Adversaries may add malicious content to an internally accessible website through an open network file share that contains the website's webroot or Web content directory   and then browse to that content with a Web browser to cause the server to execute the malicious content. The malicious content will typically run under the context and permissions of the Web server process, often resulting in local system or administrative privileges, depending on how the Web server is configured.
This mechanism of shared access and remote execution could be used for lateral movement to the system running the Web server. For example, a Web server running PHP with an open network share could allow an adversary to upload a remote access tool and PHP script to execute the RAT on the system running the Web server when a specific page is visited. 
|Limit Access to Resource Over Network||Disallow remote access to the webroot or other directories used to serve Web content.|
|Network Segmentation||Networks that allow for open development and testing of Web content and allow users to set up their own Web servers on the enterprise network may be particularly vulnerable if the systems and Web servers are not properly secured to limit unauthenticated network share access and network/system isolation|
|Privileged Account Management||Networks that allow for open development and testing of Web content and allow users to set up their own Web servers on the enterprise network may be particularly vulnerable if the systems and Web servers are not properly secured to limit privileged account use and unauthenticated network share access.|
|Restrict File and Directory Permissions||Disable execution on directories within the webroot. Ensure proper permissions on directories that are accessible through a Web server.|
|User Account Management||Ensure that permissions of the Web server process are only what is required by not using built-in accounts; instead, create specific accounts to limit unnecessary access or permissions overlap across multiple systems.  |
Use file and process monitoring to detect when files are written to a Web server by a process that is not the normal Web server process or when files are written outside of normal administrative time periods. Use process monitoring to identify normal processes that run on the Web server and detect processes that are not typically executed.
- Microsoft. (2016, October 20). How to: Find the Web Application Root. Retrieved July 27, 2018.
- Apache. (n.d.). Apache HTTP Server Version 2.4 Documentation - Web Site Content. Retrieved July 27, 2018.
- Brandt, Andrew. (2011, February 22). Malicious PHP Scripts on the Rise. Retrieved October 3, 2018.