Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers

Source: The Hacker News
Date: April 3, 2026

EXECUTIVE SUMMARY

Microsoft Unveils Cookie-Controlled PHP Web Shell Threat on Linux Servers

Summary

Microsoft's Defender Security Research Team has identified a new threat in which threat actors use HTTP cookies as the control mechanism for PHP-based web shells on Linux servers, enabling remote code execution.

Key Points

  • Threat actors are using HTTP cookies to control PHP web shells on Linux servers.
  • This method allows for remote code execution without exposing command execution through URL parameters or request bodies.
  • The findings were reported by the Microsoft Defender Security Research Team.
  • The technique relies on threat actor-supplied cookie values to control what the web shell executes.

Analysis

The discovery of this technique highlights a sophisticated method of achieving remote code execution on Linux servers through PHP web shells. By carrying commands in HTTP cookies rather than in URL parameters or request bodies, threat actors keep the control channel out of the places defenders most commonly inspect, making detection and mitigation more challenging. This underscores the need for robust monitoring and security measures capable of detecting such covert channels.

Conclusion

IT professionals should enhance their monitoring of HTTP cookies and of web shell activity on Linux servers. Implementing advanced threat detection solutions and performing regular security audits can help mitigate the risks associated with this emerging threat.
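As an added illustration of the monitoring the Key Points and Conclusion call for (example code written for this page, not part of Microsoft's or The Hacker News' material), the script below applies two defensive heuristics: it flags PHP source lines where `$_COOKIE` data reaches a code- or command-execution function, directly or through a variable assigned from it, and it flags crontab entries that run a PHP file stored under a web root, which is one way a cron-persisted shell can look. The sink list, the web-root paths and the fixtures are constructed assumptions, not indicators from the report.

```python
"""Heuristics for the technique above: $_COOKIE data reaching a PHP execution sink,
and cron entries that run a PHP file from a web root. Constructed example."""
import re

# PHP functions that execute code or shell commands; cookie-controlled input here is the alarm.
SINKS = ("eval", "assert", "system", "exec", "shell_exec", "passthru", "popen", "proc_open")
SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(", re.IGNORECASE)
COOKIE_RE = re.compile(r"\$_COOKIE\b")
ASSIGN_RE = re.compile(r"(\$\w+)\s*=[^;]*\$_COOKIE\b")   # $var = ... $_COOKIE ...
VAR_RE = re.compile(r"\$\w+")
CRON_PHP_RE = re.compile(r"\bphp\S*\s+(\S+\.php)\b")     # "php /path/file.php"
WEB_ROOTS = ("/var/www/", "/srv/http/", "/usr/share/nginx/")  # assumed web roots


def find_cookie_sinks(php_source: str) -> list[tuple[int, str]]:
    """Lines where $_COOKIE, directly or via a variable assigned from it, feeds a sink."""
    tainted: set[str] = set()
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for m in ASSIGN_RE.finditer(line):
            tainted.add(m.group(1))          # remember variables derived from cookies
        if SINK_RE.search(line) and (
            COOKIE_RE.search(line) or any(v in tainted for v in VAR_RE.findall(line))
        ):
            hits.append((lineno, line.strip()))
    return hits


def find_webroot_cron_jobs(crontab_text: str) -> list[tuple[int, str]]:
    """Cron lines that invoke a PHP file stored under a web root (persistence candidate)."""
    hits = []
    for lineno, line in enumerate(crontab_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        m = CRON_PHP_RE.search(line)
        if m and m.group(1).startswith(WEB_ROOTS):
            hits.append((lineno, m.group(1)))
    return hits


# Constructed fixtures: a benign cookie use, a cookie-driven sink, and two cron lines.
BENIGN_PHP = "<?php\n$theme = $_COOKIE['theme'] ?? 'light';\necho '<body class=' . $theme . '>';\n"
SUSPECT_PHP = "<?php\n$k = $_COOKIE['sid'];\nif (isset($k)) { system($k); }\n"
CRONTAB = (
    "0 3 * * * /usr/bin/certbot renew --quiet\n"
    "*/5 * * * * /usr/bin/php /var/www/html/uploads/.cache.php >/dev/null 2>&1\n"
)

if __name__ == "__main__":
    print(find_cookie_sinks(BENIGN_PHP), find_cookie_sinks(SUSPECT_PHP))
    print(find_webroot_cron_jobs(CRONTAB))
```

Both checks are line-based heuristics for triage; obfuscated or multi-statement shells still need a proper PHP parser or an endpoint detection product.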