MODULE 07
Hunting Web Shells
Finding malicious ASPX/PHP files using file integrity monitoring and log analysis.
Web Shell Indicators
Web shells are backdoors uploaded to web servers.
File Anomalies: ASPX/PHP files in upload directories
IIS Logs: POST requests to unusual files
Process Execution: w3wp.exe spawning cmd.exe
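The IIS log indicator above can be turned into a simple hunt. The following is an added example, not part of the original module: it parses W3C-format IIS log lines and flags POSTed script files that sit in an upload directory or receive repeated POSTs from a single client. The log lines are constructed sample data, and the directory names and the single-client heuristic are assumptions to tune per site.

```python
from collections import defaultdict

# Constructed IIS W3C extended log sample (not from a real server).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-10 09:00:01 10.0.0.5 GET /default.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2024-01-10 09:00:05 10.0.0.5 POST /login.aspx - 443 - 198.51.100.7 Mozilla/5.0 302
2024-01-10 09:00:09 10.0.0.5 POST /login.aspx - 443 - 198.51.100.8 Mozilla/5.0 302
2024-01-10 09:01:12 10.0.0.5 POST /uploads/avatar.aspx - 443 - 203.0.113.44 Mozilla/5.0 200
2024-01-10 09:01:40 10.0.0.5 POST /uploads/avatar.aspx - 443 - 203.0.113.44 Mozilla/5.0 200
2024-01-10 09:02:00 10.0.0.5 GET /uploads/photo.jpg - 443 - 198.51.100.8 Mozilla/5.0 200
"""

SCRIPT_EXTS = (".aspx", ".ashx", ".asp", ".php")
UPLOAD_DIRS = ("/uploads/", "/upload/", "/files/", "/images/")  # assumed names; tune per site

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated or malformed rows
                yield dict(zip(fields, values))

def suspicious_posts(text):
    """Return {uri: reasons} for POSTed script files that look like web shell candidates."""
    posts, clients = defaultdict(int), defaultdict(set)
    for row in parse_w3c(text):
        uri = row["cs-uri-stem"].lower()
        if row["cs-method"] == "POST" and uri.endswith(SCRIPT_EXTS):
            posts[uri] += 1
            clients[uri].add(row["c-ip"])
    findings = {}
    for uri in posts:
        reasons = []
        if any(d in uri for d in UPLOAD_DIRS):
            reasons.append("script in upload directory")
        if len(clients[uri]) == 1 and posts[uri] > 1:
            reasons.append("repeated POSTs from a single client")
        if reasons:
            findings[uri] = reasons
    return findings

if __name__ == "__main__":
    for uri, reasons in suspicious_posts(SAMPLE_LOG).items():
        print(uri, "->", ", ".join(reasons))
```

A hit from this hunt is a lead, not a verdict: confirm it against the other two indicators, the file's presence and creation time on disk and any w3wp.exe child processes around the same timestamps.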