Microsoft has reported observing around 140,000 web shells a month, up from roughly 77,000 last August. Through web shell attacks, hackers can execute commands on a hacked server via a graphical or command-line interface, control that server, steal data and login credentials, use the devices to launch two-stage attacks, and move laterally throughout the network.
The company’s stats show the crucial role of web shells as an entry point and persistence mechanism in attacks on public-facing systems in corporate IT networks. Detection is difficult because web shells can be written in almost any programming language that runs on a web server, such as ASP, JSP, JS, or PHP.