Cookie-Controlled PHP Web Shells & Cron Persistence: Detection & Remediation

Microsoft Defender Security Research Team has uncovered a sophisticated shift in web shell tactics targeting Linux environments. Threat actors are increasingly abandoning traditional GET/POST parameter-based command execution in favor of HTTP cookies as a control channel for PHP-based web shells.

This technique is particularly dangerous because it bypasses standard Web Application Firewall (WAF) inspections and traditional log parsing, which often prioritize URL parameters and request bodies over headers. Furthermore, attackers are leveraging these compromised systems to establish persistence via cron jobs, ensuring continued access even if the initial web vulnerability is patched. Defenders must immediately update their detection logic to monitor header anomalies and process lineage on web servers.

Technical Analysis

Affected Platforms:

Linux servers running PHP (Ubuntu, Debian, CentOS, RHEL, etc.)
Web servers: Apache, NGINX, LiteSpeed
PHP-based applications (CMS, custom web apps)

The Attack Chain:

Initial Access: Attackers exploit a vulnerability (e.g., file upload, RCE) or misconfiguration to upload a malicious PHP script.
Execution (The Twist): Unlike standard shells that read commands from $_GET['cmd'] or $_POST['cmd'], these scripts read from the $_COOKIE array. The attacker sends a request with a specific cookie header (e.g., Cookie: cmd=cat /etc/passwd).
Stealth: This evasion technique helps the payload blend in with normal application traffic, as many security tools do not deep-scan cookie headers for code execution patterns.
Persistence: Once established, the web shell modifies the crontab for the web server user (e.g., www-data or apache). This scheduled task often executes the shell or a reinfection payload periodically, maintaining access without requiring the attacker to return via the web vector.

Risk Assessment:

Severity: High
Exploitation Status: Active exploitation confirmed by Microsoft in the wild.
Defensive Gap: Standard SIEM use cases often miss cookie-based data exfiltration or C2.

Detection & Response

This threat requires a multi-layered detection approach focusing on the behavior of the web server process and file system modifications rather than just network traffic headers.

Sigma Rules

YAML

---
title: Linux Web Server Spawning System Shell
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects web server processes spawning shells, indicative of web shell execution via cookie or parameter exploitation.
references:
  - https://attack.mitre.org/techniques/T1505/003/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.004
  - attack.web_shell
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|contains:
      - 'apache'
      - 'nginx'
      - 'httpd'
      - 'php-fpm'
    Image|endswith:
      - '/bash'
      - '/sh'
      - '/dash'
      - '/zsh'
      - '/python'
      - '/perl'
  condition: selection
falsepositives:
  - Legitimate server administration scripts (rare for web user context)
level: high
---
title: Web Server User Utilizing Crontab for Persistence
id: b2c3d4e5-f6a7-5b6c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects the web server user (e.g., www-data) executing crontab, a strong indicator of persistence following web shell compromise.
references:
  - https://attack.mitre.org/techniques/T1053/003/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.persistence
  - attack.t1053.003
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|endswith: '/crontab'
    User|contains:
      - 'www-data'
      - 'apache'
      - 'nginx'
  condition: selection
falsepositives:
  - Legitimate administrative tasks scheduled by web admins (very rare)
level: critical

KQL (Microsoft Sentinel / Defender)

This query hunts for web server processes spawning command-line interpreters, which occurs regardless of whether the command came from a GET parameter or a Cookie.

KQL — Microsoft Sentinel / Defender

DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("apache2", "httpd", "nginx", "php-fpm")
| where FileName in~ ("sh", "bash", "dash", "python", "perl", "php")
| extend HostName = DeviceName
| project Timestamp, HostName, AccountName, InitiatingProcessFileName, FileName, CommandLine, InitiatingProcessCommandLine
| order by Timestamp desc

Velociraptor VQL

This artifact hunts for the specific signature of cookie-controlled web shells in the web root. Since access logs may not contain the Cookie header, file system scanning is critical.

VQL — Velociraptor

-- Hunt for PHP files containing $_COOKIE references often used for stealthy C2
SELECT FullPath, Size, Mtime, Mode
FROM glob(globs='/var/www/**/*.php')
WHERE read_file(filename=FullPath) =~ '\$_COOKIE'
   OR read_file(filename=FullPath) =~ 'eval\(.*\$_COOKIE'

Remediation Script (Bash)

Run this script on suspected compromised Linux web servers to identify indicators of the cookie-controlled web shell and cron persistence.

Bash / Shell

#!/bin/bash

# Hunt for Cookie-Controlled PHP Web Shells and Cron Persistence
# Usage: sudo ./hunt_webshell.sh

echo "[*] Starting hunt for Cookie-Controlled Web Shells..."

# Define web roots (adjust as necessary)
WEB_ROOTS=("/var/www/html" "/var/www" "/usr/share/nginx/html")

# 1. Search for PHP files using $_COOKIE for C2
echo "[+] Scanning for PHP files referencing \$_COOKIE (potential C2 channel)..."
for root in "${WEB_ROOTS[@]}"; do
    if [ -d "$root" ]; then
        grep -r -l -i '\$_COOKIE' "$root" --include="*.php" 2>/dev/null | while read -r file; do
            # Filter out common framework libraries to reduce noise (example filter)
            if ! echo "$file" | grep -qiE "vendor|framework|lib"; then
                echo "[!] Suspicious file found: $file"
                # Optional: Print context
                # grep -i '\$_COOKIE' "$file" | head -n 2
            fi
        done
    fi
done

# 2. Check for Cron Persistence by web users
echo "[*] Checking for crontab persistence by web users..."
WEB_USERS=("www-data" "apache" "nginx")

for user in "${WEB_USERS[@]}"; do
    # Check if user exists and has a crontab
    if id "$user" &>/dev/null; then
        CRON_FILE="/var/spool/cron/crontabs/$user"
        if [ -f "$CRON_FILE" ]; then
            echo "[!] Crontab found for $user:"
            cat "$CRON_FILE"
        fi
        # Also try crontab -l if permissions allow or running as root
        if [ "$EUID" -eq 0 ]; then
            crontab -u "$user" -l 2>/dev/null && echo "[!] Crontab listing for $user (via crontab -l):"
        fi
    fi
done

echo "[*] Hunt complete. Review findings above."

Remediation

Immediate Isolation: If a web shell is confirmed, isolate the affected server from the network immediately to prevent further C2 communication or lateral movement.
Remove Persistence: Delete the malicious cron entries found in /var/spool/cron/ or via crontab -u [user] -e. Ensure no other persistence mechanisms (e.g., SSH keys) were added.
Remove Malware: Delete the identified PHP files. Be cautious not to delete legitimate framework code; verify the code is malicious (e.g., base64_decode combined with $_COOKIE).
Patch and Update: Ensure the underlying CMS or web application is patched to prevent re-upload of the shell.
Log Enrichment (Post-Incident): Configure your web server logs (Apache/Nginx) to log the Cookie header. This is risky for PII compliance but critical for forensic visibility of this specific attack vector.
- Nginx: Add http_log_cookie to the log_format.
- Apache: Use %{Cookie}i in the LogFormat directive.

Related Resources

Security Arsenal Alert Triage Automation AlertMonitor Platform Book a SOC Assessment platform Intel Hub