Detection of Web Shell via Antivirus Signature
This brief describes the detection of web shells by antivirus solutions, emphasizing the importance of investigating these alerts as they signify a compromised web server and potential post-exploitation activity by an attacker.
This intelligence focuses on the detection of web shells through antivirus signatures, which is a critical indicator of a compromised web server. A web shell is a malicious script or program uploaded to a web server by an attacker to enable remote administration and control. While antivirus solutions are often effective at blocking or quarantining these artifacts, the detection itself is a strong signal that an initial compromise has already occurred. Defenders must not solely rely on the antivirus blocking the threat but must conduct a thorough investigation to understand the initial access vector, the extent of the compromise, and whether other persistence mechanisms have been established. Early and thorough investigation of these alerts is paramount to preventing further attacker lateral movement, data exfiltration, or complete system takeover.
Attack Chain
- Attacker gains initial access to a web server, typically by exploiting a vulnerability such as an insecure file upload, deserialization flaw, path traversal, or SQL injection.
- The attacker deploys a web shell, which is a malicious script (e.g.,
cmd.php,shell.jsp,asp.aspx) written in a web scripting language, to a publicly accessible directory on the compromised web server. - The web shell is designed to provide remote command execution capabilities, allowing the attacker to interact with the underlying operating system through the web server.
- The host's antivirus (AV) solution performs a scan (either real-time or scheduled) and identifies the newly deployed web shell based on its signature, matching patterns like 'PHP.Agent', 'C99shell', or 'Backdoor.ASP'.
- The antivirus solution triggers an alert indicating the detection of a web shell, logging the event and potentially taking automated remediation actions like quarantining or deleting the file.
- Security operations teams receive notification of the antivirus alert, signaling successful web shell deployment and confirming a prior compromise requiring immediate incident response.
Impact
Successful web shell deployment often leads to severe consequences, including full remote code execution, data exfiltration, privilege escalation, and lateral movement within the network. Attackers utilize web shells to maintain persistence, conduct reconnaissance, deploy additional malware (e.g., ransomware), deface websites, or use the compromised server as a pivot point for further attacks. The presence of a web shell implies a critical breach of the web server, necessitating immediate containment and eradication to prevent widespread damage across the organization.
Recommendation
- Deploy the
Antivirus - Web Shell Detection SignatureSigma rule to your SIEM and tune theSignaturefield with specific strings used by your organization's antivirus solution for web shell detections. - Ensure comprehensive antivirus logging and integration with your SIEM to capture all
antiviruscategory alerts, specifically those indicating web shell detections. - Investigate all
highlevel alerts generated by theAntivirus - Web Shell Detection Signaturerule immediately to determine the initial compromise vector and scope of impact. - Implement strong access controls and regular vulnerability scanning for all internet-facing web servers to prevent initial web shell deployment.
Detection coverage 1
Antivirus - Web Shell Detection Signature
highDetects antivirus alerts reporting a web shell, indicating potential compromise of a web server. Investigation is critical even if the AV solution blocked the malware.
Detection queries are available on the platform. Get full rules →