Web Shells: The Hacker's Pearl in a Sea of Networked Environments
In this blog post, we break down what a web shell is and why it poses a risk to a digital environment, review a recent event involving malicious web shells, and how to best protect against such a simple yet lethal attack.
What is a web shell?
A web shell is a server-side script that offers a user interface, allowing an individual to remotely access and administer a web server. While used for legitimate purposes, web shells have been a part of recent malicious cyber attacks.
Web shells are written in a web scripting language (e.g. PHP, JavaScript). Threat actors will upload web shells to vulnerable servers after they've achieved initial access to target devices. Initial access can be achieved through the exploitation of web applications, such as SQL injections or directory traversal attacks (remote file inclusion or local file inclusion, or through alternate means.
Once a web shell is on the target device, the threat actors are able to execute remote commands and exercise a level of control over the device.
Case study: HAFNIUM and Microsoft Exchange server vulnerabilities
Earlier this year, Chinese state-sponsored hackers made headlines after taking advantage of four vulnerabilities on Microsoft Exchange servers to gain initial access to target networks. Once they had ingressed, the threat actors utilized web shells to conduct post-compromise reconnaissance and exploitation. Among those actions were credential dumping (which you can read more about on my previous blog post here), data exfiltration, and gather victim organization information.
The web shell utilized by the hackers, who are also known as HAFNIUM as dubbed by Microsoft, was an ASPX-based web shell. Microsoft provided the image shown below as an example of one of the web shells utilized in the campaign:

In an effort to better blend into the target environment and avoid detection, the threat actors used file names such as "web.aspx" and "help.aspx" to give the impression that the files were meant to be in the target path. More IOCs were provided by Microsoft here.
How to protect against malicious web shells
Based on the previous details, it's evident that the level of access and potential privileges achieved by a web shell are cause for concern. How does one protect against something with such a minimal footprint? Below are some recommendations on how to reduce the odds of a web shell achieving nefarious objectives within an environment:
Patching systems: Swift security updates to devices as soon as the updates become available reduce the chances of known vulnerabilities being exploited. Many folks know about "Patch Tuesday," being Microsoft's weekly patch release; however, some unfortunately find out the hard way about "Exploit Wednesday," which is when threat actors capitalize on freshly-identified vulnerabilities, write exploits, and attempt to take advantage of unpatched systems.
Familiarity and active surveillance: Open source research shows which file paths and names are most commonly associated with web shells in an environment. Network administrators should be familiar with their environment and know what is and isn't supposed to be there, especially on critical infrastructure on the network. Checking these typical target file paths regularly will help reduce the risk of something being there that shouldn't be. Note that this doesn't mean some poor soul has to manually slave away recursing through batches of file paths. Automation via scripting can allow an administrator to quickly compare between the last check and the current check to spot any differences. A helpful script can be found here.
Use the principle of least privilege: Review your firewall rules and ensure that external IP addresses are unable to connect to critical services that they shouldn't be connecting to. Additionally, block IPs that are known to be associated with malicious activity.
Review server logs: Parsing server logs routinely for common keywords associated with web shells can illuminate events that are indicative of a malicious web shell present on the device.
Additional Reading
Ghost in the shell: Investigating web shell attacks (Microsoft)
Falcon Complete Stops Microsoft Exchange Server Zero-Day Exploits (CrowdStrike)
Breaking Down the China Chopper Web Shell - Part I (Fireeye)
Web Shell Detection and Prevention (Acunetix)