Glossary

Web shell


A web shell is a malicious script an attacker plants on a compromised web server to run commands remotely and keep persistent access.

Definition

A web shell is a small malicious script, most often PHP, ASP.NET (ASPX) or JSP, that an attacker writes into a directory the web server executes on a compromised host. Once in place it accepts attacker commands carried in ordinary web requests and runs them under the web server's account, giving a durable remote-control channel that needs no new listening port or outbound beacon: the traffic arrives on the same HTTP(S) port the application already exposes, and the access survives reboots for as long as the file does. Web shells are a common follow-on to exploiting an internet-facing application, used for persistence, file theft and lateral movement.

Web shells map to MITRE ATT&CK T1505.003 Server Software Component: Web Shell, and the exploit that drops one usually maps to T1190 Exploit Public-Facing Application. In a cloud environment the planted shell often does the attacker's cloud work for them, calling the instance metadata service for credentials or making API calls, so the host's process activity and the cloud control-plane logs both carry evidence.

Detection works on two surfaces: the web server (new or modified executable files in the web root, unusual child processes spawned by the web server) and the cloud control plane (API calls or credential use originating from a web server that should never make them). Catching the second surface matters because a web shell on a cloud host is often the bridge to the wider account.

FAQ

What programming languages are web shells written in?

Web shells are written in whatever the target server executes, most often PHP, ASP.NET (ASPX), JSP or, on some appliances, Perl and Python. They are deliberately small and may be obfuscated or hidden inside a legitimate file, so detection focuses on behaviour, new files in the web root and unexpected processes, rather than on a fixed signature.

How do attackers install a web shell?

An attacker first exploits an internet-facing application, for example an unrestricted file-upload feature, an unauthenticated remote code execution or arbitrary file-write flaw, or a path-traversal bug that lets a write land in the web root, then places the script there or overwrites an existing page with a backdoored copy. That initial access maps to ATT&CK T1190 Exploit Public-Facing Application, and the planted shell itself is T1505.003 Web Shell.
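The upload flaw described in this answer, shown as a vulnerable handler beside a hardened one. This is an added example, not code from the page or from any named application; the directory layout, function names and the four sample uploads are constructed for the demonstration.

```python
import secrets
import tempfile
from pathlib import Path

# Extensions a typical web server hands to an interpreter: a file with one of
# these under the web root is a web shell waiting for its first request.
SERVER_EXECUTED = {".php", ".phtml", ".phar", ".asp", ".aspx", ".jsp", ".jspx", ".cgi"}
# What this hypothetical avatar-upload endpoint accepts: extension -> magic bytes.
ALLOWED = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".gif": b"GIF8"}


def save_upload_vulnerable(web_root, filename, data):
    """The flaw: the client-supplied name picks both the extension and, through
    '..', the directory, and the target is inside the web root, so whatever
    lands there is served and executed."""
    dest = Path(web_root) / "uploads" / filename   # no normalisation, no allowlist
    dest.write_bytes(data)
    return dest


def save_upload_hardened(store_dir, filename, data):
    """Only the suffix is taken from the client and checked against an allowlist,
    the bytes must match that type, the server picks the name, and the file is
    written outside the web root (served back via a download handler, never run)."""
    ext = Path(filename).suffix.lower()
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext or '(none)'} not allowed")
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match declared type")
    name = secrets.token_hex(16) + ext             # random, no separators, no 'php' anywhere
    dest = Path(store_dir) / name
    dest.write_bytes(data)
    return dest


def demo():
    """Feed the same four constructed uploads to both handlers in throwaway
    directories and report what ended up where, as plain strings."""
    web_root = Path(tempfile.mkdtemp(prefix="webroot-")).resolve()
    (web_root / "uploads").mkdir()
    store = Path(tempfile.mkdtemp(prefix="upload-store-")).resolve()  # outside the web root
    uploads = [
        ("avatar.png", ALLOWED[".png"] + b"\x00" * 16),                 # legitimate
        ("cmd.php", b"<?php /* executed if served */ ?>"),             # shell by extension
        ("../index.php", b"<?php /* overwrites a real page */ ?>"),    # traversal into web root
        ("shell.png", b"<?php /* script behind an image name */ ?>"),  # wrong magic bytes
    ]
    results = {}
    for name, data in uploads:
        written = save_upload_vulnerable(web_root, name, data).resolve()
        results[f"vulnerable:{name}"] = written.relative_to(web_root).as_posix()
        try:
            save_upload_hardened(store, name, data)
            results[f"hardened:{name}"] = "stored"
        except ValueError as err:
            results[f"hardened:{name}"] = f"rejected: {err}"
    # What a web-root file check would report after the vulnerable handler ran.
    results["executable_in_web_root"] = sorted(
        p.relative_to(web_root).as_posix()
        for p in web_root.rglob("*") if p.is_file() and p.suffix.lower() in SERVER_EXECUTED
    )
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28} {value}")
```

The hardened version deliberately discards the client's file name: a random server-chosen name defeats both traversal and double-extension tricks, and storing outside the web root means even a file that slips past the magic-byte check is only ever returned as bytes, never executed.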

How do you detect a web shell?

Watch for new or changed executable files in web-served directories, judged against a known-good baseline such as the deployment manifest or a file-integrity snapshot; the web-server process spawning shells or system commands; and outbound connections or cloud API calls from a server that normally only serves pages. On cloud hosts, metadata-service access from the web-server process, or the instance role's credentials being used outside the small API set the application needs or from an address that is not the instance, is a strong signal the shell is pivoting into the account.
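The three checks from the Definition section and this answer (web-root file changes, web-server worker behaviour, control-plane calls), run over constructed sample data. This is an added example and not code from MITRE or any vendor; the event field names, process names, addresses and the role policy are assumptions chosen to resemble common telemetry, not a real schema.

```python
import hashlib
import os
import tempfile

WEB_EXEC_EXT = {".php", ".phtml", ".asp", ".aspx", ".jsp", ".jspx", ".cgi", ".pl"}
# Worker process names for common web servers and app runtimes (assumed names).
WEB_SERVERS = {"httpd", "apache2", "nginx", "php-fpm", "w3wp.exe", "tomcat"}
# Children a web worker has no business spawning.
SHELLS_AND_TOOLS = {"sh", "bash", "dash", "cmd.exe", "powershell.exe", "whoami", "curl", "wget", "nc"}
IMDS_ADDR = "169.254.169.254"   # link-local instance metadata address on the major clouds


def snapshot(web_root):
    """Return {relative posix path: sha256} for every regular file under web_root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, web_root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def new_or_changed_executables(baseline, current):
    """Web-root surface: files the server would execute that are absent from,
    or differ from, the known-good baseline (deploy manifest or FIM snapshot)."""
    return sorted(
        path for path, digest in current.items()
        if os.path.splitext(path)[1].lower() in WEB_EXEC_EXT and baseline.get(path) != digest
    )


def suspicious_host_events(events):
    """Host surface: a web-server worker spawning a shell or system tool, or
    opening a connection to the instance metadata service."""
    findings = []
    for ev in events:
        if ev["kind"] == "exec" and ev["parent"] in WEB_SERVERS and ev["child"] in SHELLS_AND_TOOLS:
            findings.append(f"{ev['parent']} spawned {ev['child']}: {ev['cmdline']}")
        elif ev["kind"] == "connect" and ev["process"] in WEB_SERVERS and ev["dst"] == IMDS_ADDR:
            findings.append(f"{ev['process']} contacted the metadata service at {ev['dst']}")
    return findings


def suspicious_cloud_calls(events, role_policy):
    """Control-plane surface: the web server's instance role calling APIs it never
    needs, or its credentials being used from an address that is not the instance."""
    findings = []
    for ev in events:
        policy = role_policy.get(ev["role"])
        if policy is None:
            continue                                  # other roles are out of scope here
        api = f"{ev['eventSource']}:{ev['eventName']}"
        if ev["sourceIPAddress"] != policy["ip"]:
            findings.append(f"{ev['role']} credentials used from {ev['sourceIPAddress']}, "
                            f"not the instance ({policy['ip']}): {api}")
        elif api not in policy["apis"]:
            findings.append(f"{ev['role']} called {api}, outside its expected API set")
    return findings


# Constructed sample telemetry; field names are assumptions, not a real schema.
HOST_EVENTS = [
    {"kind": "exec", "parent": "systemd", "child": "bash", "cmdline": "bash /usr/local/bin/backup.sh"},
    {"kind": "exec", "parent": "php-fpm", "child": "sh", "cmdline": "sh -c 'whoami; id'"},
    {"kind": "connect", "process": "php-fpm", "dst": IMDS_ADDR},
    {"kind": "connect", "process": "php-fpm", "dst": "10.0.2.15"},   # the app's own database
]
CLOUD_EVENTS = [  # CloudTrail-shaped, heavily simplified
    {"role": "web-server-role", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "sourceIPAddress": "203.0.113.10"},
    {"role": "web-server-role", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers", "sourceIPAddress": "203.0.113.10"},
    {"role": "web-server-role", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.10"},
    {"role": "web-server-role", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "sourceIPAddress": "198.51.100.7"},
    {"role": "ci-role", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers", "sourceIPAddress": "198.51.100.7"},
]
ROLE_POLICY = {"web-server-role": {"apis": {"s3.amazonaws.com:GetObject"}, "ip": "203.0.113.10"}}


def demo_web_root():
    """Build a throwaway web root, baseline it, then plant a script, backdoor a
    page and touch a non-executable asset so the file check has a mix to judge."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "assets"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>")
    with open(os.path.join(root, "assets", "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG")
    baseline = snapshot(root)
    with open(os.path.join(root, "assets", "cache.php"), "w") as fh:   # new: planted
        fh.write("<?php /* planted */ ?>")
    with open(os.path.join(root, "index.php"), "a") as fh:              # modified: backdoored page
        fh.write("\n<?php /* appended */ ?>")
    with open(os.path.join(root, "assets", "logo.png"), "ab") as fh:    # modified but not executable
        fh.write(b"\x00")
    return new_or_changed_executables(baseline, snapshot(root))


if __name__ == "__main__":
    for line in demo_web_root() + suspicious_host_events(HOST_EVENTS) + suspicious_cloud_calls(CLOUD_EVENTS, ROLE_POLICY):
        print("ALERT:", line)
```

The control-plane check treats a call from the wrong source address as more serious than an unexpected API: the same role calling the same permitted API from a non-instance address means the credentials have already left the host, which a file or process check on the web server alone would never see.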


Sources
  • MITRE ATT&CK T1505.003, https://attack.mitre.org/techniques/T1505/003/
  • MITRE ATT&CK T1190, https://attack.mitre.org/techniques/T1190/
Last verified: 2026-06-03