Webshell Deployment

Detects deployment of web shells, backdoor scripts, and malicious web application files

14 rules in webshell_deployment.yml

CRITICAL: 11 | HIGH: 3

| Rule ID | Severity | Title | Description | Refs |
|---|---|---|---|---|
| antsword_webshell | CRITICAL | AntSword Webshell Deployment | Deploys content associated with AntSword, a webshell management platform | |
| aspx_webshell | CRITICAL | ASPX Webshell Deployment | Deploys an ASPX file with Process.Start or cmd.exe invocation patterns | |
| behinder_webshell | CRITICAL | Behinder Webshell Deployment | Deploys content associated with Behinder (冰蝎), an encrypted webshell supporting PHP/JSP/.NET | |
| china_chopper_webshell | CRITICAL | China Chopper Webshell Pattern | Detects the classic China Chopper one-liner pattern that evaluates HTTP request parameters | |
| godzilla_webshell | CRITICAL | Godzilla Webshell Deployment | Deploys content associated with Godzilla, a Java/.NET encrypted webshell framework | |
| jsp_webshell | CRITICAL | JSP Webshell Deployment | Deploys a JSP file with Runtime.exec or ProcessBuilder patterns used in webshells | |
| named_php_shells | CRITICAL | Known PHP Webshell Deployment (b374k/c99/r57) | Deploys known named PHP webshells (b374k, c99, r57) to web-accessible paths | |
| nodejs_web_backdoor | CRITICAL | Node.js Web Backdoor Deployment | Writes Node.js files combining HTTP server functionality with child_process command execution to web directories | |
| php_webshell | CRITICAL | PHP Webshell Deployment | Deploys a PHP file containing shell execution functions commonly used in webshells | |
| python_webshell | CRITICAL | Python Webshell / Backdoor Server | Starts a Python HTTP server with command execution capabilities | |
| weevely_webshell | CRITICAL | Weevely Webshell Generator | Invokes weevely, a PHP backdoor generator that creates encrypted webshells with shell-like sessions | |
| cgi_script_deployment | HIGH | CGI Script Deployment to Web Directory | Deploys a .pl/.py/.sh/.rb/.cgi script under /var/www/cgi-bin (or the nginx/lampp/srv equivalents). Executable scripts in CGI directories are the classic webshell deployment shape. | |
| perl_cgi_webshell | HIGH | Perl CGI Webshell Deployment | Deploys Perl CGI scripts with system execution capabilities to web directories | |
| web_directory_write | HIGH | Suspicious File Write to Web Root | Writes executable or script files directly to web server document roots | |