# WebShells

This demo assumes a server compromise and that the attacker has already uploaded a webshell to the compromised host for persistence.

## Execution

Below illustrates a simple webshell on a compromised Windows Server 2008 R2 host at 10.0.0.6 running the IIS web service, together with the output of the classic host enumeration commands (`net`, `whoami`, `ipconfig`, etc.):

![](/files/-LIlormD3ElNfCK64DXd)

## Observations

Note that this particular webshell sends its commands to the web server in the body of HTTP POST requests. IIS logs the request line and the query string, not the request body, so the IIS web logs will not show which commands were executed through the webshell. All you will see is a series of POST requests to the `c.aspx` file:

![](/files/-LIlorn6ehx0vOHTisXX)

However, if you are collecting network traffic data, you can see the attacker's commands and their outputs:

![](/files/-LIlormZDTYrEyjlL0fh)

![](/files/-LIlseogsMAGXqsx7_QX)
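The two observations above, as an added example written for this page (not code from the original post): a parser for IIS W3C log lines that flags clients repeatedly POSTing to a single script page and shows that the recorded query string for those requests is always empty, plus a function that pulls the command out of a reassembled HTTP request, which is where a network sensor sees it. The log excerpt, the raw request and the `cmd` form field name are constructed assumptions, not data from the page.

```python
"""Why IIS logs hide the webshell commands, and how to spot the shell anyway.

Added example written for this page; it is not code from the original post.
Both the W3C log excerpt and the raw HTTP request below are constructed, and
the form field name `cmd` is an assumption about how this shell carries its
command (real shells use arbitrary parameter names).
"""
from collections import Counter
from urllib.parse import parse_qs

# Constructed IIS W3C extended log excerpt (not a real capture). The
# cs-uri-query column is '-' on every POST because IIS logs the query string,
# never the request body.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2018-07-20 10:00:01 10.0.0.6 GET /index.html - 80 10.0.0.5 Mozilla/5.0 200
2018-07-20 10:00:05 10.0.0.6 GET /c.aspx - 80 10.0.0.5 Mozilla/5.0 200
2018-07-20 10:00:09 10.0.0.6 POST /c.aspx - 80 10.0.0.5 Mozilla/5.0 200
2018-07-20 10:00:12 10.0.0.6 POST /c.aspx - 80 10.0.0.5 Mozilla/5.0 200
2018-07-20 10:00:15 10.0.0.6 POST /c.aspx - 80 10.0.0.5 Mozilla/5.0 200
2018-07-20 10:00:20 10.0.0.6 POST /c.aspx - 80 10.0.0.5 Mozilla/5.0 200
2018-07-20 10:00:30 10.0.0.6 GET /images/logo.png - 80 10.0.0.7 Mozilla/5.0 200
2018-07-20 10:00:31 10.0.0.6 POST /login.aspx - 80 10.0.0.7 Mozilla/5.0 302
"""

# Constructed raw request as a network sensor would reassemble it; the command
# travels in the body, which is exactly what the log above lacks.
SAMPLE_REQUEST = (
    "POST /c.aspx HTTP/1.1\r\n"
    "Host: 10.0.0.6\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 13\r\n"
    "\r\n"
    "cmd=net+users"
)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def suspicious_post_targets(text, threshold=3):
    """Clients that POST repeatedly to one script page: {(c-ip, stem): count}."""
    counts = Counter()
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        if rec["cs-method"] == "POST" and stem.endswith((".aspx", ".asp", ".ashx", ".asmx")):
            counts[(rec["c-ip"], stem)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def logged_queries(text, uri_stem):
    """Every cs-uri-query value IIS recorded for a URI ('-' means empty)."""
    return [rec["cs-uri-query"] for rec in parse_w3c(text)
            if rec["cs-uri-stem"].lower() == uri_stem.lower()]


def command_from_request(raw, field="cmd"):
    """Recover the operator's command from a reassembled HTTP POST request."""
    head, _, body = raw.partition("\r\n\r\n")
    method = head.split("\r\n", 1)[0].split(" ", 1)[0]
    if method != "POST":
        return None  # a GET-based shell would show the command in cs-uri-query instead
    form = parse_qs(body, keep_blank_values=True)
    return form.get(field, [None])[0]


if __name__ == "__main__":
    for (ip, stem), n in suspicious_post_targets(SAMPLE_LOG).items():
        print(f"{ip} sent {n} POSTs to {stem}; logged query strings: "
              f"{set(logged_queries(SAMPLE_LOG, stem))}")
    print("command seen on the wire:", command_from_request(SAMPLE_REQUEST))
```

The log-side rule is deliberately crude: a burst of POSTs to one `.aspx` from one client is also what a login form or an AJAX endpoint looks like, so treat it as a lead to pivot on (file creation time of the target page, process creation on the host) rather than an alert on its own. The request-side function only works when you have full-content capture or a proxy that logs bodies; NetFlow-style metadata is no better than the IIS log here.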

Looking at Sysmon process creation logs, we can immediately identify the malicious behaviour: multiple enumeration commands are being invoked from the `c:\windows\system32\inetsrv` working directory under the `IIS APPPOOL\DefaultAppPool` user. Under normal circumstances the IIS worker process has no reason to run command-line enumeration tools such as `net` or `whoami`, so this should raise your suspicion:

![](/files/-LIlormx2iVGvOhoXyNG)
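The Sysmon observation above turned into a detection rule, as an added example written for this page (not code from the original post): parse Sysmon process creation events (Event ID 1) and flag shell or enumeration binaries created in an IIS context, meaning under an `IIS APPPOOL\` identity, with `w3wp.exe` as the parent, or from the `inetsrv` working directory. The events are constructed in the Windows event XML shape that `wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml` emits, reduced to the fields the rule needs; the paths, the account names and the tool list are illustrative assumptions.

```python
"""Flag Sysmon process-creation events (Event ID 1) that look like commands
run through a webshell: a shell or enumeration tool started in the IIS worker
process context (app-pool identity, w3wp.exe parent, inetsrv working dir).

Added example written for this page, not code from the original post. The
events are constructed in the Windows event XML shape that
`wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml` emits, reduced to
the fields the rule needs; paths and names are illustrative.
"""
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Binaries typically run for host enumeration right after a webshell lands
# (assumed list; extend to taste).
ENUM_TOOLS = {"cmd.exe", "powershell.exe", "net.exe", "net1.exe", "whoami.exe",
              "ipconfig.exe", "systeminfo.exe", "tasklist.exe", "hostname.exe"}


def make_event(image, cmdline, cwd, user, parent):
    """Build a minimal Sysmon Event ID 1 record (constructed, not captured)."""
    return f"""<Event xmlns="{NS['e']}">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">{image}</Data>
    <Data Name="CommandLine">{cmdline}</Data>
    <Data Name="CurrentDirectory">{cwd}</Data>
    <Data Name="User">{user}</Data>
    <Data Name="ParentImage">{parent}</Data>
  </EventData>
</Event>"""


INETSRV = r"C:\Windows\System32\inetsrv"
SAMPLE_EVENTS = [
    # Normal: the worker process itself, started by the service host.
    make_event(INETSRV + r"\w3wp.exe", "w3wp.exe -ap DefaultAppPool", INETSRV + "\\",
               r"IIS APPPOOL\DefaultAppPool", r"C:\Windows\System32\svchost.exe"),
    # Webshell: cmd.exe spawned by w3wp.exe under the app-pool identity ...
    make_event(r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami", INETSRV + "\\",
               r"IIS APPPOOL\DefaultAppPool", INETSRV + r"\w3wp.exe"),
    # ... and the enumeration tools it runs in turn.
    make_event(r"C:\Windows\System32\whoami.exe", "whoami", INETSRV + "\\",
               r"IIS APPPOOL\DefaultAppPool", r"C:\Windows\System32\cmd.exe"),
    make_event(r"C:\Windows\System32\net.exe", "net users", INETSRV + "\\",
               r"IIS APPPOOL\DefaultAppPool", r"C:\Windows\System32\cmd.exe"),
    # Benign: an administrator running the same tool from an interactive shell.
    make_event(r"C:\Windows\System32\whoami.exe", "whoami", r"C:\Users\admin" + "\\",
               r"WIN2008R2\admin", r"C:\Windows\System32\cmd.exe"),
]


def parse_event(xml_text):
    """Return the EventData fields plus the numeric EventID."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    data["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    return data


def is_webshell_exec(ev):
    """True when an enumeration/shell binary is created in an IIS context."""
    if ev.get("EventID") != 1:
        return False
    if ntpath.basename(ev["Image"]).lower() not in ENUM_TOOLS:
        return False
    in_apppool = ev["User"].upper().startswith("IIS APPPOOL\\")
    from_w3wp = ntpath.basename(ev["ParentImage"]).lower() == "w3wp.exe"
    in_inetsrv = ev["CurrentDirectory"].lower().rstrip("\\").endswith("\\inetsrv")
    return in_apppool or from_w3wp or in_inetsrv


def triage(events):
    """Command lines of the matching events, in log order."""
    return [ev["CommandLine"] for ev in map(parse_event, events) if is_webshell_exec(ev)]


if __name__ == "__main__":
    for cmdline in triage(SAMPLE_EVENTS):
        print("webshell command execution:", cmdline)
```

The three conditions are deliberately OR-ed: the first command usually has `w3wp.exe` as its parent, but the tools it launches in turn have `cmd.exe` as parent and are caught only by the app-pool identity or the working directory. Expect false positives from web applications that legitimately shell out from the worker process; those are rare enough that allow-listing the specific image and command line is the right fix, not relaxing the rule.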

## References

{% embed url="https://attack.mitre.org/wiki/Technique/T1108" %}
