Detect Web Shell in CrowdStrike LogScale
Adversaries install web shells on compromised web servers to maintain persistent access. A web shell is a script (PHP, ASP, ASPX, JSP, etc.) placed in a web-accessible directory that gives the attacker command execution, file upload/download, and network proxying over ordinary HTTP requests, so its traffic blends in with legitimate web activity. Web shells are used by dozens of threat groups including APT28, APT39, HAFNIUM, OilRig, GALLIUM, and Sandworm. China Chopper and P.A.S. Webshell are widely used examples; WIREFIRE and BUSHWALK are web shells written for a specific appliance (Ivanti Connect Secure VPN).
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1505 Server Software Component
- Sub-technique: T1505.003 Web Shell
- Canonical reference: https://attack.mitre.org/techniques/T1505/003/
LogScale Detection Query
// T1505.003 Web Shell Detection — CrowdStrike LogScale (Falcon)
// Branch 1: Web server processes spawning command shells.
// Regexes are anchored (^...$) so that, for example, dotnet.exe cannot match "net.exe",
// and the ".exe" suffix is optional so Linux daemons (httpd, nginx, php-fpm) match too.
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /^(w3wp|httpd|nginx|php|php-cgi|php-fpm|tomcat|catalina|java|javaw)(\.exe)?$/i
| FileName = /^(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|whoami|net|net1|ipconfig|systeminfo|wmic|nltest|netstat|ping|nslookup|sh|bash)(\.exe)?$/i
| DetectionType := "WebServer_Spawned_Shell"
| RiskScore := 10
| table([@timestamp, ComputerName, UserName, ParentBaseFileName, FileName, CommandLine, DetectionType, RiskScore])
// Branch 2: Script files written to web directories by a process that is neither the
// web server nor a known deployment tool. Falcon file-write events carry the writing
// process in ContextBaseFileName (ParentBaseFileName belongs to process events).
// Run as a separate query and merge in investigation.
(#event_simpleName=NewScriptWritten OR #event_simpleName=PeFileWritten OR #event_simpleName=SuspiciousEmbeddedCode)
| TargetFileName = /(\\inetpub\\|\\wwwroot\\|\\htdocs\\|\\www\\|\\webapps\\|\/var\/www\/|\/public_html\/)/i
| TargetFileName = /\.(asp|aspx|ashx|asmx|php|php5|jsp|jspx|cfm|shtml|phtml)$/i
| ContextBaseFileName != /^(w3wp|httpd|nginx|php|msdeploy|devenv|publish)(\.exe)?$/i
| DetectionType := "WebShell_File_Drop"
| RiskScore := 9
| table([@timestamp, ComputerName, UserName, ContextBaseFileName, TargetFileName, DetectionType, RiskScore])
// Branch 3: Web server processes making outbound connections to non-private IPs on
// ports other than HTTP/HTTPS. ConnectionDirection=0 is outbound; ImageFileName is a
// full path, so the process name is matched at the end of the string.
#event_simpleName=NetworkConnectIP4
| ConnectionDirection=0
| ImageFileName = /[\\\/](w3wp|php|php-cgi|php-fpm|httpd|nginx|java|javaw)(\.exe)?$/i
| !cidr(field=RemoteAddressIP4, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16"])
| !in(RemotePort, values=["80", "443", "8080", "8443"])
| DetectionType := "WebServer_External_Connection"
| RiskScore := 7
| table([@timestamp, ComputerName, UserName, ImageFileName, RemoteAddressIP4, RemotePort, DetectionType, RiskScore])
// Aggregated hunting view: wrap the three branch filters (without their table() calls)
// in case{} so a single query emits every DetectionType, then rank hosts on which more
// than one branch fires:
// case { <branch 1 filters> | DetectionType := "WebServer_Spawned_Shell" | RiskScore := 10;
//        <branch 2 filters> | DetectionType := "WebShell_File_Drop" | RiskScore := 9;
//        <branch 3 filters> | DetectionType := "WebServer_External_Connection" | RiskScore := 7 }
// | groupBy([ComputerName], function=[count(as=EventCount), count(DetectionType, distinct=true, as=Branches), collect([DetectionType]), max(RiskScore, as=MaxRisk)])
// | sort([Branches, MaxRisk], order=desc)

This CrowdStrike LogScale (Falcon) detection for web shells (T1505.003) uses three Falcon telemetry event types. Branch 1 uses ProcessRollup2 to detect web server parent processes spawning OS command interpreters, the primary behavioural indicator of a web shell executing commands. Branch 2 uses file-write events to detect script files dropped into web-accessible directories by processes other than the web server or a deployment tool. Branch 3 uses NetworkConnectIP4 to detect web server processes making outbound connections to external IPs on non-HTTP/HTTPS ports, which can indicate a C2 or proxy channel. All branches set a RiskScore for analyst prioritisation; a host on which two or three branches fire within a short window is a far stronger signal than any single branch.
Data Sources
Required Tables
- ProcessRollup2 (process creation: ParentBaseFileName, FileName, CommandLine) for Branch 1
- NewScriptWritten / PeFileWritten (file writes: TargetFileName and the writing process name) for Branch 2
- NetworkConnectIP4 (network connections: ImageFileName, RemoteAddressIP4, RemotePort) for Branch 3
False Positives & Tuning
- Legitimate web server management scripts invoked via cron or scheduled tasks that run as the web server process context and spawn shell commands for log rotation, certificate renewal (certbot), or maintenance tasks
- Application performance monitoring agents (Dynatrace OneAgent, AppDynamics) that inject into JVM/IIS worker processes and establish outbound connections to APM collectors on non-standard ports
- Web-based administration panels (Plesk, cPanel, DirectAdmin) that run as web server processes and legitimately write PHP/script files to customer web directories during site provisioning or plugin management operations
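The three branches and the tuning allowlists above, reimplemented in Python over a handful of constructed Falcon-style events so the matching and the per-host ranking can be checked offline. This is an added example, not CrowdStrike code and not a substitute for the LogScale query; the event dicts, host names, IPs and the allowlist entries are all constructed, and the allowlist keys and helper names are this example's own.

```python
"""Reference implementation of the three web shell branches over constructed
Falcon-style events, with tuning allowlists and the per-host hunting view.
Added example; not CrowdStrike code. All events below are constructed."""
import ipaddress
import re
from collections import defaultdict

# Regexes mirror the LogScale query: anchored, with an optional ".exe" so that
# Linux daemons (httpd, nginx, php-fpm) match as well as their Windows counterparts.
WEB_SERVER = re.compile(
    r"^(w3wp|httpd|nginx|php|php-cgi|php-fpm|tomcat|catalina|java|javaw)(\.exe)?$", re.I)
SHELL = re.compile(
    r"^(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin"
    r"|whoami|net|net1|ipconfig|systeminfo|wmic|nltest|netstat|ping|nslookup|sh|bash)(\.exe)?$", re.I)
WEB_DIR = re.compile(
    r"(\\inetpub\\|\\wwwroot\\|\\htdocs\\|\\www\\|\\webapps\\|/var/www/|/public_html/)", re.I)
SCRIPT_EXT = re.compile(r"\.(asp|aspx|ashx|asmx|php|php5|jsp|jspx|cfm|shtml|phtml)$", re.I)
DEPLOY_TOOL = re.compile(r"^(w3wp|httpd|nginx|php|msdeploy|devenv|publish)(\.exe)?$", re.I)
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
WEB_PORTS = {80, 443, 8080, 8443}

# Tuning allowlists (constructed placeholders; fill from your own environment):
# process names a hosting panel uses to provision sites (Branch 2) and
# (process, remote port) pairs for APM agent collectors (Branch 3).
ALLOWLIST = {
    "WebShell_File_Drop": {"panel-provision"},           # hypothetical panel helper
    "WebServer_External_Connection": {("java", 9999)},   # hypothetical APM collector port
}

# Constructed sample events using Falcon field names (not real telemetry).
EVENTS = [
    # 1. IIS worker spawns cmd.exe -> Branch 1
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WEB01", "UserName": "IIS APPPOOL\\DefaultAppPool",
     "ParentBaseFileName": "w3wp.exe", "FileName": "cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    # 2. IIS worker starts dotnet.exe: an unanchored "net\.exe" would match this; the anchored one does not
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WEB01", "UserName": "IIS APPPOOL\\DefaultAppPool",
     "ParentBaseFileName": "w3wp.exe", "FileName": "dotnet.exe", "CommandLine": "dotnet.exe app.dll"},
    # 3. php-fpm on Linux spawns sh -> Branch 1 (no .exe suffix)
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WEB03", "UserName": "www-data",
     "ParentBaseFileName": "php-fpm", "FileName": "sh", "CommandLine": "sh -c id"},
    # 4. PowerShell writes an .aspx into wwwroot -> Branch 2
    {"event_simpleName": "NewScriptWritten", "ComputerName": "WEB01", "UserName": "WEB01\\svc_web",
     "ContextBaseFileName": "powershell.exe", "TargetFileName": "C:\\inetpub\\wwwroot\\shell.aspx"},
    # 5. msdeploy publishing a site: deployment tool, excluded
    {"event_simpleName": "NewScriptWritten", "ComputerName": "WEB02", "UserName": "WEB02\\deploy",
     "ContextBaseFileName": "msdeploy.exe", "TargetFileName": "C:\\inetpub\\wwwroot\\app\\Default.aspx"},
    # 6. w3wp outbound to a public IP on 4444 -> Branch 3
    {"event_simpleName": "NetworkConnectIP4", "ComputerName": "WEB01", "UserName": "IIS APPPOOL\\DefaultAppPool",
     "ImageFileName": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "RemoteAddressIP4": "203.0.113.10",
     "RemotePort": 4444, "ConnectionDirection": 0},
    # 7. php-fpm to an internal database: private range, excluded
    {"event_simpleName": "NetworkConnectIP4", "ComputerName": "WEB03", "UserName": "www-data",
     "ImageFileName": "/usr/sbin/php-fpm", "RemoteAddressIP4": "10.0.0.5", "RemotePort": 3306, "ConnectionDirection": 0},
    # 8. JVM to an APM collector on a non-standard port: suppressed by the egress allowlist
    {"event_simpleName": "NetworkConnectIP4", "ComputerName": "WEB02", "UserName": "tomcat",
     "ImageFileName": "/opt/java/bin/java", "RemoteAddressIP4": "198.51.100.7", "RemotePort": 9999, "ConnectionDirection": 0},
]


def basename(path):
    """Last path component for either separator style (ImageFileName is a full path)."""
    return re.split(r"[\\/]", path)[-1]


def norm(name):
    """Lowercase process name without a trailing .exe, for allowlist lookups."""
    return re.sub(r"\.exe$", "", name.lower())


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def detect(ev, allowlist=ALLOWLIST):
    """Return (DetectionType, RiskScore) if a branch matches the event, else None."""
    kind = ev.get("event_simpleName")
    if kind == "ProcessRollup2":
        if WEB_SERVER.match(ev["ParentBaseFileName"]) and SHELL.match(ev["FileName"]):
            return "WebServer_Spawned_Shell", 10
    elif kind in ("NewScriptWritten", "PeFileWritten"):
        target, writer = ev["TargetFileName"], ev["ContextBaseFileName"]
        if (WEB_DIR.search(target) and SCRIPT_EXT.search(target)
                and not DEPLOY_TOOL.match(writer)
                and norm(writer) not in allowlist["WebShell_File_Drop"]):
            return "WebShell_File_Drop", 9
    elif kind == "NetworkConnectIP4" and ev.get("ConnectionDirection") == 0:  # 0 = outbound
        proc = basename(ev["ImageFileName"])
        if (WEB_SERVER.match(proc) and not is_private(ev["RemoteAddressIP4"])
                and ev["RemotePort"] not in WEB_PORTS
                and (norm(proc), ev["RemotePort"]) not in allowlist["WebServer_External_Connection"]):
            return "WebServer_External_Connection", 7
    return None


def run_detections(events, allowlist=ALLOWLIST):
    """Apply every branch to every event; one hit per matching event."""
    hits = []
    for ev in events:
        result = detect(ev, allowlist)
        if result:
            hits.append({"ComputerName": ev["ComputerName"], "DetectionType": result[0],
                         "RiskScore": result[1], "event": ev})
    return hits


def aggregate(hits):
    """Per-host hunting view: event count, distinct branches, max risk; hosts where
    several branches fire rank first, mirroring the groupBy/sort in the query."""
    by_host = defaultdict(list)
    for hit in hits:
        by_host[hit["ComputerName"]].append(hit)
    rows = []
    for host, host_hits in by_host.items():
        types = sorted({h["DetectionType"] for h in host_hits})
        rows.append({"ComputerName": host, "EventCount": len(host_hits), "Branches": len(types),
                     "DetectionTypes": types, "MaxRisk": max(h["RiskScore"] for h in host_hits)})
    rows.sort(key=lambda r: (r["Branches"], r["MaxRisk"], r["EventCount"]), reverse=True)
    return rows


if __name__ == "__main__":
    for row in aggregate(run_detections(EVENTS)):
        print(row)
```

Running it ranks WEB01 first with all three branches firing, WEB03 second on a single php-fpm-spawned shell, and nothing for WEB02, whose msdeploy publish and APM egress are absorbed by the deployment-tool exclusion and the allowlist. The same allowlist shape is what you would encode in LogScale as a lookup file joined with match(), rather than growing the regexes.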
Testing Methodology
Validate this detection against three Atomic Red Team tests for T1505.003. Each test below lists the behaviour to exercise and the telemetry you should expect to see; the expected signals are given as Sysmon events, with the equivalent Falcon events this query consumes noted alongside. Executable commands and cleanup steps are available with Pro.
- Test 1: Simple ASPX Web Shell Drop (Test Environment Only)
Expected signal: Sysmon EventCode 11 (FileCreate) with TargetFilename=C:\inetpub\wwwroot\df00tech-test.aspx. When a web request triggers the shell: Sysmon EventCode 1 with ParentImage=w3wp.exe and Image=cmd.exe. In Falcon telemetry these are a NewScriptWritten event on the .aspx path (Branch 2) and a ProcessRollup2 event with ParentBaseFileName=w3wp.exe and FileName=cmd.exe (Branch 1).
- Test 2: Simulate Web Shell Command Execution (w3wp Spawning cmd)
Expected signal: Sysmon EventCode 1: cmd.exe spawned by powershell.exe. In a real web shell scenario ParentImage would be w3wp.exe. Because the parent here is powershell.exe, this test on its own does not satisfy Branch 1; it confirms that process-lineage telemetry is arriving, not that the rule fires.
- Test 3: China Chopper Web Shell Pattern Check
Expected signal: Sysmon EventCode 11 (FileCreate) with TargetFilename=C:\inetpub\wwwroot\df00tech-cc-test.php and Image=powershell.exe. In Falcon telemetry this is a NewScriptWritten event whose writing process is powershell.exe, which is not an excluded deployment tool, so Branch 2 fires.
References (6)
- https://attack.mitre.org/techniques/T1505/003/
- https://github.com/nsacyber/Mitigating-Web-Shells
- https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
- https://www.us-cert.gov/ncas/alerts/TA15-314A
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
Unlock Pro Content
Get the full detection package for T1505.003 including response playbook, investigation guide, and atomic red team tests.