T1505.003
Description
The following data was produced to emulate IIS, w3wp.exe, spawning shells, simulating web shell activity. In addition, behavior related to Microsoft Exchange Server's Unified Messaging services, umworkerprocess.exe and umservice.exe, spawning a child process. Behaviors are related to vulnerabilities exploited by HAFNIUM Group. The vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
MITRE ATT&CK Techniques
| ID | Technique | Tactic |
|---|---|---|
| T1505.003 | Web Shell | Persistence |
Environment Details
| Field | Value |
|---|---|
| Environment | attack_range |
| Directory | T1505.003 |
| Test Date | 2025-10-28 |
Datasets
The following datasets were collected during this attack simulation:
Windows-Sysmon_proxylogon
- Path:
/datasets/attack_techniques/T1505.003/windows-sysmon_proxylogon.log - Sourcetype:
XmlWinEventLog - Source:
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows-Sysmon_umservices
- Path:
/datasets/attack_techniques/T1505.003/windows-sysmon_umservices.log - Sourcetype:
XmlWinEventLog - Source:
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows-Sysmon
- Path:
/datasets/attack_techniques/T1505.003/windows-sysmon.log - Sourcetype:
XmlWinEventLog - Source:
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Moveit_windows-Sysmon
- Path:
/datasets/attack_techniques/T1505.003/moveit_windows-sysmon.log - Sourcetype:
XmlWinEventLog - Source:
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Wsus-Windows-Sysmon
- Path:
/datasets/attack_techniques/T1505.003/wsus-windows-sysmon.log - Sourcetype:
XmlWinEventLog - Source:
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Wsus-Sa-Windows-Sysmon
- Path:
/datasets/attack_techniques/T1505.003/wsus-sa-windows-sysmon.log - Sourcetype:
XmlWinEventLog - Source:
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Wsus-Iis
- Path:
/datasets/attack_techniques/T1505.003/wsus-iis.log - Sourcetype:
iis - Source:
iis
Wsus-Suricata
- Path:
/datasets/attack_techniques/T1505.003/wsus-suricata.log - Sourcetype:
suricata - Source:
suricata
Wsus-7053-Windows-Application
- Path:
/datasets/attack_techniques/T1505.003/wsus-7053-windows-application.log - Sourcetype:
XmlWinEventLog - Source:
XmlWinEventLog:Application
Related Detections
The following detections in our security content repository use this attack data for testing:
| Detection Name | Type | Source | MITRE ATT&CK | Analytic Story |
|---|---|---|---|---|
| Windows WSUS Spawning Shell | TTP |
Endpoint | T1190, T1505.003 | Microsoft WSUS CVE-2025-59287 |
| Detect Exchange Web Shell | TTP |
Endpoint | T1133, T1190, T1505.003 | ProxyNotShell, CISA AA22-257A, HAFNIUM Group, ProxyShell, Compromised Windows Host, BlackByte Ransomware, Seashell Blizzard, GhostRedirector IIS Module and Rungan Backdoor |
| Windows Suspicious Child Process Spawned From WebServer | TTP |
Endpoint | T1505.003 | Flax Typhoon, BlackByte Ransomware, CISA AA22-257A, HAFNIUM Group, CISA AA22-264A, ProxyShell, SysAid On-Prem Software CVE-2023-47246 Vulnerability, ProxyNotShell, Medusa Ransomware, WS FTP Server Critical Vulnerabilities, Compromised Windows Host, Citrix ShareFile RCE CVE-2023-24489, Microsoft SharePoint Vulnerabilities, GhostRedirector IIS Module and Rungan Backdoor, Microsoft WSUS CVE-2025-59287 |
| Windows SharePoint Spinstall0 Webshell File Creation | TTP |
Endpoint | T1190, T1505.003 | Microsoft SharePoint Vulnerabilities |
| Windows MOVEit Transfer Writing ASPX | TTP |
Endpoint | T1190, T1133 | MOVEit Transfer Critical Vulnerability, Hellcat Ransomware |
| W3WP Spawning Shell | TTP |
Deprecated | T1505.003 | ProxyNotShell, Data Destruction, ProxyShell, Hermetic Wiper, CISA AA22-257A, HAFNIUM Group, BlackByte Ransomware, CISA AA22-264A, Flax Typhoon, WS FTP Server Critical Vulnerabilities, PHP-CGI RCE Attack on Japanese Organizations, Microsoft SharePoint Vulnerabilities, GhostRedirector IIS Module and Rungan Backdoor |
Usage Instructions
Replay with Splunk Attack Data
Replay attack data with replay.py from Splunk Attack Data.
1python replay.py --dataset /datasets/attack_techniques/T1505.003/windows-sysmon_proxylogon.log --index attack_data
Manual Import
- Download the dataset files from the paths listed above
- Configure your Splunk instance with the appropriate sourcetypes
- Import the logs using the Splunk Add Data wizard
Related Content
Find more detections and analytics for this attack technique in our security content repository.
Source: GitHub | Version: 1.0