S0598: P.A.S. Webshell
P.A.S. Webshell is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.[1]
Analyst context for executives and security teams
P.A.S. Webshell matters because it represents a publicly available PHP webshell that can give an intruder remote access and command execution on a web server. For leaders, the practical risk is not the tool name; it is whether internet-facing PHP/web infrastructure can be used as a persistent gateway into Linux or Windows environments, followed by discovery, file access, tool transfer, credential guessing, and database collection behavior reflected in the ATT&CK relationships.
Executive priority
Prioritize this as a web-server resilience and incident-readiness issue. Ask whether externally reachable web applications have strong file integrity monitoring, web access logging, command execution visibility, and rapid containment procedures. The relationship to multiple ATT&CK techniques makes this relevant to audit evidence for monitoring coverage, vulnerability and configuration management of web servers, and IR decisions about whether a suspicious PHP file is only a website issue or a potential entry point into broader systems and data stores.
Technical view
SOC and IR teams should validate coverage around Linux and Windows web servers running PHP-capable applications. ATT&CK provides no dedicated detection text for this malware, so detection should be derived from the related behaviors: web shell persistence, web-protocol command and control, command/script execution, file and directory discovery, local account discovery, software and network service discovery, ingress tool transfer, file deletion, obfuscation/deobfuscation, permission changes on Linux/macOS-style file systems, password guessing, local data collection, and database collection. Treat a suspected P.A.S. Webshell as a starting point for scoping follow-on activity, not as an isolated web artifact.
Likely telemetry
- Web server access logs and error logs for unusual PHP requests, administrative paths, parameters, user agents, and source patterns
- File integrity and deployment telemetry for new or modified PHP files under web-accessible directories
- Process creation telemetry from web server parent processes launching command or scripting interpreters
- Host file system events covering discovery, deletion, permission changes, and unexpected tool placement
- Network telemetry for outbound HTTP/S or web-protocol traffic from web servers and internal service discovery behavior
Detection direction
- Baseline expected web application file changes so newly introduced or modified PHP files in web roots can be investigated quickly.
- Correlate web requests with downstream host activity, especially a web server process spawning shells, interpreters, discovery commands, file operations, or network utilities.
- Tune detections for web-protocol traffic from servers that normally should not initiate arbitrary outbound sessions, while allowing for legitimate application integrations.
- Investigate web server access followed by local file discovery, account discovery, software discovery, service scanning, or database access as a higher-confidence pattern than any single event.
- Account for common blind spots: limited logging on legacy web servers, lack of command-line telemetry on Linux, missing file integrity coverage for application directories, and insufficient database audit logging.
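The correlation described in the second and fourth bullets above, as an added example that is not part of the ATT&CK object or this page's source: it runs over constructed Apache-style access-log lines and Linux process-creation events, and the web-parent and interpreter name lists are assumptions to tune for a local stack.

```python
import os
import re
from datetime import datetime, timezone

# Constructed sample telemetry (not from the page): access-log lines and
# process-creation events from a Linux web server running PHP.
ACCESS_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "POST /uploads/cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [12/Mar/2024:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
PROC_EVENTS = [
    {"ts": "2024-03-12T10:01:03", "parent": "php-fpm", "exe": "/usr/bin/perl", "user": "www-data"},
    {"ts": "2024-03-12T10:01:06", "parent": "php-fpm", "exe": "/usr/bin/php", "user": "www-data"},
    {"ts": "2024-03-12T10:20:00", "parent": "apache2", "exe": "/bin/sh", "user": "www-data"},
    {"ts": "2024-03-12T10:30:00", "parent": "cron", "exe": "/bin/sh", "user": "root"},
]

# Assumed process names for this environment; adjust to the local web stack.
WEB_PARENTS = {"php-fpm", "apache2", "httpd", "nginx"}
INTERPRETERS = {"sh", "bash", "dash", "perl", "python", "python3", "nc", "ncat", "socat"}
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')


def parse_access_log(lines):
    """Return POST requests to .php paths as dicts with a UTC-aware timestamp."""
    posts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?")[0].endswith(".php"):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            posts.append({"src": m["src"], "path": m["path"], "ts": ts})
    return posts


def correlate(access_lines, proc_events, window_s=5):
    """Flag interpreters spawned by web-server parents (medium confidence); raise to
    high when a PHP POST precedes the spawn by at most window_s seconds."""
    posts = parse_access_log(access_lines)
    alerts = []
    for ev in proc_events:
        if ev["parent"] not in WEB_PARENTS or os.path.basename(ev["exe"]) not in INTERPRETERS:
            continue
        spawn_ts = datetime.fromisoformat(ev["ts"]).replace(tzinfo=timezone.utc)
        hit = next((p for p in posts if 0 <= (spawn_ts - p["ts"]).total_seconds() <= window_s), None)
        alerts.append({"event": ev, "request": hit, "confidence": "high" if hit else "medium"})
    return alerts


if __name__ == "__main__":
    for a in correlate(ACCESS_LOG, PROC_EVENTS):
        req = a["request"]
        print(a["confidence"], a["event"]["parent"], "->", a["event"]["exe"],
              f"after POST {req['path']} from {req['src']}" if req else "(no matching POST)")
```

The php-fpm to php and cron to sh events are deliberately left unflagged so the rule stays quiet on routine application and scheduler activity.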
Mitigation priorities
- Reduce exposure of PHP-capable web applications through patching, secure configuration, least-privilege service accounts, and restricted administrative access.
- Implement controlled deployment and file integrity monitoring for web directories so unauthorized PHP content is detectable and reversible.
- Limit what web server identities can execute, read, modify, and reach on the network, especially databases and internal services.
- Constrain outbound connectivity from web servers to required destinations and monitor exceptions.
- Strengthen authentication controls and lockout/rate-limiting where password guessing could affect reachable services.
Analyst notes and limits
The supplied ATT&CK object identifies P.A.S. Webshell as a publicly available multifunctional PHP webshell in use since at least 2016. It is related to Sandworm Team and Ember Bear via 'uses' relationships, and it maps to multiple techniques spanning persistence, execution, discovery, credential access, collection, command and control, stealth, and defense impairment. These relationships support broad defensive scoping, but they do not by themselves prove activity in any specific environment.
Official detection text is not provided, tactics are not specified on the malware object, and no indicators, file names, hashes, or procedural details are included in the supplied fields. Local technology stack, web application design, logging depth, and change-management records are required to determine exposure and detection quality.
P.A.S. Webshell
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | P.A.S. Webshell can use a decryption mechanism to process a user supplied password and allow execution.[1] |
| Enterprise | T1083 | File and Directory Discovery | P.A.S. Webshell has the ability to list files and file characteristics including extension, size, ownership, and permissions.[1] |
| Enterprise | T1505.003 | Web Shell (sub-technique) | P.A.S. Webshell can gain remote access and execution on target web servers.[1] |
| Enterprise | T1005 | Data from Local System | P.A.S. Webshell has the ability to copy files on a compromised host.[1] |
| Enterprise | T1222.002 | Linux and Mac File and Directory Permissions Modification (sub-technique) | P.A.S. Webshell has the ability to modify file permissions.[1] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | P.A.S. Webshell can issue commands via HTTP POST.[1] |
| Enterprise | T1059 | Command and Scripting Interpreter | P.A.S. Webshell has the ability to create reverse shells with Perl scripts.[1] |
| Enterprise | T1518 | Software Discovery | P.A.S. Webshell can list PHP server configuration details.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | P.A.S. Webshell can use encryption and base64 encoding to hide strings and to enforce access control once deployed.[1] |
| Enterprise | T1070.004 | File Deletion (sub-technique) | P.A.S. Webshell can delete scripts from a subdirectory of /tmp after they are run.[1] |
| Enterprise | T1046 | Network Service Discovery | P.A.S. Webshell can scan networks for open ports and listening services.[1] |
| Enterprise | T1213.006 | Databases (sub-technique) | P.A.S. Webshell has the ability to list and extract data from SQL databases.[1] |
| Enterprise | T1110.001 | Password Guessing (sub-technique) | P.A.S. Webshell can use predefined users and passwords to execute brute force attacks against SSH, FTP, POP3, MySQL, MSSQL, and PostgreSQL services.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | P.A.S. Webshell can upload and download files to and from compromised hosts.[1] |
| Enterprise | T1087.001 | Local Account (sub-technique) | P.A.S. Webshell can display the /etc/passwd file on a compromised host.[1] |
Groups, software, and campaigns
G1003: Ember Bear
Ember Bear is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).[1] Ember Bear has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.[2] Ember Bear conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022.[3][4][1] There is some confusion as to whether Ember Bear overlaps with another Russian-linked entity referred to as Saint Bear. At present, available evidence strongly suggests these are distinct activities with different behavioral profiles.[2][5]
G0034: Sandworm Team
Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]
In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c6c4c5b09d85… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ANSSI Sandworm January 2021. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
[2] Fobushell (alias; see NCCIC AR-17-20045 February 2017).
[3] NCCIC AR-17-20045 February 2017. NCCIC. (2017, February 10). Enhanced Analysis of GRIZZLY STEPPE Activity. Retrieved April 12, 2021.
[4] mitre-attack S0598 (MITRE ATT&CK source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.