DET0394: Web Shell Detection via Server Behavior and File Execution Chains
Analyst context for executives and security teams
This detection strategy is about finding web shell activity by looking beyond a single suspicious file and validating how a web server behaves when server-side files are executed. For leaders, the practical issue is persistence: the related ATT&CK technique, Web Shell, describes adversaries backdooring web servers to maintain access and potentially use the server as a gateway into the network.
Executive priority
Treat this as a resilience and incident-readiness control area for internet-facing and internally exposed web services. The key business question is whether the organization can prove it collects enough server, file, and process evidence to identify abnormal web server execution chains before persistence turns into broader access. This is also useful for audit and risk discussions because it ties detection coverage to a named ATT&CK persistence technique, T1505.003 Web Shell.
Technical view
MITRE provides the strategy name but no official description, detection logic, platforms, or tactics for DET0394. The relationship states that it detects T1505.003 Web Shell, which is associated with persistence and platforms including Linux, macOS, Network Devices, and Windows. SOC and detection teams should therefore validate visibility around web server behavior, server-side script/file execution, and child process or command execution patterns from web service contexts, while adapting details to the actual web technologies and operating systems in use.
Likely telemetry
- Web server access and error logs
- File creation, modification, and execution records in web-accessible directories
- Process creation telemetry showing web server parent/child execution chains
- Command-line and script execution logs where available
- Endpoint detection and response telemetry from web servers
Detection direction
- Map DET0394 coverage to T1505.003 Web Shell rather than treating it as a standalone fully specified analytic, because MITRE did not provide detection text for this object.
- Validate whether detections correlate server requests, file changes, and process execution instead of relying only on filename or extension matching.
- Tune for legitimate administrative, deployment, and application maintenance activity to reduce false positives around expected file writes and script execution.
- Prioritize visibility for systems hosting web services across the related ATT&CK platforms: Linux, macOS, Network Devices, and Windows, where applicable in the local environment.
- Check blind spots where web server logs, endpoint process telemetry, or file integrity evidence are missing, short-retained, or not centrally searchable.
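The correlation the second bullet above describes, written out as an added example (not part of this page or of MITRE's DET0394 object): a file write under the web root is linked to a request for that path and then to a command interpreter spawned by a web server process. The telemetry is constructed, and the web server process names, interpreter names and time windows are assumptions to be tuned to the local stack.

```python
from datetime import datetime, timedelta

# Parent processes that represent web server / app-server contexts (assumed list)
WEB_SERVER_PROCS = {"w3wp.exe", "httpd", "apache2", "nginx", "php-fpm"}
# Children that indicate command execution rather than normal request handling
COMMAND_PROCS = {"cmd.exe", "powershell.exe", "sh", "bash"}

def ev(ts, kind, **fields):
    """Build one normalized telemetry event with a parsed timestamp."""
    return {"ts": datetime.fromisoformat(ts), "type": kind, **fields}

# Constructed sample telemetry (not real logs): one benign deployment,
# one write -> request -> spawn chain, and one shell spawned by a non-web parent.
EVENTS = [
    ev("2024-01-01T10:00:00", "file", path="/var/www/html/index.php"),
    ev("2024-01-01T10:00:10", "request", path="/index.php", status=200),
    ev("2024-01-01T10:05:00", "file", path="/var/www/html/uploads/img.php"),
    ev("2024-01-01T10:06:00", "request", path="/uploads/img.php", status=200),
    ev("2024-01-01T10:06:01", "process", parent="php-fpm", image="sh", cmdline="sh -c id"),
    ev("2024-01-01T10:07:00", "process", parent="cron", image="sh", cmdline="sh /etc/cron.hourly/job"),
]

def find_execution_chains(events, webroot="/var/www/html",
                          write_to_request=timedelta(hours=24),
                          request_to_spawn=timedelta(seconds=5)):
    """Link a file write under webroot -> a request for that path ->
    a command interpreter spawned by a web server process shortly after.
    Only the full chain is reported, so a deployment that writes and serves
    a file without spawning a shell produces nothing."""
    events = sorted(events, key=lambda e: e["ts"])
    files = [e for e in events if e["type"] == "file" and e["path"].startswith(webroot)]
    requests = [e for e in events if e["type"] == "request"]
    spawns = [e for e in events if e["type"] == "process"
              and e["parent"] in WEB_SERVER_PROCS and e["image"] in COMMAND_PROCS]
    chains = []
    for f in files:
        url = f["path"][len(webroot):]
        for r in requests:
            if r["path"] != url or not (f["ts"] <= r["ts"] <= f["ts"] + write_to_request):
                continue
            for p in spawns:
                if r["ts"] <= p["ts"] <= r["ts"] + request_to_spawn:
                    chains.append({"file": f["path"], "request": r["path"],
                                   "parent": p["parent"], "cmdline": p["cmdline"]})
    return chains

if __name__ == "__main__":
    for c in find_execution_chains(EVENTS):
        print("web shell execution chain:", c)
```

On the sample data only the uploads/img.php write is reported; the index.php deployment and the cron-spawned shell are not, which is the false-positive behaviour the tuning bullet above asks for.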
Mitigation priorities
- Inventory web-exposed servers and confirm which are in scope for web shell monitoring and incident response playbooks.
- Harden change control and file integrity monitoring around web-accessible directories and server-side script locations.
- Ensure endpoint and server logging captures process creation, command-line context, and relevant file events on web servers.
- Limit web service account privileges so abnormal execution has reduced ability to persist or move further into the environment.
- Prepare IR procedures for suspected web shell persistence, including evidence preservation, scoping, credential review, and validation of authorized application changes.
Analyst notes and limits
DET0394 is a detection strategy object with only a name and external reference supplied. Its practical value comes from the relationship to T1505.003 Web Shell and the strategy title, which indicates emphasis on server behavior and file execution chains. Local web stack details, deployment practices, and available telemetry will determine what a usable detection looks like.
The official object fields supplied do not include a description, detection pseudocode, data sources, platforms, or tactics for DET0394. Any implementation must be validated against the organization’s actual web servers, operating systems, logging coverage, and normal administrative activity. No active exploitation, attribution, or guaranteed detection coverage is asserted.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a1c0bd731a51… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0394 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.