{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/attack.t1018/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:exclusiveaddons:exclusive_addons_for_elementor:*:*:*:*:*:wordpress:*:*"],"_cs_cves":[{"cvss":6.4,"id":"CVE-2024-1234"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["webshell","discovery","reconnaissance","attack.persistence","attack.discovery","attack.t1505.003","attack.t1018","attack.t1033","attack.t1087"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis brief details a detection strategy for identifying post-exploitation reconnaissance activities performed via webshells on Windows servers. Attackers frequently deploy webshells on compromised web servers to maintain access and execute commands remotely. Following initial compromise, they typically employ various command-line utilities and scripting tools to gain a deeper understanding of the compromised system and network environment. This includes using tools like \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003ewmic.exe\u003c/code\u003e, \u003ccode\u003eipconfig.exe\u003c/code\u003e, \u003ccode\u003ewhoami.exe\u003c/code\u003e, \u003ccode\u003eschtasks.exe\u003c/code\u003e, \u003ccode\u003esysteminfo.exe\u003c/code\u003e, and PowerShell with encoded commands. The detection focuses on processes spawned by common web server applications (e.g., IIS w3wp.exe, PHP-CGI, NGINX, Apache httpd, Tomcat Java processes) that then execute these suspicious discovery commands. Identifying such activity is crucial for early detection of an attacker's presence and preventing further compromise, lateral movement, or data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access \u0026amp; Webshell Deployment\u003c/strong\u003e: An attacker exploits a vulnerability in a public-facing web application (e.g., CVE-2024-1234) to gain initial access and deploy a webshell (e.g., China Chopper, Bumblebee) onto the web server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eWebshell Activation\u003c/strong\u003e: The attacker interacts with the deployed webshell, causing the legitimate web server process (e.g., \u003ccode\u003ew3wp.exe\u003c/code\u003e, \u003ccode\u003ephp-cgi.exe\u003c/code\u003e, \u003ccode\u003ejava.exe\u003c/code\u003e for Tomcat) to spawn a command-line interpreter (e.g., \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSystem Information Discovery\u003c/strong\u003e: The attacker executes commands like \u003ccode\u003esysteminfo.exe\u003c/code\u003e or \u003ccode\u003ewmic.exe\u003c/code\u003e (\u003ccode\u003ewmic.exe os get caption /value\u003c/code\u003e) to gather details about the operating system, hardware, and installed software, mapping the system's configuration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNetwork Configuration Discovery\u003c/strong\u003e: Commands such as \u003ccode\u003eipconfig.exe\u003c/code\u003e, \u003ccode\u003enetstat.exe\u003c/code\u003e, \u003ccode\u003enslookup.exe\u003c/code\u003e, \u003ccode\u003eping.exe\u003c/code\u003e, \u003ccode\u003eTest-NetConnection\u003c/code\u003e, or \u003ccode\u003etracert.exe\u003c/code\u003e are used to enumerate network interfaces, active connections, DNS information, and network connectivity to map the internal network segment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount and User Discovery\u003c/strong\u003e: The attacker employs \u003ccode\u003ewhoami.exe\u003c/code\u003e, \u003ccode\u003enet user\u003c/code\u003e, \u003ccode\u003enet group\u003c/code\u003e, \u003ccode\u003equser.exe\u003c/code\u003e, or \u003ccode\u003edsquery.exe\u003c/code\u003e to identify local and domain user accounts, groups, and logged-on users, seeking targets for privilege escalation or lateral movement.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eProcess and Task Discovery\u003c/strong\u003e: \u003ccode\u003etasklist.exe\u003c/code\u003e and \u003ccode\u003eschtasks.exe\u003c/code\u003e are executed to list running processes, services, and scheduled tasks, identifying potential running security software, interesting applications, or existing persistence mechanisms.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFile and Directory Discovery\u003c/strong\u003e: The attacker uses \u003ccode\u003efind.exe\u003c/code\u003e, \u003ccode\u003efindstr.exe\u003c/code\u003e, or \u003ccode\u003edir \\\\\u003c/code\u003e (e.g., \u003ccode\u003edir \\\\\u0026lt;IP\u0026gt;\\C$\u003c/code\u003e) to search for sensitive files, configurations, or to explore remote shares for data or further access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFurther Exploitation \u0026amp; Lateral Movement\u003c/strong\u003e: Based on the gathered reconnaissance, the attacker proceeds with privilege escalation, establishes additional persistence, moves laterally within the network, or prepares for data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of reconnaissance commands via a webshell indicates a significant compromise, potentially leading to immediate or future severe consequences. The attacker has established a persistent foothold, enabling them to map the network infrastructure, identify valuable assets, locate sensitive data, and enumerate user accounts. This intelligence gathering is a critical precursor to privilege escalation, lateral movement to other systems, data exfiltration, or the deployment of additional malicious payloads such as ransomware. Organizations could face severe data breaches, service disruption, reputational damage, and significant financial losses if these post-exploitation activities are not detected and remediated promptly. The presence of a webshell on a public-facing server poses an ongoing risk until completely eradicated.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune for your environment to detect webshell reconnaissance activities.\u003c/li\u003e\n\u003cli\u003eEnsure comprehensive \u003ccode\u003eprocess_creation\u003c/code\u003e logging (e.g., Sysmon Event ID 1) is enabled on all Windows web servers to capture the necessary command-line arguments and parent-child process relationships for the rule.\u003c/li\u003e\n\u003cli\u003eRegularly review logs for processes spawned by web server applications that execute unusual or discovery-related commands.\u003c/li\u003e\n\u003cli\u003ePatch known vulnerabilities in web server software immediately to prevent webshell deployment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T10:23:54Z","date_published":"2026-07-14T10:23:54Z","id":"https://feed.craftedsignal.io/briefs/2026-07-webshell-reconnaissance-detection/","summary":"This brief describes detection of common reconnaissance commands executed through webshells on Windows systems, enabling defenders to identify post-exploitation discovery activities.","title":"Webshell Reconnaissance Command Detection","url":"https://feed.craftedsignal.io/briefs/2026-07-webshell-reconnaissance-detection/"}],"language":"en","title":"CraftedSignal Threat Feed - Attack.t1018","version":"https://jsonfeed.org/version/1.1"}