e1.target.ip, "172.16.0.0/12")
      and not net.ip_in_range_cidr($e1.target.ip, "192.168.0.0/16")
      and not net.ip_in_range_cidr($e1.target.ip, "127.0.0.0/8")
      and $e1.target.port != 80
      and $e1.target.port != 443
      and $e1.target.port != 8080
      and $e1.target.port != 8443
    )

  condition:
    $e1
}
```

This Chronicle YARA-L 2.0 rule detects web shell persistence through three behavioural branches over UDM event fields: (1) web server parent processes (IIS w3wp.exe, Apache httpd, nginx, PHP, Java/Tomcat) spawning command interpreters or reconnaissance utilities, indicating web shell execution; (2) files with web-executable extensions being created in web-accessible directories by unexpected processes, indicating a web shell file drop; (3) web server processes making outbound connections to external IPs on non-HTTP/HTTPS ports, indicating a C2 channel through a deployed web shell. Note that branch 2 excludes the web server binaries and deployment tooling as the writing process, so a script written by w3wp.exe itself (for example through an already-running shell) does not fire that branch; such activity is left to branch 1.
False Positives & Tuning
- Enterprise Java application servers (JBoss EAP, WebLogic, WebSphere) that legitimately spawn Java utility processes or shell scripts for administrative tasks such as thread dump generation or heap analysis
- Web-based IDEs or file managers (phpMyAdmin, Adminer, cPanel File Manager) that write PHP/script files to web directories as part of their normal file editing functionality
- Container orchestration health checks where Kubernetes liveness probes cause web server processes to initiate outbound HTTP calls to external endpoints on non-standard ports for service mesh telemetry
Testing Methodology
Validate this detection against the 3 Atomic Red Team tests for this sub-technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simple ASPX Web Shell Drop (Test Environment Only)
  Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename=C:\inetpub\wwwroot\df00tech-test.aspx. When a web request triggers the shell: Sysmon EventCode 1 with ParentImage=w3wp.exe and Image=cmd.exe.
- Test 2: Simulate Web Shell Command Execution (w3wp Spawning cmd)
  Expected signal: Sysmon EventCode 1: cmd.exe spawned by powershell.exe. In a real web shell scenario, ParentImage would be w3wp.exe.
- Test 3: China Chopper Web Shell Pattern Check
  Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename=C:\inetpub\wwwroot\df00tech-cc-test.php and Image=powershell.exe.
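The three rule branches, the tuning for the benign cases listed under False Positives & Tuning, and the expected signals of the three tests, worked through as an added Python example. This is not the page's YARA-L rule and not df00tech's code; it assumes UDM-shaped dicts keyed by the field names the rule reads, a simplified Sysmon-to-UDM mapping (parent process as principal for EventCode 1, writing process as principal for EventCode 11), and hypothetical tuning values (a Runner.Worker.exe deployment agent, a 203.0.113.9:15020 telemetry endpoint). All telemetry is constructed.

```python
import ipaddress
import re

# Python re-implementation (added example, not the page's YARA-L) of the rule's three
# branches. Process-name patterns are anchored to the path separator and the ".exe"
# suffix is optional, so "net" cannot match dotnet.exe and /usr/sbin/nginx still matches.
WEB_SERVER = re.compile(r"(?i)(^|[\\/])(w3wp|httpd|nginx|php|php-cgi|php-fpm|tomcat|catalina|java|javaw)(\.exe)?$")
INTERPRETER = re.compile(r"(?i)(^|[\\/])(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|"
                         r"whoami|net|ipconfig|systeminfo|wmic|nltest|netstat|ping|nslookup)(\.exe)?$")
WEB_DIR = re.compile(r"(?i)[\\/](inetpub|wwwroot|htdocs|www|webapps|public_html)[\\/]")
WEB_EXT = re.compile(r"(?i)\.(asp|aspx|ashx|asmx|php|php5|php7|jsp|jspx|cfm|shtml|phtml)$")
DEPLOY_TOOLS = re.compile(r"(?i)(^|[\\/])(w3wp|httpd|nginx|php|msdeploy|devenv|publish)(\.exe)?$")
PRIVATE_NETS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
HTTP_PORTS = {80, 443, 8080, 8443}


def evaluate(ev, allowed_writers=None, allowed_destinations=frozenset()):
    """Return the branch that fires for one UDM-shaped event dict, or None.

    allowed_writers: compiled regex of deployment agents allowed to write scripts into
    web roots (branch 2 tuning). allowed_destinations: set of (ip, port) a web server
    process may legitimately reach, e.g. service-mesh telemetry (branch 3 tuning).
    """
    kind = ev.get("metadata.event_type")
    principal = ev.get("principal.process.file.full_path", "")
    if kind == "PROCESS_LAUNCH":
        parent = ev.get("target.process.parent_process.file.full_path", "")
        child = ev.get("target.process.file.full_path", "")
        if (WEB_SERVER.search(principal) or WEB_SERVER.search(parent)) and INTERPRETER.search(child):
            return "branch1_web_server_spawns_interpreter"
    elif kind == "FILE_CREATION":
        path = ev.get("target.file.full_path", "")
        if WEB_DIR.search(path) and WEB_EXT.search(path) and not DEPLOY_TOOLS.search(principal):
            if allowed_writers is None or not allowed_writers.search(principal):
                return "branch2_script_drop_in_web_root"
    elif kind == "NETWORK_CONNECTION":
        ip, port = ev.get("target.ip", ""), int(ev.get("target.port", 0))
        if WEB_SERVER.search(principal) and (ip, port) not in allowed_destinations:
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in PRIVATE_NETS) and port not in HTTP_PORTS:
                return "branch3_web_server_outbound_nonhttp"
    return None


def sysmon_to_udm(rec):
    """Map a Sysmon EventCode 1 (ProcessCreate) or 11 (FileCreate) record onto the UDM
    fields the rule reads. Assumed mapping: for EventCode 1 the parent is the principal
    and the new process the target; for EventCode 11 the writing process is the principal."""
    if rec["EventCode"] == 1:
        return {"metadata.event_type": "PROCESS_LAUNCH",
                "principal.process.file.full_path": rec["ParentImage"],
                "target.process.parent_process.file.full_path": rec["ParentImage"],
                "target.process.file.full_path": rec["Image"]}
    if rec["EventCode"] == 11:
        return {"metadata.event_type": "FILE_CREATION",
                "principal.process.file.full_path": rec["Image"],
                "target.file.full_path": rec["TargetFilename"]}
    raise ValueError(f"unsupported EventCode {rec['EventCode']}")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
# Constructed telemetry mirroring the three Atomic tests plus tuning and anchoring cases.
SAMPLE_SYSMON = [
    {"EventCode": 11, "Image": PS, "TargetFilename": r"C:\inetpub\wwwroot\df00tech-test.aspx"},     # Test 1 drop
    {"EventCode": 1, "ParentImage": W3WP, "Image": r"C:\Windows\System32\cmd.exe"},                # Test 1 exec
    {"EventCode": 1, "ParentImage": PS, "Image": r"C:\Windows\System32\cmd.exe"},                  # Test 2 as written
    {"EventCode": 11, "Image": PS, "TargetFilename": r"C:\inetpub\wwwroot\df00tech-cc-test.php"},  # Test 3
    {"EventCode": 1, "ParentImage": W3WP, "Image": r"C:\Program Files\dotnet\dotnet.exe"},         # not "net.exe"
]
SAMPLE_UDM = [sysmon_to_udm(r) for r in SAMPLE_SYSMON] + [
    {"metadata.event_type": "NETWORK_CONNECTION", "principal.process.file.full_path": "/usr/sbin/nginx",
     "target.ip": "203.0.113.5", "target.port": 4444},                                          # branch 3, Linux
    {"metadata.event_type": "NETWORK_CONNECTION", "principal.process.file.full_path": "/usr/sbin/nginx",
     "target.ip": "203.0.113.9", "target.port": 15020},                                         # mesh telemetry
    {"metadata.event_type": "FILE_CREATION", "principal.process.file.full_path": r"C:\agent\Runner.Worker.exe",
     "target.file.full_path": r"C:\inetpub\wwwroot\app\default.aspx"},                         # CI/CD deploy
]
# Hypothetical tuning for the two benign cases above (constructed values, not from the page).
TUNING = {"allowed_writers": re.compile(r"(?i)[\\/]Runner\.Worker\.exe$"),
          "allowed_destinations": frozenset({("203.0.113.9", 15020)})}


def run_detection(events, tuning=None):
    """Evaluate every event; return the branch name per event (None where nothing fires)."""
    return [evaluate(ev, **(tuning or {})) for ev in events]


if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_UDM, run_detection(SAMPLE_UDM, TUNING)):
        print(f"{hit or '-':40} {ev['metadata.event_type']}")
```

Running it shows why Test 2 as written cannot exercise branch 1: its parent is powershell.exe, not a web server process, so it only confirms that EventCode 1 telemetry arrives. The dotnet.exe case shows the value of anchoring the process-name pattern, and the last two events only stay silent because of the tuning; without `TUNING` they fire branch 3 and branch 2 respectively.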
References (6)
- https://attack.mitre.org/techniques/T1505/003/
- https://github.com/nsacyber/Mitigating-Web-Shells
- https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
- https://www.us-cert.gov/ncas/alerts/TA15-314A
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation