Web shells are malicious files uploaded to compromised web servers to perform attacker-specified actions, such as downloading files onto the server, providing directory listings, or making files on the server available for the attacker to download. On April 22nd, the NSA tweeted a link to a 17-page document on detecting and preventing web shells. Because web shells are often deployed as scripts written in a language such as PHP, they can be difficult to detect: they are easy to obfuscate, and the script can be changed each time it is deployed. To help organizations put the document into practice, the NSA also maintains a GitHub repository dedicated to web shell detection and mitigation.
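Because the script's content can change on every deployment, a check that does not depend on recognizing that content is useful: compare the web root against a manifest of hashes taken from a trusted deployment. The following is an added example, not code from the NSA document or repository; the extension list, file names and sample web root are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed list of server-side script extensions to surface first
SCRIPT_EXTS = {".php", ".phtml", ".jsp", ".jspx", ".asp", ".aspx"}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline, current):
    """Return (kind, path) findings, server-side scripts listed first."""
    findings = []
    for path, digest in current.items():
        if path not in baseline:
            findings.append(("added", path))       # file unknown to the baseline
        elif baseline[path] != digest:
            findings.append(("modified", path))    # content differs from baseline
    findings += [("removed", p) for p in baseline if p not in current]
    def rank(f):
        return (Path(f[1]).suffix.lower() not in SCRIPT_EXTS, f[1])
    return sorted(findings, key=rank)

def demo():
    """Constructed sample: a tiny web root before and after tampering."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "uploads").mkdir()
        (root / "index.php").write_text("<?php echo 'home'; ?>")
        (root / "style.css").write_text("body { margin: 0 }")
        baseline = build_manifest(root)  # taken from the trusted deployment
        # Simulated changes, using inert placeholder content only
        (root / "uploads" / "img_cache.php").write_text("<?php /* placeholder */ ?>")
        (root / "index.php").write_text("<?php echo 'home'; /* changed */ ?>")
        (root / "style.css").unlink()
        return compare(baseline, build_manifest(root))

if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:9} {path}")
```

The baseline manifest has to be stored somewhere the web server account cannot write, otherwise an intruder can update it alongside the files.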