Detect Web Shell in Elastic Security
Adversaries install web shells on compromised web servers to maintain persistent access. A web shell is a server-side script (PHP, ASP, ASPX, JSP and similar) that the attacker invokes over HTTP to run operating-system commands, upload and download files, and proxy traffic into the network. Web shells are used by dozens of threat groups, including APT28, APT39, HAFNIUM, OilRig, GALLIUM and Sandworm Team. China Chopper and P.A.S. Webshell are widely used examples; WIREFIRE and BUSHWALK are web shells deployed against specific appliances (Ivanti Connect Secure VPN).
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1505 Server Software Component
- Sub-technique: T1505.003 Web Shell
- Canonical reference: https://attack.mitre.org/techniques/T1505/003/
Elastic Detection Query
The detection is three separate EQL queries, one per signal; deploy them as three rules (EQL has no OR between top-level queries, and a sequence is not needed because each signal is a single event).

Query 1: web server process spawning a command interpreter or reconnaissance utility
process where event.type == "start"
  and process.parent.name : ("w3wp.exe", "httpd", "nginx", "php", "php-cgi", "php-fpm", "tomcat", "catalina.sh", "java", "javaw.exe", "uwsgi", "gunicorn")
  and process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                      "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
                      "whoami.exe", "net.exe", "net1.exe", "ipconfig.exe", "systeminfo.exe",
                      "wmic.exe", "nltest.exe", "netstat.exe", "ping.exe", "nslookup.exe",
                      "sh", "bash", "dash", "python", "python3", "perl", "ruby", "wget", "curl")

Query 2: server-side script written to a web root by something other than the web server or a deployment tool
file where event.action in ("creation", "overwrite")
  and file.path : ("?:\\inetpub\\*", "?:\\*\\wwwroot\\*", "*/inetpub/*", "*/wwwroot/*", "*/htdocs/*", "*/www/*", "*/public_html/*", "*/webapps/*", "*/var/www/*")
  and file.extension : ("asp", "aspx", "ashx", "asmx", "php", "jsp", "jspx", "cfm", "shtml", "phtml", "php5", "php7")
  and not process.name : ("w3wp.exe", "httpd", "nginx", "php", "deploy", "publish", "msdeploy.exe", "devenv.exe")

Query 3: web server process connecting to a public address on a non-web port
network where event.type == "start"
  and process.name : ("w3wp.exe", "php.exe", "php-cgi.exe", "php-fpm", "httpd", "nginx", "java", "javaw.exe")
  and not cidrMatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")
  and not destination.port in (80, 443, 8080, 8443, 8000, 8888)

Detects web shell activity via three complementary signals: (1) web server processes spawning command interpreters or reconnaissance utilities, indicating a web shell executing OS commands; (2) suspicious script files written to web-accessible directories by non-web-server processes, indicating web shell file drops; (3) web server processes making outbound connections to non-standard external ports, indicating C2 beaconing or data exfiltration through a deployed web shell. Two caveats: on Windows, file.path is recorded with backslashes, so the path patterns must use escaped backslashes (a forward-slash pattern such as "*/inetpub/*" never matches C:\inetpub\wwwroot); and the third signal is the weakest on its own, since a web shell that only proxies to internal hosts, or that beacons over 443, never matches it, so treat it as corroboration for the first two rather than as a standalone alert.
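To show what the three queries actually match, here is the same logic as a small Python evaluator run over a handful of ECS-style events. This is an added example, not the page's or Elastic's own code: the field names follow ECS, the match lists are copied from the queries above, and every sample event (host names, the 203.0.113.10 address, the file paths) is constructed for illustration. It reproduces the queries' case-insensitive matching, the Windows-versus-POSIX path handling, the deployment-tool exclusion and the private-range check, and it includes the Test 2 case from the testing section, where the parent is PowerShell rather than the web server, to show that that simulation does not fire the process signal.

```python
"""Reference implementation of the three web-shell signals above, evaluated over
constructed ECS-style events (added example; not the page's or Elastic's code)."""
import ipaddress
from pathlib import PurePosixPath, PureWindowsPath

# Match lists taken from the three queries. EQL ':' compares case-insensitively, so values are lower-cased.
WEB_SERVERS = {"w3wp.exe", "httpd", "nginx", "php", "php-cgi", "php-fpm", "tomcat",
               "catalina.sh", "java", "javaw.exe", "uwsgi", "gunicorn"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
                "whoami.exe", "net.exe", "net1.exe", "ipconfig.exe", "systeminfo.exe",
                "wmic.exe", "nltest.exe", "netstat.exe", "ping.exe", "nslookup.exe",
                "sh", "bash", "dash", "python", "python3", "perl", "ruby", "wget", "curl"}
WEB_DIRS = {"inetpub", "wwwroot", "htdocs", "www", "public_html", "webapps"}
SCRIPT_EXT = {"asp", "aspx", "ashx", "asmx", "php", "jsp", "jspx", "cfm", "shtml", "phtml", "php5", "php7"}
DEPLOY_OR_SERVER = {"w3wp.exe", "httpd", "nginx", "php", "deploy", "publish", "msdeploy.exe", "devenv.exe"}
NET_PROCS = {"w3wp.exe", "php.exe", "php-cgi.exe", "php-fpm", "httpd", "nginx", "java", "javaw.exe"}
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]
STANDARD_PORTS = {80, 443, 8080, 8443, 8000, 8888}

def get(ev, dotted, default=None):
    """Look up a dotted ECS field such as 'process.parent.name' in a nested dict."""
    cur = ev
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur

def lower(ev, field):
    return (get(ev, field) or "").lower()

def dir_components(path):
    """Directory names of a Windows or POSIX path, lower-cased, file name excluded."""
    cls = PureWindowsPath if "\\" in path else PurePosixPath
    return {p.strip("\\/").lower() for p in cls(path).parts[:-1]}

def signal_web_server_spawn(ev):
    """Signal 1: a web server process starts a shell or reconnaissance utility."""
    return (get(ev, "event.category") == "process" and get(ev, "event.type") == "start"
            and lower(ev, "process.parent.name") in WEB_SERVERS
            and lower(ev, "process.name") in INTERPRETERS)

def signal_script_drop(ev):
    """Signal 2: a server-side script lands in a web root, not written by the server or a deploy tool."""
    if get(ev, "event.category") != "file" or get(ev, "event.action") not in ("creation", "overwrite"):
        return False
    return (bool(dir_components(get(ev, "file.path") or "") & WEB_DIRS)
            and lower(ev, "file.extension") in SCRIPT_EXT
            and lower(ev, "process.name") not in DEPLOY_OR_SERVER)

def signal_outbound_nonstd(ev):
    """Signal 3: a web server process connects to a public address on a non-web port."""
    if get(ev, "event.category") != "network" or get(ev, "event.type") != "start":
        return False
    if lower(ev, "process.name") not in NET_PROCS:
        return False
    try:
        dst = ipaddress.ip_address(get(ev, "destination.ip"))
    except ValueError:
        return False  # missing or malformed address: cannot evaluate, so no alert
    if any(dst in net for net in PRIVATE):
        return False
    return get(ev, "destination.port") not in STANDARD_PORTS

SIGNALS = {"web_server_spawn": signal_web_server_spawn, "script_drop": signal_script_drop,
           "outbound_nonstd": signal_outbound_nonstd}

def evaluate(events):
    """Return (host.id, signal, process.name) for every event that matches a signal."""
    return [(get(ev, "host.id"), name, get(ev, "process.name"))
            for ev in events for name, fn in SIGNALS.items() if fn(ev)]

# Constructed sample telemetry, not real logs. event.category is a plain string here; real ECS uses an array.
def proc(host, parent, name):
    return {"host": {"id": host}, "event": {"category": "process", "type": "start"},
            "process": {"name": name, "parent": {"name": parent}}}

def file_write(host, path, ext, by):
    return {"host": {"id": host}, "event": {"category": "file", "action": "creation"},
            "file": {"path": path, "extension": ext}, "process": {"name": by}}

def conn(host, name, ip, port):
    return {"host": {"id": host}, "event": {"category": "network", "type": "start"},
            "process": {"name": name}, "destination": {"ip": ip, "port": port}}

SAMPLE_EVENTS = [
    proc("web01", "w3wp.exe", "cmd.exe"),            # IIS worker spawns a shell: hit
    proc("web01", "powershell.exe", "cmd.exe"),      # Test 2 in the testing section: parent is not a web server, no hit
    file_write("web01", r"C:\inetpub\wwwroot\df00tech-test.aspx", "aspx", "powershell.exe"),  # hit
    file_write("web01", r"C:\inetpub\wwwroot\app.aspx", "aspx", "msdeploy.exe"),  # deploy tool, no hit
    file_write("web02", "/var/www/html/shell.php", "php", "bash"),  # hit
    conn("web01", "w3wp.exe", "203.0.113.10", 4444),  # public address, odd port: hit
    conn("web01", "w3wp.exe", "203.0.113.10", 443),   # standard port, no hit
    conn("web01", "w3wp.exe", "10.1.2.3", 4444),      # private range, no hit
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints four hits (the w3wp.exe to cmd.exe spawn, the two script drops, and the outbound connection on port 4444) and nothing for the other four events, which is the behaviour to expect from the three rules on the same telemetry.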
Data Sources
Required Tables
False Positives & Tuning
- Legitimate web application deployments via CI/CD pipelines that copy script files to web directories (e.g., deploying PHP or ASP.NET apps via MSBuild, WebDeploy, or Ansible)
- Web server processes that legitimately spawn Java or Python subprocesses as part of application functionality (e.g., Tomcat executing utility scripts, Django management commands)
- Security scanners or vulnerability assessment tools that intentionally probe web directories and may trigger file creation events during authenticated scanning sessions
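As an added example (not the page's own rule text), here is how the first two tuning items can be written as scoped exceptions in the file and process queries. Each exclusion is narrowed to a tool plus the account or command line it legitimately runs under rather than to a process name alone, so a web shell that launches the same binary still fires. The svc_deploy account, the msbuild.exe/rsync tool names and the /opt/tomcat/bin path are assumed values to be replaced with your environment's own.

```eql
// Tuned file-drop query. CI/CD deployments are excluded only when the
// deployment tool runs as the pipeline's service account (svc_deploy is an
// assumed name). Excluding by process name alone would let a web shell
// dropped by a renamed binary through.
file where event.action in ("creation", "overwrite")
  and file.path : ("?:\\inetpub\\wwwroot\\*", "/var/www/*", "*/webapps/*")
  and file.extension : ("asp", "aspx", "ashx", "asmx", "php", "jsp", "jspx", "cfm", "shtml", "phtml", "php5", "php7")
  and not process.name : ("w3wp.exe", "httpd", "nginx", "php")
  and not (process.name : ("msdeploy.exe", "msbuild.exe", "rsync") and user.name : "svc_deploy")

// Tuned process query. Tomcat utility scripts are excluded by their full
// command line, not by parent name alone, so "sh -c whoami" launched through
// a web shell under the same java parent still fires (/opt/tomcat/bin is an
// assumed install location).
process where event.type == "start"
  and process.parent.name : ("w3wp.exe", "httpd", "nginx", "php-fpm", "tomcat", "java", "gunicorn", "uwsgi")
  and process.name : ("cmd.exe", "powershell.exe", "sh", "bash", "python3", "whoami.exe", "net.exe", "curl", "wget")
  and not (process.parent.name : "java" and process.command_line : "/bin/sh /opt/tomcat/bin/*.sh")
```

When adding an exception, check it against the original alert volume before and after: an exclusion that removes more than the known-benign source is too broad.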
Other platforms for T1505.003
Testing Methodology
Validate this detection against three Atomic Red Team tests for T1505.003. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simple ASPX Web Shell Drop (Test Environment Only)
Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename=C:\inetpub\wwwroot\df00tech-test.aspx (the file-drop signal; it only fires if the process that writes the file is not one of the excluded web server or deployment binaries). When a web request triggers the shell: Sysmon EventCode 1 with ParentImage=w3wp.exe and Image=cmd.exe (the process-spawn signal).
- Test 2: Simulate Web Shell Command Execution (w3wp Spawning cmd)
Expected signal: Sysmon EventCode 1: cmd.exe spawned by powershell.exe. In a real web shell scenario, ParentImage would be w3wp.exe. Because the process query keys on the parent name, this simulation by itself does not fire the rule; it validates that process-creation telemetry with parent/child lineage is being collected, and only Test 1 exercises the w3wp.exe parent condition.
- Test 3: China Chopper Web Shell Pattern Check
Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename=C:\inetpub\wwwroot\df00tech-cc-test.php and Image=powershell.exe (the file-drop signal; powershell.exe is not in the exclusion list, so the write should alert).
References (6)
- https://attack.mitre.org/techniques/T1505/003/
- https://github.com/nsacyber/Mitigating-Web-Shells
- https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
- https://www.us-cert.gov/ncas/alerts/TA15-314A
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation