T1505.003 — Web Shell

Technique

T1505.003

Tactics

Persistence

MISP citations

0

KEV CVEs mapped

26

Community rules

34

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1505/003

MITRE description

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW) In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013)

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2025-4427
• CVE-2025-42999
• CVE-2025-3928
• CVE-2025-35939
• CVE-2025-31324
• CVE-2024-21893
• CVE-2024-21887
• CVE-2023-46805
• CVE-2023-32315
• CVE-2023-26360
• CVE-2023-22952
• CVE-2023-20118
• CVE-2022-41082
• CVE-2022-22963
• CVE-2022-22954
• CVE-2021-44228
• CVE-2021-44077
• CVE-2021-40539
• CVE-2021-27860
• CVE-2021-27065
• CVE-2021-26858
• CVE-2021-26857
• CVE-2021-26855
• CVE-2020-0688
• CVE-2019-18935
• CVE-2019-0604

Detection coverage

SigmaHQ community rules

• Rejetto HTTP File Server RCE (emerging-threats)
• Oracle WebLogic Exploit (emerging-threats)
• Solarwinds SUPERNOVA Webshell Access (emerging-threats)
• CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit (emerging-threats)
• DEWMODE Webshell Access (emerging-threats)
• MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request (emerging-threats)
• Suspicious Process Spawned by CentreStack Portal AppPool (emerging-threats)
• Potential Java WebShell Upload in SAP NetViewer Server (emerging-threats)
• Potential SAP NetViewer Webshell Command Execution (emerging-threats)
• Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790) (emerging-threats)
• Execution From Webserver Root Folder (threat-hunting)
• Antivirus Web Shell Detection (core)
• Webshell Remote Command Execution (core)
• Shellshock Expression (core)
• Linux Webshell Indicators (core)
• Suspicious Windows Strings In URI (core)
• Webshell ReGeorg Detection Via Web Logs (core)
• Windows Webshell Strings (core)
• Certificate Request Export to Exchange Webserver (core)
• Mailbox Export to Exchange Webserver (core)
• Exchange Set OabVirtualDirectory ExternalUrl Property (core)
• Suspicious File Drop by Exchange (core)
• Suspicious ASPX File Drop by Exchange (core)
• Suspicious MSExchangeMailboxReplication ASPX Write (core)
• Suspicious File Write to Webapps Root Directory (core)

Showing 25 of 34 community rules — the full set is tagged attack.t1505.003 in SigmaHQ.

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.