Skip to content
Threat Feed
low advisory

Webshell Reconnaissance Command Detection

This brief describes detection of common reconnaissance commands executed through webshells on Windows systems, enabling defenders to identify post-exploitation discovery activities.

This brief details a detection strategy for identifying post-exploitation reconnaissance activities performed via webshells on Windows servers. Attackers frequently deploy webshells on compromised web servers to maintain access and execute commands remotely. Following initial compromise, they typically employ various command-line utilities and scripting tools to gain a deeper understanding of the compromised system and network environment. This includes using tools like net.exe, wmic.exe, ipconfig.exe, whoami.exe, schtasks.exe, systeminfo.exe, and PowerShell with encoded commands. The detection focuses on processes spawned by common web server applications (e.g., IIS w3wp.exe, PHP-CGI, NGINX, Apache httpd, Tomcat Java processes) that then execute these suspicious discovery commands. Identifying such activity is crucial for early detection of an attacker's presence and preventing further compromise, lateral movement, or data exfiltration.

Attack Chain

  1. Initial Access & Webshell Deployment: An attacker exploits a vulnerability in a public-facing web application (e.g., CVE-2024-1234) to gain initial access and deploy a webshell (e.g., China Chopper, Bumblebee) onto the web server.
  2. Webshell Activation: The attacker interacts with the deployed webshell, causing the legitimate web server process (e.g., w3wp.exe, php-cgi.exe, java.exe for Tomcat) to spawn a command-line interpreter (e.g., cmd.exe, powershell.exe).
  3. System Information Discovery: The attacker executes commands like systeminfo.exe or wmic.exe (wmic.exe os get caption /value) to gather details about the operating system, hardware, and installed software, mapping the system's configuration.
  4. Network Configuration Discovery: Commands such as ipconfig.exe, netstat.exe, nslookup.exe, ping.exe, Test-NetConnection, or tracert.exe are used to enumerate network interfaces, active connections, DNS information, and network connectivity to map the internal network segment.
  5. Account and User Discovery: The attacker employs whoami.exe, net user, net group, quser.exe, or dsquery.exe to identify local and domain user accounts, groups, and logged-on users, seeking targets for privilege escalation or lateral movement.
  6. Process and Task Discovery: tasklist.exe and schtasks.exe are executed to list running processes, services, and scheduled tasks, identifying potential running security software, interesting applications, or existing persistence mechanisms.
  7. File and Directory Discovery: The attacker uses find.exe, findstr.exe, or dir \\ (e.g., dir \\<IP>\C$) to search for sensitive files, configurations, or to explore remote shares for data or further access.
  8. Further Exploitation & Lateral Movement: Based on the gathered reconnaissance, the attacker proceeds with privilege escalation, establishes additional persistence, moves laterally within the network, or prepares for data exfiltration.

Impact

Successful execution of reconnaissance commands via a webshell indicates a significant compromise, potentially leading to immediate or future severe consequences. The attacker has established a persistent foothold, enabling them to map the network infrastructure, identify valuable assets, locate sensitive data, and enumerate user accounts. This intelligence gathering is a critical precursor to privilege escalation, lateral movement to other systems, data exfiltration, or the deployment of additional malicious payloads such as ransomware. Organizations could face severe data breaches, service disruption, reputational damage, and significant financial losses if these post-exploitation activities are not detected and remediated promptly. The presence of a webshell on a public-facing server poses an ongoing risk until completely eradicated.

Recommendation

  • Deploy the provided Sigma rule to your SIEM and tune for your environment to detect webshell reconnaissance activities.
  • Ensure comprehensive process_creation logging (e.g., Sysmon Event ID 1) is enabled on all Windows web servers to capture the necessary command-line arguments and parent-child process relationships for the rule.
  • Regularly review logs for processes spawned by web server applications that execute unusual or discovery-related commands.
  • Patch known vulnerabilities in web server software immediately to prevent webshell deployment.

Detection coverage 1

Webshell Detection With Command Line Keywords

high

Detects suspicious command-line parameters and binary executions often used during reconnaissance activity via webshells, spawned by common web server processes.

sigma tactics: discovery, execution, persistence techniques: T1016, T1018, T1033, T1046, T1049, T1053.005, T1057, T1059.001, T1059.003, T1083, T1087, T1505.003 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →