Skip to content
Threat Feed
high advisory

Detection of Web Shell via Antivirus Signature

This brief describes the detection of web shells by antivirus solutions, emphasizing the importance of investigating these alerts as they signify a compromised web server and potential post-exploitation activity by an attacker.

This intelligence focuses on the detection of web shells through antivirus signatures, which is a critical indicator of a compromised web server. A web shell is a malicious script or program uploaded to a web server by an attacker to enable remote administration and control. While antivirus solutions are often effective at blocking or quarantining these artifacts, the detection itself is a strong signal that an initial compromise has already occurred. Defenders must not solely rely on the antivirus blocking the threat but must conduct a thorough investigation to understand the initial access vector, the extent of the compromise, and whether other persistence mechanisms have been established. Early and thorough investigation of these alerts is paramount to preventing further attacker lateral movement, data exfiltration, or complete system takeover.

Attack Chain

  1. Attacker gains initial access to a web server, typically by exploiting a vulnerability such as an insecure file upload, deserialization flaw, path traversal, or SQL injection.
  2. The attacker deploys a web shell, which is a malicious script (e.g., cmd.php, shell.jsp, asp.aspx) written in a web scripting language, to a publicly accessible directory on the compromised web server.
  3. The web shell is designed to provide remote command execution capabilities, allowing the attacker to interact with the underlying operating system through the web server.
  4. The host's antivirus (AV) solution performs a scan (either real-time or scheduled) and identifies the newly deployed web shell based on its signature, matching patterns like 'PHP.Agent', 'C99shell', or 'Backdoor.ASP'.
  5. The antivirus solution triggers an alert indicating the detection of a web shell, logging the event and potentially taking automated remediation actions like quarantining or deleting the file.
  6. Security operations teams receive notification of the antivirus alert, signaling successful web shell deployment and confirming a prior compromise requiring immediate incident response.

Impact

Successful web shell deployment often leads to severe consequences, including full remote code execution, data exfiltration, privilege escalation, and lateral movement within the network. Attackers utilize web shells to maintain persistence, conduct reconnaissance, deploy additional malware (e.g., ransomware), deface websites, or use the compromised server as a pivot point for further attacks. The presence of a web shell implies a critical breach of the web server, necessitating immediate containment and eradication to prevent widespread damage across the organization.

Recommendation

  • Deploy the Antivirus - Web Shell Detection Signature Sigma rule to your SIEM and tune the Signature field with specific strings used by your organization's antivirus solution for web shell detections.
  • Ensure comprehensive antivirus logging and integration with your SIEM to capture all antivirus category alerts, specifically those indicating web shell detections.
  • Investigate all high level alerts generated by the Antivirus - Web Shell Detection Signature rule immediately to determine the initial compromise vector and scope of impact.
  • Implement strong access controls and regular vulnerability scanning for all internet-facing web servers to prevent initial web shell deployment.

Detection coverage 1

Antivirus - Web Shell Detection Signature

high

Detects antivirus alerts reporting a web shell, indicating potential compromise of a web server. Investigation is critical even if the AV solution blocked the malware.

sigma tactics: persistence techniques: T1505.003 sources: antivirus

Detection queries are available on the platform. Get full rules →