CircleCI Atomic Red Team doc generator
36 lines
1.5 KiB
Markdown
36 lines
1.5 KiB
Markdown
# T1100 - Web Shell
|
|
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1100)
|
|
<blockquote>A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (see, for example, China Chopper Web shell client). (Citation: Lee 2013)
|
|
|
|
Web shells may serve as [Redundant Access](https://attack.mitre.org/techniques/T1108) or as a persistence mechanism in case an adversary's primary access methods are detected and removed.</blockquote>
|
|
|
|
## Atomic Tests
|
|
|
|
- [Atomic Test #1 - Web Shell Written to Disk](#atomic-test-1---web-shell-written-to-disk)
|
|
|
|
|
|
<br/>
|
|
|
|
## Atomic Test #1 - Web Shell Written to Disk
|
|
This test simulates an adversary leveraging Web Shells by simulating the file modification to disk.
|
|
Idea from APTSimulator.
|
|
cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
#### Inputs
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| web_shell_path | The path to drop the web shell | string | C:\inetpub\wwwroot|
|
|
| web_shells | Path of Web Shell | path | C:\AtomicRedTeam\atomics\T1100\shells\|
|
|
|
|
#### Run it with `command_prompt`!
|
|
```
|
|
xcopy #{web_shells} #{web_shell_path}
|
|
```
|
|
|
|
|
|
|
|
<br/>
|