In addition, some endpoint detection and remediation (EDR) solutions and enhanced host logging solutions may be able to detect web shells. Snort rules can be used to detect common web shell files.

One of the most powerful tools in a threat actor’s arsenal is a web shell, used to infect servers — including those that aren’t internet-facing — to maintain persistent network access. Easily modified ...