MITRE ATT&CK Technique
Persistence T1100
Description

A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (see, for example, China Chopper Web shell client). (Citation: Lee 2013)

Web shells may serve as [Redundant Access](https://attack.mitre.org/techniques/T1108) or as a persistence mechanism in case an adversary's primary access methods are detected and removed.

Supported Platforms
Linux, Windows, macOS
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2017-05-31T21:31:13.061Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'A Web shell is a Web script that is placed on an openly '
                'accessible Web server to allow an adversary to use the Web '
                'server as a gateway into a network. A Web shell may provide a '
                'set of functions to execute or a command-line interface on '
                'the system that hosts the Web server. In addition to a '
                'server-side script, a Web shell may have a client interface '
                'program that is used to talk to the Web server (see, for '
                'example, China Chopper Web shell client). (Citation: Lee '
                '2013)\n'
                '\n'
                'Web shells may serve as [Redundant '
                'Access](https://attack.mitre.org/techniques/T1108) or as a '
                "persistence mechanism in case an adversary's primary access "
                'methods are detected and removed.',
 'external_references': [{'external_id': 'T1100',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1100'},
                         {'external_id': 'CAPEC-650',
                          'source_name': 'capec',
                          'url': 'https://capec.mitre.org/data/definitions/650.html'},
                         {'description': 'Lee, T., Hanzlik, D., Ahl, I. (2013, '
                                         'August 7). Breaking Down the China '
                                         'Chopper Web Shell - Part I. '
                                         'Retrieved March 27, 2015.',
                          'source_name': 'Lee 2013',
                          'url': 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html'},
                         {'description': 'US-CERT. (2015, November 13). '
                                         'Compromised Web Servers and Web '
                                         'Shells - Threat Awareness and '
                                         'Guidance. Retrieved June 8, 2016.',
                          'source_name': 'US-CERT Alert TA15-314A Web Shells',
                          'url': 'https://www.us-cert.gov/ncas/alerts/TA15-314A'}],
 'id': 'attack-pattern--c16e5409-ee53-4d79-afdc-4099dc9292df',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'privilege-escalation'}],
 'modified': '2025-10-24T17:49:19.776Z',
 'name': 'Web Shell',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'Windows', 'macOS'],
 'x_mitre_version': '1.1'}