T1505.003 - Web Shell - MITRE ATT&CK - Cyber Threat Intelligence

T1505.003 - Web Shell

Sub-technique

Tattiche:
Persistence

Piattaforme:
Linux macOS Network Devices Windows

Rilevamento:
Not specified

Description:

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW)

In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013)

Usato da Attori (20)

APT28
Nation-state

APT29
Nation-state

OilRig
Nation-state

Volatile Cedar
Unknown

APT32
Nation-state

Tonto Team
Nation-state

APT5
Unknown

Kimsuky
Nation-state

MUSTANG PANDA
Nation-state

APT39
Unknown

Sea Turtle
Unknown

GALLIUM
Unknown

Fox Kitten
Unknown

HAFNIUM
Unknown

BackdoorDiplomacy
Unknown

FIN13
Unknown

Volt Typhoon
Unknown

Medusa Group
Unknown

Dragonfly
Unknown

Sandworm Team
Unknown

Malware (19)

SEASHARPEE other reGeorg other BUSHWALK other P.A.S. Webshell other GLASSTOKEN other ASPXSpy other China Chopper other SnappyTCP other LIGHTWIRE other Line Runner other RAPIDPULSE other PULSECHECK other OwaAuth other SUPERNOVA other Neo-reGeorg other FRAMESTING other WIREFIRE other STEADYPULSE other SLIGHTPULSE other

Metadata

MITRE ID:	T1505.003
STIX ID:	attack-pattern--5d0d3609-d06d-...
Piattaforme:	Linux, macOS, Network Devices, Windows
Created:	13/01/2026 17:48
Updated:	06/03/2026 16:00