T1505.003 Splunk · SPL

Detect Web Shell in Splunk

Adversaries install web shells on compromised web servers to maintain persistent access. A web shell is a server-side script (PHP, ASP, ASPX, JSP, etc.) that gives the operator command execution, file upload and download, and network proxying through ordinary HTTP requests, so no new listening port or service is needed and the traffic blends in with legitimate web traffic. Web shells are used by dozens of threat groups including APT28, APT39, HAFNIUM, OilRig, GALLIUM, and Sandworm. China Chopper and P.A.S. Webshell are widely used examples; WIREFIRE and BUSHWALK are web shells built for specific appliances (Ivanti Connect Secure VPN).

MITRE ATT&CK

Tactic
Persistence
Technique
T1505 Server Software Component
Sub-technique
T1505.003 Web Shell
Canonical reference
https://attack.mitre.org/techniques/T1505/003/

SPL Detection Query

Splunk (SPL)
spl
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval detection_type=case(
    EventCode=1 AND
      match(ParentImage, "(?i)\\\\(w3wp|httpd|nginx|php|php-cgi|tomcat|catalina|java|javaw)\.exe$") AND
      match(Image, "(?i)\\\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|whoami|net|ipconfig|systeminfo|wmic|nltest|netstat|ping|nslookup)\.exe$"),
      "WebServer_Spawned_Shell",
    EventCode=11 AND
      match(TargetFilename, "(?i)(\\\\inetpub|\\\\wwwroot|\\\\htdocs|\\\\www|\\\\webapps)") AND
      match(TargetFilename, "(?i)\\.(asp|aspx|ashx|asmx|php|jsp|jspx|cfm|shtml)$") AND
      NOT match(Image, "(?i)(w3wp|httpd|nginx|php|deploy|publish)\.exe"),
      "WebShell_File_Drop",
    EventCode=3 AND
      match(Image, "(?i)(w3wp|php|php-cgi|httpd)\.exe") AND
      NOT match(DestinationIp, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.|::1$)") AND
      NOT (DestinationPort=80 OR DestinationPort=443 OR DestinationPort=8080 OR DestinationPort=8443),
      "WebServer_External_Connection",
    true(), null()
  )
| where isnotnull(detection_type)
| eval risk_score=case(
    detection_type="WebServer_Spawned_Shell", 10,
    detection_type="WebShell_File_Drop", 8,
    detection_type="WebServer_External_Connection", 7,
    true(), 5
  )
| table _time, host, EventCode, User, detection_type, risk_score, Image, CommandLine, TargetFilename,
        DestinationIp, DestinationPort, ParentImage
| sort - risk_score, - _time
critical severity high confidence

Detects web shell activity from Sysmon telemetry and assigns a risk score per branch. EventCode 1: a web server process (w3wp.exe, httpd.exe, nginx.exe, PHP, Tomcat/Java) spawning a shell or reconnaissance tool (score 10, highest fidelity; these parents almost never launch cmd.exe or whoami.exe legitimately). The process-name patterns are anchored on the preceding backslash and the .exe suffix so that, for example, dotnet.exe started by w3wp.exe for ASP.NET Core out-of-process hosting is not matched by the "net" alternative. EventCode 11: a server-side script file written under a web root by something other than the web server or a deployment tool (score 8). EventCode 3: a web server process connecting to a non-private address on a port other than 80/443/8080/8443 (score 7), which catches reverse shells and proxy tunnels started from inside the server process. Results are sorted by risk score, then time, so the highest-confidence alerts surface first. Note that the file-drop branch deliberately excludes writes by w3wp.exe, httpd.exe, nginx.exe and php.exe; a web shell uploaded through a vulnerable upload handler is written by the web server process itself and will only be caught later by the process-spawn or network branches. If you need coverage for that path, remove the web-server exclusion and tune by TargetFilename path instead.
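The three case() branches above, re-implemented in plain Python and run over constructed Sysmon-style events so the branch logic and its edge cases can be checked offline. This is an added example, not code from the page, Splunk or Sysmon; field names follow the Sysmon XmlWinEventLog fields the query uses, and the events, host name, paths and IPs are made up. It shows the anchored process match ignoring dotnet.exe, the writer exclusion suppressing a file written by w3wp.exe, and the port and private-address filters on the network branch.

```python
# Added example (not the page's SPL, nor Splunk or Sysmon code): the three
# case() branches of the query above, re-implemented in plain Python and run
# over constructed Sysmon-style events. Field names follow the Sysmon
# XmlWinEventLog fields the query uses; all sample data below is made up.
import re

# EventCode 1: web server parent spawning a shell or recon tool. The leading \\
# and trailing $ anchor on the file name, so dotnet.exe (ASP.NET Core
# out-of-process hosting under IIS) is not matched by the "net" alternative.
WEB_SERVER = re.compile(
    r"\\(w3wp|httpd|nginx|php|php-cgi|tomcat|catalina|java|javaw)\.exe$", re.I)
SHELL_CHILD = re.compile(
    r"\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|"
    r"whoami|net|ipconfig|systeminfo|wmic|nltest|netstat|ping|nslookup)\.exe$", re.I)
# EventCode 11: server-side script written under a web root by something other
# than the web server or a deployment tool ("deploy" also covers msdeploy.exe).
WEB_DIR = re.compile(r"\\(inetpub|wwwroot|htdocs|www|webapps)", re.I)
SCRIPT_EXT = re.compile(r"\.(asp|aspx|ashx|asmx|php|jsp|jspx|cfm|shtml)$", re.I)
TRUSTED_WRITER = re.compile(r"(w3wp|httpd|nginx|php|deploy|publish)\.exe$", re.I)
# EventCode 3: web server process talking outbound to a non-private address on
# a port that is not plain HTTP/HTTPS. Same address ranges as the SPL regex.
NET_SOURCE = re.compile(r"(w3wp|php|php-cgi|httpd)\.exe$", re.I)
INTERNAL_IP = re.compile(
    r"^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.|::1$)")
HTTP_PORTS = {80, 443, 8080, 8443}

RISK_SCORE = {
    "WebServer_Spawned_Shell": 10,
    "WebShell_File_Drop": 8,
    "WebServer_External_Connection": 7,
}


def classify(ev):
    """Return the detection_type the SPL case() would assign, or None."""
    code = ev.get("EventCode")
    image = ev.get("Image", "")
    if code == 1 and WEB_SERVER.search(ev.get("ParentImage", "")) \
            and SHELL_CHILD.search(image):
        return "WebServer_Spawned_Shell"
    if code == 11:
        target = ev.get("TargetFilename", "")
        if WEB_DIR.search(target) and SCRIPT_EXT.search(target) \
                and not TRUSTED_WRITER.search(image):
            return "WebShell_File_Drop"
    if code == 3 and NET_SOURCE.search(image) \
            and not INTERNAL_IP.match(ev.get("DestinationIp", "")) \
            and int(ev.get("DestinationPort", 0)) not in HTTP_PORTS:
        return "WebServer_External_Connection"
    return None


def score(events):
    """Keep events that hit a branch, attach risk_score, sort like the query."""
    hits = []
    for ev in events:
        detection = classify(ev)
        if detection is not None:
            hits.append({**ev, "detection_type": detection,
                         "risk_score": RISK_SCORE[detection]})
    hits.sort(key=lambda h: h["UtcTime"], reverse=True)     # newest first ...
    hits.sort(key=lambda h: h["risk_score"], reverse=True)  # ... within highest score
    return hits


# Constructed events (not real telemetry): one hit per branch plus edge cases.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [
    {"EventCode": 1, "UtcTime": "2024-05-01 10:00:01", "host": "web01",
     "ParentImage": W3WP, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},                          # fires, score 10
    {"EventCode": 1, "UtcTime": "2024-05-01 10:00:02", "host": "web01",
     "ParentImage": W3WP, "Image": r"C:\Program Files\dotnet\dotnet.exe",
     "CommandLine": "dotnet .\\App.dll"},                          # anchored: no hit
    {"EventCode": 11, "UtcTime": "2024-05-01 10:00:03", "host": "web01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\df00tech-test.aspx"},   # fires, score 8
    {"EventCode": 11, "UtcTime": "2024-05-01 10:00:04", "host": "web01",
     "Image": W3WP,
     "TargetFilename": r"C:\inetpub\wwwroot\uploads\shell.aspx"},   # writer excluded
    {"EventCode": 3, "UtcTime": "2024-05-01 10:00:05", "host": "web01",
     "Image": W3WP, "DestinationIp": "198.51.100.23", "DestinationPort": 4444},  # fires, 7
    {"EventCode": 3, "UtcTime": "2024-05-01 10:00:06", "host": "web01",
     "Image": W3WP, "DestinationIp": "198.51.100.23", "DestinationPort": 443},   # HTTPS
    {"EventCode": 3, "UtcTime": "2024-05-01 10:00:07", "host": "web01",
     "Image": W3WP, "DestinationIp": "10.0.0.5", "DestinationPort": 1433},       # internal
]

if __name__ == "__main__":
    for hit in score(SAMPLE_EVENTS):
        print(hit["risk_score"], hit["detection_type"], hit["host"], hit["UtcTime"])
```

Run it and three rows come back in score order (10, 8, 7); the dotnet.exe spawn, the w3wp.exe-written .aspx, the HTTPS connection and the internal SQL connection all drop out, which is the behaviour to keep in mind when reading the False Positives section.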

Data Sources

Process: Process Creation
File: File Creation
Network Traffic: Network Connection
Sysmon Event ID 1, 3, 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legacy web applications running under IIS that legitimately spawn cmd.exe for system integration
  • Legitimate file upload functionality writing script files to web directories (requires tuning by file path and initiating process)
  • CI/CD deployment pipelines writing application files including .php/.aspx to web roots

Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise, the telemetry you should expect to see, and which branch of the query it exercises. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simple ASPX Web Shell Drop (Test Environment Only)

    Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename=C:\inetpub\wwwroot\df00tech-test.aspx, fired as WebShell_File_Drop because the writing process is neither a web server nor a deployment tool. When a web request triggers the shell: Sysmon EventCode 1 with ParentImage=w3wp.exe and Image=cmd.exe, fired as WebServer_Spawned_Shell.

  2. Test 2: Simulate Web Shell Command Execution (w3wp Spawning cmd)

    Expected signal: Sysmon EventCode 1: cmd.exe spawned by powershell.exe. In a real web shell scenario, ParentImage would be w3wp.exe. Because the query requires a web server ParentImage, this event confirms that process-creation telemetry is flowing but will not fire the WebServer_Spawned_Shell branch; the second stage of Test 1 (w3wp.exe spawning cmd.exe) is what exercises it.

  3. Test 3: China Chopper Web Shell Pattern Check

    Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename=C:\inetpub\wwwroot\df00tech-cc-test.php and Image=powershell.exe, fired as WebShell_File_Drop.
