Back to Intelligence

ASD Alert: CMS Webshell Campaigns — Detection and Hardening Guide

SA
Security Arsenal Team
July 13, 2026
6 min read

The Australian Signals Directorate (ASD) has issued a critical alert regarding a global, ongoing campaign targeting Content Management Systems (CMS). This is not a theoretical risk; active exploitation is underway, with numerous small and medium-sized businesses already compromised. Attackers are aggressively scanning the internet for vulnerable WordPress, Joomla, and other CMS instances to deploy webshells.

For defenders, this represents a classic but lethal threat vector: initial access via unpatched components followed immediately by persistent backdoors. Once a webshell is established, the attackers have a foothold to move laterally, exfiltrate data, or deploy ransomware. This post dissects the attack mechanics and provides the detection logic and hardening steps needed to stop this campaign now.

Technical Analysis

Affected Platforms: While the alert specifically names WordPress and Joomla, the methodology targets any CMS with known security flaws or exposed administrative interfaces.

Attack Chain:

  1. Reconnaissance: Attackers use automated scanners to identify exposed CMS instances.
  2. Exploitation: They leverage known vulnerabilities in plugins, themes, or core CMS files. While the prompt does not cite specific 2025/2026 CVEs, the ASD notes that "known vulnerabilities" are the entry point, implying a failure to patch against historically significant or recently disclosed flaws.
  3. Webshell Deployment: Upon successful exploitation, attackers upload scripts (typically PHP, ASPX, or JSP) that provide remote code execution (RCE) capabilities.
  4. C2 and Action: The webshell connects to a command-and-control (C2) server or accepts commands via HTTP parameters, allowing the attacker to execute system commands, steal credentials, or maintain persistence.

Technical Severity: The deployment of a webshell effectively bypasses perimeter defenses (firewalls) by tunneling malicious traffic over allowed ports (80/443). The severity is High due to the ease of automation and the total compromise of the web server integrity.

Detection & Response

The following detection rules focus on the behavioral indicators of this campaign: the webserver process spawning a shell (the primary goal of a webshell) and the creation of suspicious script files in web directories.

SIGMA Rules

YAML
---
title: Webserver Process Spawning System Shell - Linux
id: 8a4b2c91-3d6e-4f5a-9b1c-2d3e4f5a6b7c
status: experimental
description: Detects web server processes spawning shell processes, a common indicator of webshell activity.
references:
  - https://attack.mitre.org/techniques/T1505/003/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1505.003
  - attack.webshell
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentProcessName|contains:
      - 'apache2'
      - 'httpd'
      - 'nginx'
      - 'php-fpm'
    Image|endswith:
      - '/sh'
      - '/bash'
      - '/zsh'
      - '/dash'
  condition: selection
falsepositives:
  - Legitimate administrative scripts executed by web servers (rare)
level: high
---
title: Webserver Process Spawning Shell - Windows
id: 9b5c3d02-4e7f-5g6b-0c2d-3e4f5a6b7c8d
status: experimental
description: Detects IIS or other web services spawning cmd.exe or powershell.exe, indicative of webshell execution.
references:
  - https://attack.mitre.org/techniques/T1505/003/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1505.003
  - attack.webshell
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\w3wp.exe'
      - '\php-cgi.exe'
      - '\nginx.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection
falsepositives:
  - Misconfigured web applications
level: high
---
title: Suspicious Script Creation in Web Directories
id: 0c6d4e13-5f8g-6h7c-1d3e-4f5a6b7c8d9e
status: experimental
description: Detects the creation of common webshell script types in web root directories by non-admin users or unusual processes.
references:
  - https://attack.mitre.org/techniques/T1505/003/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1190
  - attack.persistence
logsource:
  category: file_create
  product: linux
detection:
  selection:
    TargetFilename|contains:
      - '/var/www/html/'
      - '/usr/share/nginx/'
      - '/home/www/'
    TargetFilename|endswith:
      - '.php'
      - '.php5'
      - '.phtml'
  filter:
    Image|contains:
      - '/usr/bin/vim'
      - '/usr/bin/nano'
      - '/usr/bin/git'
  condition: selection and not filter
falsepositives:
  - Legitimate developers uploading code
level: medium

KQL (Microsoft Sentinel)

This query hunts for the parent-child process relationship indicative of a webshell gaining code execution on the host.

KQL — Microsoft Sentinel / Defender
// Hunt for webserver processes spawning shells
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in ("apache2", "httpd", "nginx", "w3wp.exe", "php-cgi.exe")
| where FileName in ("sh", "bash", "dash", "cmd.exe", "powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, CommandLine, AccountName, SHA256
| order by Timestamp desc

Velociraptor VQL

This artifact hunts for recently modified PHP files in common web directories, which may indicate webshell uploads.

VQL — Velociraptor
-- Hunt for recently modified PHP files in web roots
SELECT FullPath, Mtime, Atime, Size, Mode
FROM glob(globs='/var/www/**/*.php')
-- Look for files modified in the last 7 days
WHERE Mtime > now() - 7 * 86400
  -- Exclude typical directories that update frequently (e.g., cache) if necessary, but broad search is better for initial compromise
ORDER BY Mtime DESC
LIMIT 50

Remediation Script (Bash)

This script performs a basic scan for common obfuscation techniques used in PHP webshells within the /var/www/html directory.

Bash / Shell
#!/bin/bash

WEB_ROOT="/var/www/html"
LOG_FILE="/var/log/cms_webshell_scan.log"

echo "Starting CMS Webshell Scan on $(date)" > $LOG_FILE

# Scan for common webshell keywords and base64 strings
# Note: This may generate false positives on legitimate code libraries.
echo "Scanning for suspicious PHP patterns..." >> $LOG_FILE

grep -rnE --include="*.php" \n  -e "eval\(\$" \n  -e "base64_decode" \n  -e "system\(\$" \n  -e "passthru\(\$" \n  -e "shell_exec" \n  -e "assert\(\$" \n  -e "preg_replace.*\/e" \n  -e "create_function" \n  "$WEB_ROOT" >> $LOG_FILE

echo "Scan complete. Results saved to $LOG_FILE"

# Check for recently modified files (last 24 hours)
echo "Listing PHP files modified in the last 24 hours:" >> $LOG_FILE
find "$WEB_ROOT" -type f -name "*.php" -mtime -1 -ls >> $LOG_FILE

echo "Done."

Remediation

  1. Patch Management: Immediately audit all CMS instances (WordPress, Joomla, etc.) for known vulnerabilities. Apply all pending security updates for the core CMS, plugins, and themes. Discontinue any plugins or themes that are no longer maintained by the vendor.
  2. Web Application Firewall (WAF): Ensure your WAF is configured to block known exploit attempts and common webshell upload patterns. Tune rules to minimize false positives while maintaining strict blocking on administrative interfaces.
  3. Compromise Assessment: If activity is detected, assume the server is fully compromised. Conduct a forensic analysis to determine the scope of access. Reset all credentials (database, FTP, SSH, CMS admin) stored or used on the server.
  4. File Integrity Monitoring (FIM): Enable FIM on web directories to alert on any unauthorized changes to core CMS files or the addition of new scripts.
  5. Hardening: Disable unnecessary PHP functions (e.g., exec, shell_exec, passthru, system) in php.ini if they are not required by the application. Restrict write permissions on the web filesystem; the web server user should generally not have write access to code directories.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

mdrthreat-huntingendpoint-detectionsecurity-monitoringwebshellcmswordpressjoomla

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.