Back to Intelligence

How to Detect and Neutralize Cookie-Controlled PHP Web Shells on Linux Servers

SA
Security Arsenal Team
April 4, 2026
7 min read

How to Detect and Neutralize Cookie-Controlled PHP Web Shells on Linux Servers

Recent findings from the Microsoft Defender Security Research Team have highlighted a sophisticated evolution in web shell tactics. Threat actors are increasingly leveraging HTTP cookies as a control channel for PHP-based web shells on Linux servers, achieving persistence through scheduled tasks (Cron). This technique allows attackers to bypass traditional security controls that typically inspect URL parameters or POST bodies, leaving many organizations exposed to unauthorized code execution.

Introduction

Web shells are a persistent menace in the cybersecurity landscape, providing attackers with a backdoor to maintain control over compromised servers. Historically, defenders have looked for command-and-control (C2) traffic in query strings or request bodies. However, adversaries are adapting. By moving command instructions into HTTP cookies—a field often overlooked by basic Web Application Firewalls (WAFs) and log analysis tools—attackers can blend in with legitimate traffic. Furthermore, by establishing persistence via Cron jobs, they ensure continued access even if the initial web shell is discovered. Understanding this shift is critical for security teams tasked with defending Linux web environments.

Technical Analysis

The threat involves PHP scripts uploaded to a compromised web server. Unlike traditional web shells that accept commands via $_GET or $_POST parameters, these scripts read from $_COOKIE variables to execute code.

  • Mechanism: The web shell waits for a specific cookie to be set in the HTTP request header. The value of this cookie contains the malicious PHP code (e.g., system(), eval(), or shell_exec() calls). Because the cookie value is not typically logged by default in many web server access logs, and because it doesn't appear in the URL, standard signature-based detections often miss it.
  • Persistence: Once the shell is established, the attacker modifies the server's crontab to re-establish the shell or execute malicious payloads periodically. This creates a "dead man's switch" or a repair mechanism, making remediation difficult.
  • Affected Systems: Linux servers running PHP (e.g., Apache/Nginx with PHP-FPM).
  • Severity: High. This leads to full Remote Code Execution (RCE) and potential server takeover.

Defensive Monitoring

To effectively defend against this threat, security operations centers (SOCs) must broaden their visibility beyond standard URL inspection. The following detection rules and hunt queries are designed to identify the behavioral indicators of cookie-controlled web shells and their persistence mechanisms.

SIGMA Rules

These SIGMA rules focus on the persistence aspect (Cron jobs executing web-related binaries) and the execution of shells by web server processes.

YAML
---
title: Linux Web Server Process Spawning System Shell
id: 8f3a4b1c-5d6e-7f8a-9b0c-1d2e3f4a5b6c
status: experimental
description: Detects web server processes spawning shells, a common indicator of web shell execution.
references:
  - https://attack.mitre.org/techniques/T1505/003/
author: Security Arsenal
date: 2026/04/15
tags:
  - attack.execution
  - attack.t1505.003
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|contains:
      - '/apache'
      - '/nginx'
      - '/httpd'
      - '/php-fpm'
    Image|endswith:
      - '/bash'
      - '/sh'
      - '/zsh'
      - '/bin/php'
  condition: selection
falsepositives:
  - Legitimate administrative scripts executed by web UIs
level: high
---
title: Cron Job Executing PHP or Web Server Binary
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects Cron jobs executing PHP binaries or web servers, often used for persistence by web shells.
references:
  - https://attack.mitre.org/techniques/T1053/003/
author: Security Arsenal
date: 2026/04/15
tags:
  - attack.persistence
  - attack.t1053.003
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|endswith: '/crond'
    Image|endswith:
      - '/php'
      - '/php-cli'
      - '/apache2'
      - '/nginx'
  condition: selection
falsepositives:
  - Valid system maintenance scripts scheduled via Cron
level: medium
---
title: Suspicious File Write by Web Server Process
id: b2c3d4e5-f6a7-5b6c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects web server processes writing files to sensitive system directories like /etc/cron.d/, indicating potential persistence setup.
references:
  - https://attack.mitre.org/techniques/T1105/
author: Security Arsenal
date: 2026/04/15
tags:
  - attack.defense_evasion
  - attack.t1105
logsource:
  category: file_event
  product: linux
detection:
  selection:
    Image|contains:
      - '/apache'
      - '/nginx'
      - '/httpd'
    TargetFilename|contains:
      - '/etc/cron'
      - '/var/spool/cron'
  condition: selection
falsepositives:
  - Legitimate CMS configuration updates (rare)
level: high

KQL Queries (Microsoft Sentinel/Defender)

Use these queries to hunt for suspicious process creation patterns and file modifications associated with this threat.

KQL — Microsoft Sentinel / Defender
// Detect Web Server processes spawning shells
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~("apache", "nginx", "httpd", "php-fpm")
| where FileName in~("bash", "sh", "zsh", "python", "perl")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, CommandLine, FileName
| order by Timestamp desc


// Detect Cron jobs executing PHP or suspicious scripts
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName == "crond"
| where FileName in~("php", "wget", "curl", "perl")
| project Timestamp, DeviceName, AccountName, CommandLine, InitiatingProcessCommandLine
| order by Timestamp desc


// Look for high entropy or suspicious cookie values in Syslog (if WAF logs are ingested)
// Note: This relies on specific log formats like Common Log Format or JSON logs
Syslog
| where TimeGenerated > ago(1d)
| where SyslogMessage contains "Cookie"
| extend CookiePart = extract("Cookie: ([^\r\n]*)", 1, SyslogMessage)
| where isnotempty(CookiePart)
| where CookiePart matches regex @"[\%=\{\}]" // Simple heuristic for encoded code or PHP tags
| project TimeGenerated, Computer, SyslogMessage, CookiePart

Velociraptor VQL Hunt Queries

These Velociraptor artifacts hunt for suspicious Cron jobs and recently modified PHP files that may indicate a web shell.

VQL — Velociraptor
-- Hunt for suspicious Cron jobs referencing web directories or obfuscated commands
SELECT * FROM foreach(
  row=glob(globs='/etc/cron.*', '/var/spool/cron/*'),
  query={
    SELECT 
      OSPath,
      Data,
      timestamp(epoch=Sys.Mtime) AS ModifiedTime
    FROM read_file(filename=OSPath)
    WHERE Data =~ 'php' 
       OR Data =~ 'base64'
       OR Data =~ 'eval\('
       OR Data =~ 'wget|curl'
  }
)


-- Hunt for recently modified PHP files in web roots (Last 7 days)
SELECT 
  OSPath,
  Size,
  timestamp(epoch=Sys.Mtime) AS ModifiedTime,
  Mode.String AS Permissions
FROM glob(globs='/var/www/html/**/*.php')
WHERE Sys.Mtime > now(timestamp=-604800) -- 7 days ago
  AND Permissions =~ 'w' -- Check if writeable
ORDER BY ModifiedTime DESC

Bash Verification Scripts

Run these scripts on your Linux servers to audit current Cron configurations and web file integrity.

Bash / Shell
#!/bin/bash
# Audit Cron jobs for PHP or web root references
echo "[+] Checking system Cron jobs for suspicious PHP or Web commands..."
for user in $(cut -f1 -d: /etc/passwd); do
  crontab -u $user -l 2>/dev/null | grep -E "php|curl|wget|eval|base64" && echo "Found suspicious crontab for user: $user"
done

echo "[+] Checking /etc/cron.d for suspicious entries..."
grep -RHInE "php|curl|wget|eval|base64" /etc/cron.d/* 2>/dev/null


#!/bin/bash
# Find recently created or modified PHP files in common web directories
echo "[+] Searching for recently modified PHP files (last 24h)..."
find /var/www /home/*/public_html -name "*.php" -mtime -1 -ls 2>/dev/null

Remediation

If you suspect a compromise or want to harden your environment against this threat, take the following steps:

  1. Audit Web Application Logs: Immediately review access logs for unusually long Cookie headers or high-entropy strings. Configure WAFs to inspect and block cookies containing PHP functions (e.g., base64_decode, system, exec).
  2. Cron Job Hygiene: Audit all Cron jobs on web servers. Remove any tasks that are not strictly necessary for business operations. Ensure that web roots are not writable by the web server user (www-data, apache, nginx) to prevent the web shell from writing its own Cron entry.
  3. File Integrity Monitoring (FIM): Implement FIM on web directories to alert on new or modified PHP files.
  4. Patch and Update: Ensure all CMSs (WordPress, Drupal, etc.) and plugins are up to date to prevent the initial file upload vulnerability that leads to web shell infection.
  5. Isolation: If a web shell is confirmed, isolate the server from the network immediately to prevent the attacker from maintaining access via the cookie channel while forensics are performed.

By shifting detection focus to the persistence mechanisms (Cron) and the behavioral context (process lineage), defenders can catch these stealthy cookie-controlled threats before they cause significant damage.

Related Resources

Security Arsenal Red Team Services AlertMonitor Platform Book a SOC Assessment pen-testing Intel Hub

penetration-testingred-teamoffensive-securityexploitlinuxweb-shellsphpthreat-hunting

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action