T1505.003 Web Shell
T1505.003 — Web Shell is a MITRE ATT&CK technique in the Persistence tactic. Clankerusecase tracks 53 detection use cases covering it and 20 threat-intel articles citing it.
Tactic: Persistence
Use cases: 53
Articles: 20
Sub-techniques: 0
Tactics: 1
↑ Parent technique: T1505 · Server Software Component
Use cases covering this technique (53)
[WEEKLY] Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint
[WEEKLY] Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit)
[WEEKLY] Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution
[WEEKLY] Post-Auth Privilege Boundary Crossing on Edge/Management Appliances (low-priv -> admin within 10m)
[WEEKLY] Self-hosted application service spawns shell or SSH within seconds of inbound unauthenticated API write
[WEEKLY] Service-process parent spawns subprocess containing CLI-argument-injection tokens
[WEEKLY] Web-Server Process Post-Exploit Anchor: Plugin/Extension RCE Leading to Shell Spawn or Webroot Script Drop
Detect Exchange Web Shell
MS Exchange Mailbox Replication service writing Active Server Pages
Windows Metasploit Confluence Plugin Execution
Windows Potential Web Shell Creation For VMware Workspace ONE
Windows SharePoint Spinstall0 Webshell File Creation
Windows Suspicious Child Process Spawned From WebServer
Windows TeamCity Payload Execution from Temp Directory
Windows TeamCity Plugin Installed
Windows WSUS Spawning Shell
Cisco Configuration Archive Logging Analysis
Cisco Secure Firewall - Privileged Command Execution via HTTP
Exploit Public Facing Application via Apache Commons Text
Spring4Shell Payload URL Request
Supernova Webshell
Tomcat Session Deserialization Attempt
Tomcat Session File Upload Attempt
Web JSP Request via URL
Windows SharePoint Spinstall0 GET Request
Windows SharePoint ToolPane Endpoint Exploitation Attempt
Detect Webshell Exploit Behavior
W3WP Spawning Shell
[LLM] Write to Splunk .pgpass or ssg_enable_modular_input.py from unexpected process
[LLM] Unexpected .jsp files written under PSEMHUB.war web application
[LLM] PeopleSoft XMLDecoder persistence — XML file changes under envmetadata/data/environment
[LLM] Webserver process writes PHP-executable file to public web-root or upload directory (CVE-2026-48062)
[LLM] Webserver / PHP interpreter spawns shell or LOLBin — post-upload RCE indicator
[LLM] HTTP.sys / IIS w3wp.exe spawning shell or LOLBin (CVE-2026-47291 post-exploit)
[LLM] Pheditor CVE-2026-48030 — webshell drop: PHP / web account writing .php to webroot
[LLM] Erlang .beam compiled module dropped to /tmp, /dev/shm, or %TEMP% by BEAM runtime
[LLM] w3wp.exe spawning interpreter or LOLBin (http.sys exploitation / IIS RCE marker)
[LLM] Web-server process (php-fpm / apache / nginx / w3wp) spawning shell or network tooling
[LLM] Phar archive or PHPSpreadsheet RCE marker written by web-server process
[LLM] VerdantBamboo BRICKSTORM / PLENET / AGENTPSD file-hash IOCs
[LLM] DbGate Zip Slip (CVE-2026-47669): node process writes outside archive dir to OS-sensitive paths
[LLM] Hazy Scorpius (CL0P) Oracle EBS exploitation via CVE-2025-61882 — concurrent processing spawns shell/wget
[LLM] Apache Camel JVM writing files to sensitive paths via camel-file (CVE-2026-47323 arbitrary file write)
[LLM] Algernon web server spawning shell child process (CVE-2026-45721 handler.lua RCE)
[LLM] handler.lua dropped outside Algernon's configured web root (CVE-2026-45721 backdoor stage)
[LLM] PHP / IIS web-server writes .php/.phtml/.phar to webroot (post-SSTI webshell drop)
[LLM] n8n Node.js parent spawning OS shell — post-exploit RCE indicator for CVE-2026-44791
[LLM] XenShell / Godzilla / Behinder JSP webshell file write on Cisco SD-WAN Manager
[LLM] Java/Tomcat process writes .jsp webshell file to disk (CVE-2026-40478 post-exploit drop)
[LLM] Inbound HTTP request bearing sidoraress backdoor x-operation operator tokens
[LLM] Compromised tj-actions/changed-files commit SHA referenced on host (CVE-2025-30066 IOC hunt)
[LLM] Struts CVE-2023-50164 path-traversal upload — HTTP exploit attempt
[LLM] Tomcat/Java process writes .jsp/.jspx webshell into webapp directory

Articles citing this technique (20)
[crit] ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities (art-37)