cti/enterprise-attack/attack-pattern/attack-pattern--804c042c-cfe6-449e-bc1a-ba0a998a70db.json

{
    "type": "bundle",
    "id": "bundle--ee1c32f8-3eee-4c67-847b-21dd99e480eb",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "attack-pattern",
            "id": "attack-pattern--804c042c-cfe6-449e-bc1a-ba0a998a70db",
            "created": "2017-05-31T21:30:46.047Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1051",
                    "external_id": "T1051"
                },
                {
                    "source_name": "Apache Server 2018",
                    "description": "Apache. (n.d.). Apache HTTP Server Version 2.4 Documentation - Web Site Content. Retrieved July 27, 2018.",
                    "url": "http://httpd.apache.org/docs/2.4/getting-started.html#content"
                },
                {
                    "source_name": "Webroot PHP 2011",
                    "description": "Brandt, Andrew. (2011, February 22). Malicious PHP Scripts on the Rise. Retrieved October 3, 2018.",
                    "url": "https://www.webroot.com/blog/2011/02/22/malicious-php-scripts-on-the-rise/"
                },
                {
                    "source_name": "Microsoft Web Root OCT 2016",
                    "description": "Microsoft. (2016, October 20). How to: Find the Web Application Root. Retrieved July 27, 2018."
                },
                {
                    "source_name": "capec",
                    "url": "https://capec.mitre.org/data/definitions/563.html",
                    "external_id": "CAPEC-563"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "modified": "2025-10-24T17:49:01.739Z",
            "name": "Shared Webroot",
            "description": "**This technique has been deprecated and should no longer be used.**\n\nAdversaries may add malicious content to an internally accessible website through an open network file share that contains the website's webroot or Web content directory (Citation: Microsoft Web Root OCT 2016) (Citation: Apache Server 2018) and then browse to that content with a Web browser to cause the server to execute the malicious content. The malicious content will typically run under the context and permissions of the Web server process, often resulting in local system or administrative privileges, depending on how the Web server is configured.\n\nThis mechanism of shared access and remote execution could be used for lateral movement to the system running the Web server. For example, a Web server running PHP with an open network share could allow an adversary to upload a remote access tool and PHP script to execute the RAT on the system running the Web server when a specific page is visited. (Citation: Webroot PHP 2011)",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "lateral-movement"
                }
            ],
            "x_mitre_attack_spec_version": "3.2.0",
            "x_mitre_deprecated": true,
            "x_mitre_domains": [
                "enterprise-attack"
            ],
            "x_mitre_is_subtechnique": false,
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_platforms": [
                "Windows"
            ],
            "x_mitre_version": "1.1"
        }
    ]
}