P.A.S. Webshell is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.[1]
Name | Description |
---|---|
Fobushell |
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1087 | .001 | Account Discovery: Local Account |
P.A.S. Webshell can display the /etc/passwd file on a compromised host.[1] |
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
P.A.S. Webshell can issue commands via HTTP POST.[1] |
Enterprise | T1110 | .001 | Brute Force: Password Guessing |
P.A.S. Webshell can use predefined users and passwords to execute brute force attacks against SSH, FTP, POP3, MySQL, MSSQL, and PostgreSQL services.[1] |
Enterprise | T1059 | Command and Scripting Interpreter |
P.A.S. Webshell has the ability to create reverse shells with Perl scripts.[1] |
|
Enterprise | T1213 | Data from Information Repositories |
P.A.S. Webshell has the ability to list and extract data from SQL databases.[1] |
|
Enterprise | T1005 | Data from Local System |
P.A.S. Webshell has the ability to copy files on a compromised host.[1] |
|
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
P.A.S. Webshell can use a decryption mechanism to process a user supplied password and allow execution.[1] |
|
Enterprise | T1083 | File and Directory Discovery |
P.A.S. Webshell has the ability to list files and file characteristics including extension, size, ownership, and permissions.[1] |
|
Enterprise | T1222 | .002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification |
P.A.S. Webshell has the ability to modify file permissions.[1] |
Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
P.A.S. Webshell can delete scripts from a subdirectory of /tmp after they are run.[1] |
Enterprise | T1105 | Ingress Tool Transfer |
P.A.S. Webshell can upload and download files to and from compromised hosts.[1] |
|
Enterprise | T1046 | Network Service Discovery |
P.A.S. Webshell can scan networks for open ports and listening services.[1] |
|
Enterprise | T1027 | Obfuscated Files or Information |
P.A.S. Webshell can use encryption and base64 encoding to hide strings and to enforce access control once deployed.[1] |
|
Enterprise | T1505 | .003 | Server Software Component: Web Shell |
P.A.S. Webshell can gain remote access and execution on target web servers.[1] |
Enterprise | T1518 | Software Discovery |
P.A.S. Webshell can list PHP server configuration details.[1] |
ID | Name | References |
---|---|---|
G1003 | Ember Bear |
Ember Bear has used P.A.S. Webshell during intrusions.[3] |
G0034 | Sandworm Team |