Web Shell Detection via Server Behavior and File Execution Chains

Technique Detected: Web Shell | T1505.003

ID: DET0394
Domains: Enterprise
Analytics: AN1108, AN1109, AN1110
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1108

Unexpected file creation in web directories followed by web server processes (e.g., w3wp.exe) spawning command shells or script interpreters (e.g., cmd.exe, powershell.exe)

Log Sources
Data Component                   | Name                 | Channel
File Creation (DC0039)           | WinEventLog:Sysmon   | EventCode=11
Process Creation (DC0032)        | WinEventLog:Sysmon   | EventCode=1
Logon Session Creation (DC0067)  | WinEventLog:Security | EventCode=4624
Network Traffic Content (DC0085) | NSM:Flow             | Inbound HTTP POST with suspicious payload size or user-agent
Mutable Elements
Field         | Description
WebRootPath   | Custom web server directory depending on IIS or third-party hosting environment
ParentProcess | Different server binaries (e.g., php-cgi.exe, apache.exe) that may launch scripts

AN1109

File creation of unauthorized script (e.g., .php, .sh) in /var/www/html followed by execution of unexpected system utilities (e.g., curl, bash, nc) by apache/nginx

Log Sources
Data Component                   | Name           | Channel
File Creation (DC0039)           | auditd:SYSCALL | new file created in /var/www/html, /srv/http, or similar web root
Process Creation (DC0032)        | auditd:SYSCALL | apache2 or nginx spawning sh, bash, or python interpreter
Network Traffic Content (DC0085) | NSM:Flow       | POST requests to .php, .jsp, .aspx files with high entropy body
Mutable Elements
Field                   | Description
WebRootPath             | Web server root varies by distro and hosting configuration
PayloadEntropyThreshold | Base64 or XOR encoded shells may exceed this value
TimeWindow              | Correlate file creation with process spawn within X seconds

AN1110

Web servers (e.g., httpd) spawning abnormal processes post file upload into /Library/WebServer/Documents or /usr/local/var/www

Log Sources
Data Component             | Name             | Channel
Process Creation (DC0032)  | macos:unifiedlog | httpd spawning bash, zsh, python, or osascript
File Modification (DC0061) | auditd:SYSCALL   | file write operations in /Library/WebServer/Documents
Mutable Elements
Field           | Description
InterpreterName | Adversary may use different scripting environments
ExecutionParent | Not all web servers are named httpd; may differ in custom deployments
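All three analytics (AN1108, AN1109, AN1110) describe the same execution chain: a new script file lands under the web root, and shortly afterwards the web server process spawns a shell or interpreter. The correlation below is an added example written for this page; it is not MITRE's code and is not tied to any particular SIEM. It assumes that Sysmon, auditd and unified log records have already been normalised into a common Event shape (host, timestamp, kind, path/parent/image), and it exposes the mutable elements from the tables above (WebRootPath, ParentProcess/ExecutionParent, InterpreterName, TimeWindow) as parameters so the same logic covers IIS, Apache/nginx and macOS httpd deployments. The sample events are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """A normalised file-create or process-create record (assumed pipeline output)."""
    ts: datetime
    host: str
    kind: str          # "file_create" or "process_create"
    path: str = ""     # file_create: full path of the new file
    parent: str = ""   # process_create: parent image (the web server binary)
    image: str = ""    # process_create: spawned image (shell / interpreter)


# Mutable elements from the analytics, expressed as tunables (constructed defaults).
WEB_ROOTS = [r"C:\inetpub\wwwroot", "/var/www/html", "/srv/http",
             "/Library/WebServer/Documents", "/usr/local/var/www"]
SERVER_BINARIES = ["w3wp.exe", "php-cgi.exe", "apache.exe", "apache2", "nginx", "httpd"]
INTERPRETERS = ["cmd.exe", "powershell.exe", "sh", "bash", "zsh", "python", "python3",
                "osascript", "curl", "nc"]
SCRIPT_EXTENSIONS = {"php", "jsp", "jspx", "asp", "aspx", "sh", "py", "cgi"}
TIME_WINDOW_SECONDS = 60


def _basename(path: str) -> str:
    """Lower-cased final path component; tolerates both \\ and / separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _under_root(path: str, roots) -> bool:
    """True when path lies strictly inside one of the configured web roots."""
    p = path.replace("\\", "/").lower().rstrip("/")
    return any(p.startswith(r.replace("\\", "/").lower().rstrip("/") + "/") for r in roots)


def correlate_web_shell_chains(events, web_roots=WEB_ROOTS, server_binaries=SERVER_BINARIES,
                               interpreters=INTERPRETERS, time_window=TIME_WINDOW_SECONDS,
                               script_extensions=SCRIPT_EXTENSIONS):
    """Pair web-root script creations with a later server->interpreter spawn on the same host.

    Returns one alert dict per (upload, spawn) pair that falls inside time_window seconds.
    """
    servers = {s.lower() for s in server_binaries}
    interps = {i.lower() for i in interpreters}
    alerts = []
    recent_uploads = []  # sliding window of candidate script drops

    for ev in sorted(events, key=lambda e: e.ts):
        # Drop uploads that are now too old to be chained with this event.
        recent_uploads = [u for u in recent_uploads
                          if (ev.ts - u.ts).total_seconds() <= time_window]

        if ev.kind == "file_create":
            ext = _basename(ev.path).rsplit(".", 1)[-1]
            if _under_root(ev.path, web_roots) and ext in script_extensions:
                recent_uploads.append(ev)

        elif (ev.kind == "process_create"
              and _basename(ev.parent) in servers
              and _basename(ev.image) in interps):
            for up in recent_uploads:
                if up.host == ev.host:
                    alerts.append({
                        "host": ev.host,
                        "dropped_file": up.path,
                        "parent": ev.parent,
                        "spawned": ev.image,
                        "delta_seconds": (ev.ts - up.ts).total_seconds(),
                    })
    return alerts


# Constructed sample telemetry covering the Windows, Linux and macOS analytics.
T0 = datetime(2025, 10, 21, 12, 0, 0)
SAMPLE_EVENTS = [
    # AN1108: IIS worker drops an .aspx under wwwroot, then launches cmd.exe 7 s later
    Event(T0, "iis01", "file_create", path=r"C:\inetpub\wwwroot\uploads\cmd.aspx"),
    Event(T0 + timedelta(seconds=7), "iis01", "process_create",
          parent=r"C:\Windows\System32\inetsrv\w3wp.exe", image=r"C:\Windows\System32\cmd.exe"),
    # AN1109: apache2 writes a .php into the web root, then spawns bash 3 s later
    Event(T0 + timedelta(seconds=30), "web02", "file_create", path="/var/www/html/images/x.php"),
    Event(T0 + timedelta(seconds=33), "web02", "process_create",
          parent="/usr/sbin/apache2", image="/bin/bash"),
    # Not chained: the file is outside every web root, so the spawn has no matching drop
    Event(T0 + timedelta(seconds=100), "web03", "file_create", path="/tmp/cache.php"),
    Event(T0 + timedelta(seconds=102), "web03", "process_create",
          parent="/usr/sbin/nginx", image="/usr/bin/python3"),
    # AN1110 shape, but the spawn is 700 s after the drop, outside the 60 s window
    Event(T0 + timedelta(seconds=200), "mac01", "file_create",
          path="/Library/WebServer/Documents/a.php"),
    Event(T0 + timedelta(seconds=900), "mac01", "process_create",
          parent="/usr/sbin/httpd", image="/bin/zsh"),
]


def run_sample():
    """Apply the correlation to the constructed events; expected: two chained alerts."""
    return correlate_web_shell_chains(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)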