Detect Web Shell in IBM QRadar
Adversaries install web shells on compromised web servers to maintain persistent access. A web shell is a script (PHP, ASP, ASPX, JSP, etc.) that provides command execution, file upload/download, and network proxying capabilities over HTTP. Web shells are used by dozens of threat groups, including APT28, APT39, HAFNIUM, OilRig, GALLIUM, and Sandworm. China Chopper and P.A.S. Webshell are widely used examples. IcedID, WIREFIRE, and BUSHWALK target specific appliances (Ivanti VPN).
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1505 Server Software Component
- Sub-technique: T1505.003 Web Shell
- Canonical reference: https://attack.mitre.org/techniques/T1505/003/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
LOGSOURCENAME(logsourceid) AS log_source,
sourceip,
username,
"ParentProcessPath",
"ProcessPath",
"CommandLine",
"FileName",
"FilePath",
destinationip,
destinationport,
CASE
WHEN QIDNAME(qid) LIKE '%Process Create%'
AND ("ParentProcessPath" ILIKE '%w3wp.exe%' OR "ParentProcessPath" ILIKE '%httpd%'
OR "ParentProcessPath" ILIKE '%nginx%' OR "ParentProcessPath" ILIKE '%php%'
OR "ParentProcessPath" ILIKE '%tomcat%' OR "ParentProcessPath" ILIKE '%java%')
AND ("ProcessPath" ILIKE '%cmd.exe%' OR "ProcessPath" ILIKE '%powershell.exe%'
OR "ProcessPath" ILIKE '%wscript.exe%' OR "ProcessPath" ILIKE '%cscript.exe%'
OR "ProcessPath" ILIKE '%whoami.exe%' OR "ProcessPath" ILIKE '%net.exe%'
OR "ProcessPath" ILIKE '%systeminfo.exe%' OR "ProcessPath" ILIKE '%wmic.exe%'
OR "ProcessPath" ILIKE '%certutil.exe%' OR "ProcessPath" ILIKE '%bitsadmin.exe%'
OR "ProcessPath" ILIKE '%nltest.exe%' OR "ProcessPath" ILIKE '%mshta.exe%')
THEN 'WebServer_Spawned_Shell'
WHEN QIDNAME(qid) LIKE '%File Created%'
AND ("FilePath" ILIKE '%\inetpub\%' OR "FilePath" ILIKE '%\wwwroot\%'
OR "FilePath" ILIKE '%\htdocs\%' OR "FilePath" ILIKE '%\webapps\%'
OR "FilePath" ILIKE '%/var/www/%' OR "FilePath" ILIKE '%/public_html/%')
AND ("FileName" ILIKE '%.asp' OR "FileName" ILIKE '%.aspx' OR "FileName" ILIKE '%.ashx'
OR "FileName" ILIKE '%.php' OR "FileName" ILIKE '%.jsp' OR "FileName" ILIKE '%.jspx'
OR "FileName" ILIKE '%.cfm' OR "FileName" ILIKE '%.shtml')
AND NOT ("ProcessPath" ILIKE '%w3wp.exe%' OR "ProcessPath" ILIKE '%httpd%'
OR "ProcessPath" ILIKE '%nginx%' OR "ProcessPath" ILIKE '%msdeploy%')
THEN 'WebShell_File_Drop'
WHEN QIDNAME(qid) LIKE '%Network Connection%'
AND ("ProcessPath" ILIKE '%w3wp.exe%' OR "ProcessPath" ILIKE '%php%'
OR "ProcessPath" ILIKE '%httpd%' OR "ProcessPath" ILIKE '%nginx%')
AND NOT (INCIDR('10.0.0.0/8', destinationip)
OR INCIDR('172.16.0.0/12', destinationip)
OR INCIDR('192.168.0.0/16', destinationip)
OR INCIDR('127.0.0.0/8', destinationip))
AND destinationport NOT IN (80, 443, 8080, 8443)
THEN 'WebServer_External_Connection'
ELSE NULL
END AS detection_type
FROM events
WHERE
LOGSOURCETYPEID(logsourceid) IN (12, 13, 40, 143, 382)
AND detection_type IS NOT NULL
ORDER BY starttime DESC
LAST 24 HOURS
QRadar AQL query targeting Sysmon and Windows Security event sources to detect three web shell behavioral patterns: web server processes spawning command shells, suspicious script files written to web-accessible directories, and web server processes establishing outbound connections to external non-HTTP/HTTPS ports. It uses INCIDR (CIDR first, address second) to exclude private IP ranges and a CASE expression to assign a detection_type label to each matching event; the LAST clause restricts the search to the past 24 hours.
False Positives & Tuning
- Automated deployment pipelines in which build agents run as, or invoke, web server processes to copy application files into web directories during release automation (only msdeploy, w3wp.exe, httpd and nginx are excluded by the query; other deployment tools will trigger WebShell_File_Drop)
- Java-based application servers (JBoss, WebLogic, WebSphere) that legitimately spawn Java child processes or helper utilities as part of normal application operation
- Web application firewalls or monitoring agents that run as w3wp.exe child processes and initiate outbound connections to SIEM collectors or threat intelligence feeds on non-standard ports
Testing Methodology
Validate this detection against three Atomic Red Team tests for T1505.003. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simple ASPX Web Shell Drop (Test Environment Only)
Expected signal: Sysmon EventCode 11 (FileCreate) with TargetFilename=C:\inetpub\wwwroot\df00tech-test.aspx. When a web request triggers the shell: Sysmon EventCode 1 with ParentImage=w3wp.exe and Image=cmd.exe.
- Test 2: Simulate Web Shell Command Execution (w3wp Spawning cmd)
Expected signal: Sysmon EventCode 1: cmd.exe spawned by powershell.exe. In a real web shell scenario, ParentImage would be w3wp.exe, so this test alone does not satisfy the WebServer_Spawned_Shell branch of the query.
- Test 3: China Chopper Web Shell Pattern Check
Expected signal: Sysmon EventCode 11 (FileCreate) with TargetFilename=C:\inetpub\wwwroot\df00tech-cc-test.php and Image=powershell.exe.
References (6)
- https://attack.mitre.org/techniques/T1505/003/
- https://github.com/nsacyber/Mitigating-Web-Shells
- https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
- https://www.us-cert.gov/ncas/alerts/TA15-314A
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation