MITRE ATT&CK Technique
Description
**This technique has been deprecated and should no longer be used.**

Adversaries may add malicious content to an internally accessible website through an open network file share that contains the website's webroot or Web content directory (Citation: Microsoft Web Root OCT 2016) (Citation: Apache Server 2018) and then browse to that content with a Web browser to cause the server to execute the malicious content. The malicious content will typically run under the context and permissions of the Web server process, often resulting in local system or administrative privileges, depending on how the Web server is configured.

This mechanism of shared access and remote execution could be used for lateral movement to the system running the Web server. For example, a Web server running PHP with an open network share could allow an adversary to upload a remote access tool and PHP script to execute the RAT on the system running the Web server when a specific page is visited. (Citation: Webroot PHP 2011)
Supported Platforms
Windows
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-05-31T21:30:46.047Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': '**This technique has been deprecated and should no longer be '
'used.**\n'
'\n'
'Adversaries may add malicious content to an internally '
'accessible website through an open network file share that '
"contains the website's webroot or Web content directory "
'(Citation: Microsoft Web Root OCT 2016) (Citation: Apache '
'Server 2018) and then browse to that content with a Web '
'browser to cause the server to execute the malicious content. '
'The malicious content will typically run under the context '
'and permissions of the Web server process, often resulting in '
'local system or administrative privileges, depending on how '
'the Web server is configured.\n'
'\n'
'This mechanism of shared access and remote execution could be '
'used for lateral movement to the system running the Web '
'server. For example, a Web server running PHP with an open '
'network share could allow an adversary to upload a remote '
'access tool and PHP script to execute the RAT on the system '
'running the Web server when a specific page is visited. '
'(Citation: Webroot PHP 2011)',
'external_references': [{'external_id': 'T1051',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1051'},
{'description': 'Apache. (n.d.). Apache HTTP Server '
'Version 2.4 Documentation - Web Site '
'Content. Retrieved July 27, 2018.',
'source_name': 'Apache Server 2018',
'url': 'http://httpd.apache.org/docs/2.4/getting-started.html#content'},
{'description': 'Brandt, Andrew. (2011, February 22). '
'Malicious PHP Scripts on the Rise. '
'Retrieved October 3, 2018.',
'source_name': 'Webroot PHP 2011',
'url': 'https://www.webroot.com/blog/2011/02/22/malicious-php-scripts-on-the-rise/'},
{'description': 'Microsoft. (2016, October 20). How '
'to: Find the Web Application Root. '
'Retrieved July 27, 2018.',
'source_name': 'Microsoft Web Root OCT 2016'},
{'external_id': 'CAPEC-563',
'source_name': 'capec',
'url': 'https://capec.mitre.org/data/definitions/563.html'}],
'id': 'attack-pattern--804c042c-cfe6-449e-bc1a-ba0a998a70db',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'lateral-movement'}],
'modified': '2025-10-24T17:49:01.739Z',
'name': 'Shared Webroot',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': True,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.1'}