Detect Web Shell in Microsoft Sentinel
Adversaries install web shells on compromised web servers to maintain persistent access. A web shell is a server-side script (PHP, ASP, ASPX, JSP and so on) placed in a web-accessible directory that gives the attacker command execution, file upload/download and network proxying over ordinary HTTP requests, so its traffic blends in with legitimate use of the server. Web shells are used by dozens of threat groups, including APT28, APT39, HAFNIUM, OilRig, GALLIUM and Sandworm. China Chopper and P.A.S. Webshell are widely used examples. WIREFIRE and BUSHWALK are appliance-specific web shells deployed on Ivanti Connect Secure VPN devices.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1505 Server Software Component
- Sub-technique: T1505.003 Web Shell
- Canonical reference: https://attack.mitre.org/techniques/T1505/003/
KQL Detection Query
// T1505.003 Web Shell detection
// Three signals: a web server process spawning OS commands, a server-side script
// written into a web directory, and a web server process connecting out to a public IP.
// Part 1: Web server processes spawning shells/utilities (primary web shell signal).
// java.exe/javaw.exe cover Tomcat, JBoss and similar servers started directly and
// tomcat9.exe the Tomcat Windows service wrapper; Java hosts are the noisiest parents.
let WebServerProcesses = dynamic(["w3wp.exe", "httpd.exe", "nginx.exe", "php.exe",
"php-cgi.exe", "tomcat9.exe", "java.exe", "javaw.exe"]);
let SuspiciousChildren = dynamic(["cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
"mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
"bitsadmin.exe", "msiexec.exe", "whoami.exe", "net.exe",
"net1.exe", "ipconfig.exe", "systeminfo.exe", "wmic.exe",
"nltest.exe", "netstat.exe", "ping.exe", "nslookup.exe"]);
let WebShellSpawn = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (WebServerProcesses)
| where FileName in~ (SuspiciousChildren)
| extend DetectionType = "WebServer_Shell_Spawn"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 2: Server-side script files written into web directories.
// The web server process is deliberately NOT excluded: w3wp.exe writing an .aspx into
// wwwroot is exactly what exploitation or an abused upload handler looks like. Exclude
// known deployment tooling instead; msdeploy.exe is an example entry, tune it for your CI/CD.
let WebDirPaths = dynamic(["\\inetpub\\", "\\wwwroot\\", "\\htdocs\\",
"\\www\\", "\\public_html\\", "\\webapps\\"]);
let WebShellExtensions = dynamic([".asp", ".aspx", ".ashx", ".asmx",
".php", ".jsp", ".jspx", ".cfm", ".shtml"]);
let DeploymentTools = dynamic(["msdeploy.exe"]);
let WebShellDrop = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FolderPath has_any (WebDirPaths)
| extend Ext = tolower(extract(@"\.[^.]+$", 0, FileName))
| where Ext in (WebShellExtensions)
| where InitiatingProcessFileName !in~ (DeploymentTools)
| extend DetectionType = iff(InitiatingProcessFileName in~ (WebServerProcesses),
"WebShell_File_Drop_By_WebServer", "WebShell_File_Drop")
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 3: Web server processes making outbound connections to public IPs on
// non-standard ports (reverse shell, C2 or tunnelling through the shell).
let WebShellNetwork = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("w3wp.exe", "php.exe", "php-cgi.exe", "httpd.exe")
| where RemoteIPType == "Public"
| where RemotePort !in (80, 443, 8080, 8443)
| extend DetectionType = "WebServer_External_Connection"
| project Timestamp, DeviceName, AccountName, RemoteIP, RemotePort,
InitiatingProcessFileName, DetectionType;
union WebShellSpawn, WebShellDrop, WebShellNetwork
| sort by Timestamp desc

Three-part web shell detection. Part 1 (highest fidelity): a web server process (IIS w3wp.exe, Apache httpd.exe, PHP, a Java application server) spawning cmd.exe, PowerShell or a reconnaissance utility, which is the definitive sign of command execution through a web shell. Part 2: server-side script files written into web directories. When the writer is the web server process itself the row is tagged WebShell_File_Drop_By_WebServer; that is what exploitation of the web application or an abused upload handler looks like (the ASPX shells HAFNIUM dropped on Exchange servers were written by w3wp.exe) and it is the variant to triage first. Writes by any other process, apart from allowlisted deployment tooling, are tagged WebShell_File_Drop and cover shells staged over RDP, SMB or a scripting host. Part 3: a web server process connecting to a public IP on a port other than the usual web ports, which points to a reverse shell, C2 or tunnelling through the shell. Part 3 is the noisiest of the three on servers that call external APIs, so scope it to expected destinations before turning it into an analytic rule.
Data Sources
Required Tables
- DeviceProcessEvents (Part 1)
- DeviceFileEvents (Part 2)
- DeviceNetworkEvents (Part 3)
All three are Microsoft Defender for Endpoint advanced hunting tables; in Sentinel they arrive through the Microsoft Defender XDR data connector, so the web server must be onboarded to Defender for Endpoint for this query to return anything.
False Positives & Tuning
- IIS application pools that legitimately shell out to cmd.exe for application integration (rare, but it exists in legacy systems); allowlist by application pool identity (AccountName) and the specific command line rather than by parent process alone
- PHP or JSP applications that call exec() or shell_exec() for legitimate system operations such as image processing or file conversion; java.exe as the parent is especially noisy on application servers
- Legitimate deployment pipelines (CI/CD) that write files to web directories as part of automated deployment; exclude the deployment tool's image name rather than the web server's, because the web server writing its own script files is the signal you want to keep
- System administration scripts that run under the IIS application pool identity for configuration management
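The three rules of the KQL query above, together with the allowlists suggested in the False Positives & Tuning list, re-implemented in Python over constructed Advanced Hunting style records so the logic can be regression-tested outside Sentinel. This is an added example, not code from the original page, and it is not a substitute for the KQL: it exists so a detection engineer can assert what each rule returns for a given event. Field names follow the DeviceProcessEvents, DeviceFileEvents and DeviceNetworkEvents schemas; the sample events (hosts WEB01, WEB02 and LAB01, TEST-NET-3 addresses), the msdeploy.exe allowlist entry and the tolerated httpd.exe to cmd.exe image-conversion pair are assumptions made for the illustration. Two of the sample events reproduce Test 2 and Test 3 from the Testing Methodology section.

```python
"""Added example, not code from the original page: the three rules of the KQL
query above re-implemented in Python over constructed Advanced Hunting style
records, so the logic and the allowlists from False Positives & Tuning can be
unit-tested outside Sentinel. Field names follow the DeviceProcessEvents,
DeviceFileEvents and DeviceNetworkEvents schemas; the sample events, the
msdeploy.exe allowlist and the tolerated httpd.exe -> cmd.exe pair are made up."""
from __future__ import annotations
import ntpath

WEB_SERVER_PROCESSES = {"w3wp.exe", "httpd.exe", "nginx.exe", "php.exe",
                        "php-cgi.exe", "tomcat9.exe", "java.exe", "javaw.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                       "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
                       "msiexec.exe", "whoami.exe", "net.exe", "net1.exe", "ipconfig.exe",
                       "systeminfo.exe", "wmic.exe", "nltest.exe", "netstat.exe", "ping.exe",
                       "nslookup.exe"}
NETWORK_WATCH = {"w3wp.exe", "php.exe", "php-cgi.exe", "httpd.exe"}
WEB_DIR_MARKERS = ("\\inetpub\\", "\\wwwroot\\", "\\htdocs\\", "\\www\\",
                   "\\public_html\\", "\\webapps\\")
WEB_SHELL_EXTENSIONS = {".asp", ".aspx", ".ashx", ".asmx", ".php", ".jsp", ".jspx", ".cfm", ".shtml"}
STANDARD_WEB_PORTS = {80, 443, 8080, 8443}
# Tuning allowlists (constructed examples). Keep them narrow: a (parent, child) pair
# plus a command-line fragment, never a bare parent process.
DEPLOYMENT_TOOLS = {"msdeploy.exe"}  # CI/CD tooling that publishes into wwwroot
TOLERATED_SPAWNS = {("httpd.exe", "cmd.exe"): ("magick convert",)}  # known exec() use


def detect_spawn(ev: dict) -> str | None:
    """Part 1: web server process spawning a shell or recon utility."""
    parent = ev.get("InitiatingProcessFileName", "").lower()
    child = ev.get("FileName", "").lower()
    if parent not in WEB_SERVER_PROCESSES or child not in SUSPICIOUS_CHILDREN:
        return None
    cmdline = ev.get("ProcessCommandLine", "").lower()
    if any(frag in cmdline for frag in TOLERATED_SPAWNS.get((parent, child), ())):
        return None
    return "WebServer_Shell_Spawn"


def detect_file_drop(ev: dict) -> str | None:
    """Part 2: server-side script written into a web directory."""
    if ev.get("ActionType") not in ("FileCreated", "FileModified", "FileRenamed"):
        return None
    if not any(m in ev.get("FolderPath", "").lower() for m in WEB_DIR_MARKERS):
        return None
    if ntpath.splitext(ev.get("FileName", ""))[1].lower() not in WEB_SHELL_EXTENSIONS:
        return None
    writer = ev.get("InitiatingProcessFileName", "").lower()
    if writer in DEPLOYMENT_TOOLS:
        return None
    # The web server writing a script into its own docroot is the upload or
    # exploitation path itself, so it gets the higher-fidelity tag.
    if writer in WEB_SERVER_PROCESSES:
        return "WebShell_File_Drop_By_WebServer"
    return "WebShell_File_Drop"


def detect_network(ev: dict) -> str | None:
    """Part 3: web server process connecting out to a public IP on a non-web port."""
    if ev.get("InitiatingProcessFileName", "").lower() not in NETWORK_WATCH:
        return None
    if ev.get("RemoteIPType") != "Public" or int(ev.get("RemotePort", 0)) in STANDARD_WEB_PORTS:
        return None
    return "WebServer_External_Connection"


RULES = {"DeviceProcessEvents": detect_spawn, "DeviceFileEvents": detect_file_drop,
         "DeviceNetworkEvents": detect_network}


def run_detections(events: list[dict]) -> list[tuple[str, str, str]]:
    """Union of the three rules, newest first, like the KQL union / sort by Timestamp desc."""
    hits = []
    for ev in sorted(events, key=lambda e: e["Timestamp"], reverse=True):
        verdict = RULES[ev["Table"]](ev)
        if verdict is not None:
            hits.append((ev["Timestamp"], ev["DeviceName"], verdict))
    return hits


# Constructed sample telemetry (203.0.113.0/24 is the TEST-NET-3 documentation range).
SAMPLE_EVENTS = [
    # Exploitation drops an ASPX into wwwroot through the IIS worker process itself.
    {"Table": "DeviceFileEvents", "Timestamp": "2024-01-15T10:00:00Z", "DeviceName": "WEB01",
     "ActionType": "FileCreated", "FolderPath": r"C:\inetpub\wwwroot\aspnet_client\df00tech-test.aspx",
     "FileName": "df00tech-test.aspx", "InitiatingProcessFileName": "w3wp.exe"},
    # A request to the shell makes w3wp.exe run recon through cmd.exe, then call home.
    {"Table": "DeviceProcessEvents", "Timestamp": "2024-01-15T10:00:05Z", "DeviceName": "WEB01",
     "InitiatingProcessFileName": "w3wp.exe", "FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c whoami"},
    {"Table": "DeviceNetworkEvents", "Timestamp": "2024-01-15T10:00:09Z", "DeviceName": "WEB01",
     "InitiatingProcessFileName": "w3wp.exe", "RemoteIP": "203.0.113.10", "RemoteIPType": "Public", "RemotePort": 4444},
    # Testing Methodology Test 2: cmd.exe under powershell.exe does not satisfy Part 1.
    {"Table": "DeviceProcessEvents", "Timestamp": "2024-01-15T10:01:00Z", "DeviceName": "LAB01",
     "InitiatingProcessFileName": "powershell.exe", "FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c whoami"},
    # Testing Methodology Test 3: PHP file written into wwwroot by powershell.exe.
    {"Table": "DeviceFileEvents", "Timestamp": "2024-01-15T10:02:00Z", "DeviceName": "LAB01",
     "ActionType": "FileCreated", "FolderPath": r"C:\inetpub\wwwroot\df00tech-cc-test.php",
     "FileName": "df00tech-cc-test.php", "InitiatingProcessFileName": "powershell.exe"},
    # Allowlisted deployment tool publishing the site, and a tolerated image conversion.
    {"Table": "DeviceFileEvents", "Timestamp": "2024-01-15T09:00:00Z", "DeviceName": "WEB01",
     "ActionType": "FileModified", "FolderPath": r"C:\inetpub\wwwroot\Default.aspx",
     "FileName": "Default.aspx", "InitiatingProcessFileName": "msdeploy.exe"},
    {"Table": "DeviceProcessEvents", "Timestamp": "2024-01-15T09:30:00Z", "DeviceName": "WEB02",
     "InitiatingProcessFileName": "httpd.exe", "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c magick convert upload.png thumb.jpg"},
]

if __name__ == "__main__":
    for ts, device, verdict in run_detections(SAMPLE_EVENTS):
        print(ts, device, verdict)
```

Run stand-alone it prints the four rows the KQL union would return for the same telemetry, newest first. The allowlists are deliberately keyed on parent plus child plus a command-line fragment: allowlisting httpd.exe as a parent outright would also silence a real shell on that host, which is the mistake the tuning list warns about.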
Testing Methodology
Validate this detection with the three test cases below, modelled on the Atomic Red Team tests for T1505.003. Each test lists the behaviour to exercise and the telemetry you should expect to see; the Sysmon event IDs quoted correspond to DeviceFileEvents (EventCode 11, FileCreate) and DeviceProcessEvents (EventCode 1, process creation) in the query above. Executable commands and cleanup steps are available with Pro.
- Test 1: Simple ASPX Web Shell Drop (test environment only)
Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename=C:\inetpub\wwwroot\df00tech-test.aspx, which Part 2 reports as WebShell_File_Drop. When a web request triggers the shell: Sysmon EventCode 1 with ParentImage=w3wp.exe and Image=cmd.exe, which Part 1 reports as WebServer_Shell_Spawn.
- Test 2: Simulate Web Shell Command Execution (w3wp Spawning cmd)
Expected signal: Sysmon EventCode 1: cmd.exe spawned by powershell.exe. In a real web shell scenario ParentImage would be w3wp.exe. Because the parent here is powershell.exe, Part 1 does not fire on this simulation; it confirms that process-creation telemetry is flowing, not the rule. To exercise the rule itself, send a request to the shell from Test 1 so that w3wp.exe is the parent.
- Test 3: China Chopper Web Shell Pattern Check
Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename=C:\inetpub\wwwroot\df00tech-cc-test.php and Image=powershell.exe, which Part 2 reports as WebShell_File_Drop.
References
- https://attack.mitre.org/techniques/T1505/003/
- https://github.com/nsacyber/Mitigating-Web-Shells
- https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
- https://www.us-cert.gov/ncas/alerts/TA15-314A
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation