S1108: PULSECHECK
PULSECHECK is a web shell written in Perl that was used by APT5 as early as 2020 including against Pulse Secure VPNs at US Defense Industrial Base (DIB) companies.[1]
Analyst context for executives and security teams
PULSECHECK matters because it is a Perl web shell observed on VPN and network-device infrastructure, including Pulse Secure VPNs, where a compromise can become a durable entry point into sensitive environments. For executives and security leaders, the decision is not just malware cleanup; it is whether internet-facing access infrastructure has enough logging, integrity monitoring, patch governance, and incident response playbooks to demonstrate that a web shell would be found and contained.
Executive priority
Prioritize this as a resilience and evidence problem for externally exposed network devices and Linux-based web services. The supplied ATT&CK context links PULSECHECK to APT5 use and to web shell persistence, Unix shell execution, web-protocol command and control, and standard encoding. Leaders should ask whether VPN and network-device security is covered by the same detection, vulnerability management, and audit evidence standards as endpoints and servers, especially in defense, telecommunications, aerospace, or similarly sensitive operating environments.
Technical view
SOC and IR teams should validate visibility on Network Devices and Linux systems that host web-accessible services, especially VPN infrastructure. Because ATT&CK provides no official detection text for PULSECHECK, coverage should be derived from the related techniques: T1505.003 Web Shell, T1059.004 Unix Shell, T1071.001 Web Protocols, and T1132.001 Standard Encoding. Practical validation should focus on unexpected Perl or shell execution from web service contexts, suspicious web-accessible files or scripts, anomalous HTTP/S patterns to administrative or VPN paths, encoded command or response content, and post-compromise command execution evidence.
Likely telemetry
- VPN and network-device web access logs
- Web server request logs and administrative interface logs
- File integrity or configuration change records on web-accessible directories
- Process execution telemetry for Perl and Unix shell activity on Linux or network-device operating environments
- Network traffic metadata for HTTP/S sessions involving exposed appliances
Detection direction
- Confirm that internet-facing VPN and network-device logs are centralized, retained, and searchable; these assets are often a blind spot compared with managed endpoints.
- Hunt for web shell persistence indicators such as unexpected web-accessible Perl scripts, modified application files, or new files in appliance web directories, while accounting for legitimate vendor maintenance changes.
- Correlate web requests with local command execution where telemetry allows, especially Perl or Unix shell activity initiated by web service processes.
- Inspect suspicious HTTP/S traffic patterns for encoded parameters or payloads consistent with standard encoding, without assuming encoding alone is malicious.
- Use the APT5 relationship as threat-intelligence context for prioritization, not as proof of attribution in a local incident.
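The two checks above that most need working logic are the web-tree integrity hunt and the request triage for custom headers and encoded payloads. The block below is an added example written for this page; it is not PULSECHECK, Mandiant, or any vendor's code, and every path, host, header name and log line in it is constructed. It assumes the page's `HTTP_X_CMD` is a CGI-style variable name (RFC 3875 maps a request header `X-Cmd` to the environment variable `HTTP_X_CMD`), so it flags requests carrying `X-` headers outside a site-specific allowlist (`ALLOWED_X_HEADERS`, an assumption), and it flags base64 parameters that decode to mostly non-printable bytes, which is what encrypted C2 data looks like after standard encoding. Legitimate vendor changes will also show up in the tree diff, so the output is a hunt lead, not a verdict.

```python
"""Web shell hunt helpers (added example; not PULSECHECK, Mandiant or vendor code).
1. diff_web_tree: compare an appliance's web-accessible files against a baseline of
   vendor-shipped hashes; report new/modified files and which look like Perl CGI
   (T1505.003, T1059.004).
2. triage_log: flag requests with non-allowlisted X- headers (CGI exposes header
   "X-Cmd" as HTTP_X_CMD, the assumption behind this check) or base64 parameters
   that decode to non-text bytes (T1071.001, T1132.001).
All paths, hosts, header names and log lines are constructed for the example.
"""
import base64
import binascii
import hashlib
import json
import re

PERL_SHEBANG = re.compile(rb"^#!\s*\S*perl")
PERL_EXT = (".pl", ".cgi", ".pm")
# Assumption: site-specific allowlist of custom headers the appliance legitimately sees.
ALLOWED_X_HEADERS = {"x-forwarded-for", "x-request-id"}
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_web_tree(baseline: dict, current: dict) -> dict:
    """baseline: path -> sha256 of the vendor-shipped file; current: path -> bytes.
    Returns new and modified paths plus the subset that looks like Perl CGI."""
    report = {"new": [], "modified": [], "perl_suspects": []}
    for path, data in sorted(current.items()):
        if path not in baseline:
            report["new"].append(path)
        elif baseline[path] != sha256(data):
            report["modified"].append(path)
        else:
            continue  # unchanged vendor file
        if path.endswith(PERL_EXT) or PERL_SHEBANG.match(data):
            report["perl_suspects"].append(path)
    return report


def looks_like_encoded_binary(value: str) -> bool:
    """True when value is base64 and decodes to mostly non-printable bytes."""
    if not B64_TOKEN.match(value):
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    nonprint = sum(1 for b in raw if b < 32 or b > 126)
    return bool(raw) and nonprint / len(raw) > 0.3


def triage_request(entry: dict) -> list:
    """entry: one parsed access-log record (src, method, path, headers, params)."""
    reasons = []
    for name in entry.get("headers", {}):
        lname = name.lower()
        if lname.startswith("x-") and lname not in ALLOWED_X_HEADERS:
            cgi_var = "HTTP_" + name.upper().replace("-", "_")
            reasons.append(f"unexpected custom header {name} (visible to CGI as {cgi_var})")
    for key, value in entry.get("params", {}).items():
        if looks_like_encoded_binary(value):
            reasons.append(f"base64 parameter {key} decodes to non-text bytes")
    if reasons and entry.get("method") == "POST" and entry.get("path", "").endswith(PERL_EXT):
        reasons.append("POST to a Perl/CGI endpoint with the anomalies above")
    return reasons


def triage_log(lines) -> list:
    """Run triage_request over JSON access-log lines; return only flagged entries."""
    flagged = []
    for line in lines:
        entry = json.loads(line)
        reasons = triage_request(entry)
        if reasons:
            flagged.append({"src": entry.get("src"), "path": entry.get("path"), "reasons": reasons})
    return flagged


# --- constructed sample data (hypothetical appliance paths and hosts) ---
VENDOR_FILES = {
    "/appliance/www/cgi-bin/login.cgi": b"#!/usr/bin/perl\nuse strict;\nprint 'login';\n",
    "/appliance/www/cgi-bin/status.cgi": b"#!/usr/bin/perl\nprint 'ok';\n",
    "/appliance/www/static/app.js": b"console.log('ui');\n",
}
BASELINE = {path: sha256(data) for path, data in VENDOR_FILES.items()}
CURRENT_FILES = dict(VENDOR_FILES)
CURRENT_FILES["/appliance/www/cgi-bin/login.cgi"] += b"# appended line\n"       # modified
CURRENT_FILES["/appliance/www/cgi-bin/health.cgi"] = b"#!/usr/bin/perl\n# new\n"  # not in baseline

ENCODED = base64.b64encode(bytes((i * 37 + 11) % 256 for i in range(48))).decode()  # binary-looking
BENIGN_TOKEN = base64.b64encode(b"user=alice;session=1234567890").decode()          # decodes to text
ACCESS_LOG = [
    json.dumps({"src": "203.0.113.10", "method": "GET", "path": "/appliance/www/cgi-bin/status.cgi",
                "headers": {"User-Agent": "Mozilla/5.0", "X-Request-Id": "abc123"}, "params": {}}),
    json.dumps({"src": "198.51.100.7", "method": "POST", "path": "/appliance/www/cgi-bin/health.cgi",
                "headers": {"User-Agent": "curl/8.0", "X-Cmd": "1"}, "params": {"d": ENCODED}}),
    json.dumps({"src": "192.0.2.5", "method": "POST", "path": "/appliance/www/cgi-bin/login.cgi",
                "headers": {"User-Agent": "Mozilla/5.0"}, "params": {"user": "alice", "token": BENIGN_TOKEN}}),
]


def run_hunt() -> dict:
    return {"web_tree": diff_web_tree(BASELINE, CURRENT_FILES), "requests": triage_log(ACCESS_LOG)}


if __name__ == "__main__":
    print(json.dumps(run_hunt(), indent=2))
```

On the constructed data the tree diff reports `health.cgi` as new and `login.cgi` as modified, both as Perl suspects, and only the request from 198.51.100.7 is flagged: the benign session token is valid base64 but decodes to readable text, which is why the check looks at the decoded bytes rather than treating any base64 as hostile. On a real appliance, replace `CURRENT_FILES` with a walk of the web root and `BASELINE` with hashes taken from a known-good image or vendor package.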
Mitigation priorities
- Maintain a current inventory of exposed VPN, network-device, and Linux web-service assets, including ownership and logging status.
- Prioritize timely remediation and configuration hardening for internet-facing access infrastructure, particularly VPN appliances.
- Restrict and monitor administrative access to network devices and VPN platforms.
- Enable centralized logging, file integrity monitoring where feasible, and incident response collection procedures for appliances that may not support full endpoint agents.
- Prepare containment playbooks for suspected web shell activity, including credential review, device integrity validation, and forensic preservation.
Analyst notes and limits
The ATT&CK object identifies PULSECHECK as a Perl web shell used by APT5 as early as 2020, including against Pulse Secure VPNs at US Defense Industrial Base companies. Relationship context connects it to web shell persistence, Unix shell execution, web-protocol C2, and standard encoding. This supports defensive prioritization around exposed access infrastructure and appliance telemetry, but local evidence is required before making any incident-specific conclusion.
MITRE does not provide official detection guidance, aliases, labels, or object-level tactics for PULSECHECK. The assessment is constrained to the supplied platforms, description, external reference, and relationships; it does not establish current exploitation, customer exposure, or guaranteed detection coverage.
PULSECHECK
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.001 | Web Protocols (sub-technique) | PULSECHECK can check HTTP request headers for a specific backdoor key and if found will output the result of the command in the variable `HTTP_X_CMD`.[1] |
| Enterprise | T1059.004 | Unix Shell (sub-technique) | PULSECHECK can use Unix shell script for command execution.[1] |
| Enterprise | T1505.003 | Web Shell (sub-technique) | PULSECHECK is a web shell that can enable command execution on compromised servers.[1] |
| Enterprise | T1132.001 | Standard Encoding (sub-technique) | PULSECHECK can base-64 encode encrypted data sent through C2.[1] |
Groups, software, and campaigns
G1023: APT5
APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.[1][2][3][4][5][6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | (not recorded) | 1.1 | (not recorded) | Current bundle | a6b231f3cd64… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Mandiant. Retrieved February 5, 2024. (Cited by ATT&CK as "Mandiant Pulse Secure Zero-Day April 2021".)
[2] MITRE ATT&CK. S1108: PULSECHECK (software object page).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.