The number of monthly web shell attacks has almost doubled since last year, with an average of 140,000 such malicious tools being found on compromised servers every month Microsoft stated

Web shells are tools that threat actors deploy on hacked servers to gain and/or maintain access, as well as to remotely execute arbitrary code or commands, to move laterally within the network, or to deliver additional malicious payloads.

They can be deployed in a large variety of forms, from app plugins and PHP or ASP code snippets injected within web apps to programs designed to provide web shell features and Perl, Python, Ruby, and Unix shell script

The Microsoft Defender Advanced Threat Protection (ATP) team said that it was detecting an average of 77,000 web shells each month, based on data collected from roughly 46,000 distinct devices. 

Web shells trend

Microsoft also provided some tips on how to harden servers against attacks attempting to download and install a web shell.

The list of preventive measures that should prevent web shell attacks include:

  • Identify and remediate vulnerabilities or misconfigurations in web applications and web servers. Use Threat and Vulnerability Management to discover and fix these weaknesses. Deploy the latest security updates as soon as they become available.
  • Implement proper segmentation of your perimeter network, such that a compromised web server does not lead to the compromise of the enterprise network.
  • Enable antivirus protection on web servers. Cloud delivered soln to get the latest defenses against new and emerging threats.
  • Audit and review logs from web servers frequently. Be aware of all systems you expose directly to the internet.
  • Utilize the Windows Defender Firewall, intrusion prevention devices, and your network firewall to prevent command-and-control server communication among endpoints whenever possible, limiting lateral movement, as well as other attack activities.
  • Check your perimeter firewall and proxy to restrict unnecessary access to services, including access to services through non-standard ports.
  • Practice good credential hygiene. Limit the use of accounts with local or domain admin level privileges.