MITRE ATT&CK / T1505.003
T1505.003
Web Shell
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW)In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013)
Platforms
Mitigations
- M1042 — Disable or Remove Feature or Program
- M1018 — User Account Management
Use our free MITRE ATT&CK lookup tool, or browse the full ATT&CK matrix.
Our coverage
- CVE-2026-9082: Critical Drupal SQL Injection Under Attack on Thousands of Sites
- CVE-2026-20182: Cisco Catalyst SD-WAN CVSS 10.0 Auth Bypass Actively Exploited
- cPanel and WHM Patch Three Vulnerabilities Including RCE and Privilege Escalation
- Metasploit Adds ARMLE Support to CVE-2026-31431 Copy Fail Linux Root Exploit
- Salt Typhoon Compromises 200+ Networks in Global PRC Telecom Espionage Campaign
Source: MITRE ATT&CK Enterprise matrix. View on attack.mitre.org →