In a blog post published in February 2021, Microsoft noted that web shell attacks had been steadily increasing since mid-2020. There were 140,000 monthly web shell attacks from August 2020 to January 2021, more than twice the average from 2020. The increasing prevalence of these attacks has a simple reason: web shell attacks are easy to author and launch.

So, what are web shell attacks? Why should organizations be more aware of them? And most importantly, how can they protect themselves from these types of advanced cyber attacks?

What Is a Web Shell?

Before exploring web shell attacks, we first need to answer a more fundamental question: what is a web shell?

A web shell is a malicious script or program installed on a web server’s operating system. The shell can be weaponized by a threat actor to gain remote access to the server’s enterprise root directory, run malicious code, or modify or download enterprise files.

In other words, a web shell gives remote hackers read, write, and execution capabilities through a web browser. It also enables additional maneuverability for attackers to develop and execute malware attacks on-the-go.

What Is a Web Shell Attack?

In March 2021, a web shell attack executed by the Chinese cybercriminal group Hafnium made security headlines worldwide. This attack, based on malware called China Copper, targeted a critical vulnerability in Microsoft Exchange email servers.

Microsoft published a blog post highlighting how Hafnium targeted on-premises Exchange Servers with zero-day exploits, primarily in the United States. The attackers exploited existing vulnerabilities to access email accounts and installed additional malware to enable long-term access to these environments.

The China Copper malware has the ability to cause immense damage from a very small package. With a file size of just 4 KB, it provides file and database management, code obfuscation, and other capabilities.

According to Microsoft, several industries are vulnerable to this web shell attack, including:

  • Infectious disease (COVID-19) researchers
  • Law firms
  • Higher education institutions
  • Defense contractors
  • Policy think tanks
  • NGOs

A web shell attack is attractive to threat actors because they don’t need supplementary programs to execute it. In addition, a web shell can be easily developed in any common programming language such as PHP, ASP, ASPX, or .NET. The web shell can then be configured to receive execution instructions, just like any legitimate program.

To implement a web shell attack, an attacker first finds a target web server that contains vulnerable exposures, either in the software or in a plug-in. Then the attacker launches an attack before a patch for the vulnerability is installed. That’s why Microsoft’s blog refers to Hafnium’s web shell attacks in the context of zero-day exploits.

What Are the Dangers of a Web Shell Attack?

Web shells allow attackers to steal data or sensitive resources from victims. Once installed, the shell provides a backdoor to remotely access the compromised web server at any time. The browser acts as a “command console” that triggers the web server to execute the web shell script code. The attacker just accesses the web shell via his or her browser to launch the attack.

The backdoor also allows the attacker to persist in the compromised network, to establish a long-term malicious presence, to perform network reconnaissance, or to launch future malware or ransomware attacks.

In the China Copper attacks, attackers used a remote code execution vulnerability in Outlook Web Access to install web shells. Then they could browse to the URL where the web shell was located to execute malicious activities such as:

  • Run a virtual terminal to launch commands based on cmd.exe
  • Deliver malicious content or links
  • Rewrite scripts, protocols, or files
  • Generate fake news
  • Create malware or ransomware
  • Recruit the target system into a botnet

China Copper is a particularly dangerous web shell because it establishes a backdoor that remains in place even after the Exchange Server vulnerability is patched.


  • At least 10 hacking operations (APTs) are exploiting Exchange Server vulnerabilities;
  • The rate of attacks leveraging these vulnerabilities is doubling every two to three hours;
  • At least 82,000 servers are still unpatched;

In short, web shell attacks are increasingly prevalent, and the risk is extremely high. To mitigate the risk, cybersecurity teams must implement robust defense strategies.

6 Ways to Defend Against Web Shell Attacks

Web shells can be difficult to detect for two reasons. They are very small files; and they can easily be hidden in innocuous or legitimate files, such as photos.

Detection can be addressed, however, by implementing security controls at the interface of the Internet and internet-facing servers to analyze all script file writes and process executions. Another tactic is to compare suspected corrupted or malicious files against a known web shell syntax database, to weed out the malicious web shells before they cause too much damage.

Nonetheless, as cyber-attacks are on the rise, prevention is always better than detection. It’s easier to block attacks by fixing the exploitable vulnerabilities that facilitate the attack. Here are six ways organizations can defend against web shell attacks:

Patch All Software

Vulnerable web server software or plugins are a common attack vector for web shell injections. Security teams must block these entry points by patching and updating all software, including:

  • Web server software
  • Content management systems (CMS)
  • Web applications
  • Third-party software
  • Exchange Servers (the entry point for China Copper)

The best way to find existing vulnerabilities is to refer to a common vulnerabilities and exposures (CVE) directory, such as the one provided by Mitre, and perform regular vulnerability scanning of internet-facing systems.

Deploy an Endpoint Security Solution

An endpoint security solution can prevent web shell installations by analyzing script file writes and process executions to expose malicious behaviors. Attackers can easily modify web shells and bypass static protections. Endpoint security solutions overcome this problem by identifying related malicious activity through behavior inspections and detections.

Monitor File Integrity

By implementing file integrity monitoring and enabling alerts, security teams can identify any unexpected files or scripts into a web server’s directory in real-time; and then take prompt action to remove the web shell.

Make Sensitive Directories Harder to Discover

Any sensitive directory that facilitates file uploads can also enable the upload of malicious web shells. That’s why all default directory names should be changed to make these directories harder to discover. Further, only privileged users should have permissions and access. It’s also advisable to set up a filter for all permitted file types that can be uploaded to the web server.

Deploy Malware Detection Software and a Firewall

Malware detection software can detect web shell files on the web server. A web application firewall (WAF) is also vital since it filters network traffic to prevent web shells and malicious payloads from being injected into the web server.

Remove Unnecessary Plugins and Disable Web Server Functions

Eliminating unnecessary plugins reduces the cyberattack surface by reducing the number of vulnerable vectors an attacker may exploit for a web shell attack. Penetration testing can help find and mitigate such vulnerabilities. It’s also important to only install trusted plugins and disable unused web server functions to stop the execution of web shells.

Detect and Mitigate Threats With ZenGRC

Reduce your exposure and protect your organization from web shell attacks with ZenGRC. ZenGRC is an integrated security management platform that empowers security teams with improved visibility to better manage risks.

Automated workflows allow you to assign tasks, monitor progress, and follow up without manually sending messages. The ZenConnect feature enables integration with popular tools, such as Jira, ServiceNow, and Slack, ensuring seamless adoption within your enterprise.

ZenGRC’s automated features do the tedious tasks for you, allowing you to focus on the bigger picture. The result is more efficient and effective risk management. Contact us today to schedule a free demo of ZenGRC.