Stealth Web Shell Hijacking

Attackers deploy these web shells through multiple vectors, most commonly by uploading malicious payloads via crafted POST requests to vulnerable endpoints on IIS servers or associated services such as SharePoint. The exploitation often relies on server software vulnerabilities, including authentication bypass flaws and remote code execution weaknesses in IIS modules or third-party applications. Attackers deliberately choose file names that blend in, such as spinstall0.aspx, spinstall1.aspx and cmd.aspx, so that the shells masquerade as legitimate system files and evade detection.

Once deployed, these web shells give adversaries extensive control over the server, allowing arbitrary command execution, data exfiltration and privilege escalation. The attackers typically establish persistence by creating new local user accounts, modifying existing credentials and installing remote access tools such as AnyDesk, configured to start automatically when the server reboots.

Web shells grant attackers comprehensive server control, enabling command execution, data theft, and persistent access through backdoor accounts and remote tools.

Attack chains frequently begin with systematic reconnaissance using built-in commands such as whoami, systeminfo and ipconfig to gather system information. Exfiltration relies on archiving tools like 7-Zip to compress target directories before the sensitive material is transferred, including MachineKey material that enables further cryptographic attacks. Once downloaded, the archives are deleted automatically to remove forensic evidence. Adversaries often establish reverse TCP connections using encoded PowerShell commands to maintain a persistent communication channel with the compromised server.

The most sophisticated attacks use IIS module-based web shells that hook request-processing event handlers to intercept requests silently, bypassing standard request logging. These implementations hide their communications in request bodies, headers, custom HTTP methods or non-existent URLs, turning every page on the server into a potential shell access point. Threat actors increasingly favor spawning child processes over loading code directly into w3wp.exe in an attempt to evade security monitoring.

Additional evasion techniques include obfuscated source code, dynamic payload loading, short-lived files and memory-only payloads, all of which greatly reduce the opportunities for detection. Command and control traffic uses encrypted or obfuscated channels, including reverse TCP PowerShell shells, while file and user account masquerading complicates detection by mimicking legitimate system artifacts.
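The indicators described above (masqueraded shell file names, recon commands, encoded PowerShell and shells spawned by the IIS worker process) can be turned into simple detection logic. The following is an added example, not code from the article: it runs over constructed IIS W3C log lines and constructed process-creation events with hypothetical field names, not a real EDR schema.

```python
import re

# Web shell file names the article names; a production list would be broader.
SUSPICIOUS_FILES = {"spinstall0.aspx", "spinstall1.aspx", "cmd.aspx"}
# Shells commonly spawned as children of the IIS worker process.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}
# Recon commands the article lists as typical first steps after access.
RECON_CMDS = {"whoami", "systeminfo", "ipconfig"}

# Constructed IIS W3C log excerpt: date time cs-method cs-uri-stem sc-status
IIS_LOG = """\
2024-01-01 10:00:01 GET /default.aspx 200
2024-01-01 10:00:02 POST /uploads/spinstall0.aspx 200
2024-01-01 10:00:03 POST /contact.aspx 200
2024-01-01 10:00:04 GET /uploads/cmd.aspx 200
"""

# Constructed process-creation events (hypothetical fields, not a real EDR schema)
PROC_EVENTS = [
    {"parent": "w3wp.exe", "child": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"parent": "w3wp.exe", "child": "powershell.exe", "cmdline": "powershell.exe -enc SQBFAFgA"},
    {"parent": "explorer.exe", "child": "powershell.exe", "cmdline": "powershell.exe Get-Date"},
    {"parent": "w3wp.exe", "child": "csc.exe", "cmdline": "csc.exe /out:app.dll"},
]

def flag_iis_requests(log_text):
    """Return URIs whose file name matches a known web shell name.
    Any method counts: a GET to cmd.aspx is as interesting as the POST that dropped it."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip header or truncated lines
        uri = parts[3]
        if uri.rsplit("/", 1)[-1].lower() in SUSPICIOUS_FILES:
            hits.append(uri)
    return hits

def classify_process_event(ev):
    """Return the reasons an event is suspicious (empty list if none apply)."""
    reasons = []
    if ev["parent"].lower() == "w3wp.exe" and ev["child"].lower() in SHELL_CHILDREN:
        reasons.append("shell spawned by IIS worker")
    cmd = ev["cmdline"]
    # -e, -ec, -enc and -EncodedCommand are all accepted spellings of the encoded switch
    if re.search(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?(?:\s|$)", cmd):
        reasons.append("encoded PowerShell")
    if any(tok.lower() in RECON_CMDS for tok in cmd.split()):
        reasons.append("recon command")
    return reasons

def flag_process_events(events):
    """Pair each suspicious command line with the reasons it was flagged."""
    return [(ev["cmdline"], classify_process_event(ev)) for ev in events if classify_process_event(ev)]
```

Run as-is, it flags both masqueraded shell URIs in the log and the two w3wp.exe child processes (one recon command, one encoded PowerShell), while the interactive Get-Date and the compiler invocation pass.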
