Webshell Deployment

§ Where this technique fits

§ Dossiers chaining this technique

• ProxyShell → SYSTEM on Exchange → DA

  Pre-auth ProxyShell chain (path confusion + EWS email-to-PowerShell + arbitrary file write) deploys a webshell as SYSTEM. Same post-exploitation as ProxyLogon.

  step 3 / 6

• ProxyLogon → webshell on Exchange → DA

  Unauth SSRF + auth bypass against on-prem Exchange (CAS) — write a webshell as SYSTEM on the Exchange server, dump LSASS for cached domain creds, pivot to DA.

  step 3 / 6

• Spring4Shell (CVE-2022-22965) → JSP webshell on Tomcat

  Send a crafted POST that uses Spring's data-binding to mutate Tomcat's logging configuration — turn its access log into a JSP file written under webapps/, then request it.

  step 4 / 6

• MOVEit Transfer (CVE-2023-34362) → mass data exfil (Cl0p)

  Pre-auth SQLi in MOVEit's web UI forges an admin session. .NET deserialisation chain drops a webshell as SYSTEM. Cl0p's 2023 mass-exfil playbook: download every file under /var/files.

  step 4 / 6

• Unpatched Confluence (CVE-2023-22515) → internal foothold

  Internal Confluence instance reachable from the corporate VLAN. Trivial privilege-escalation CVE creates an admin user; webshell uploaded; pivot into AD service accounts.

  step 4 / 6

• File upload bypass → webshell → RCE

  Upload filter checks extension or MIME but not magic bytes / final path. Bypass via double extension, content-type spoof, or polyglot, then call the dropped script.

  step 4 / 6

• LFI → log poisoning → RCE

  Local file inclusion that reads the web server's access log. Send a request whose User-Agent contains PHP, then LFI the log file to execute it.

  step 6 / 6

§ What commonly comes next

1. 01
   LSASS via procdump / comsvcs.dll

   W-LSASS-PROCDUMP · Credential Access
   seen 3×
2. 02
   Command and Scripting Interpreter

   T1059 · Execution
   seen 1×
3. 03
   Exfiltration Over C2 Channel

   T1041 · Exfiltration
   seen 1×
4. 04
   OS Command Injection

   W-CMDI · Execution
   seen 1×