216.73.216.133

T1051: Shared Webroot

View on MITRE ATT&CK The MITRE Corporation · Published 31/05/2017 23:30 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID
T1051
Confidence
100/100
Revoked
No
Published
31/05/2017 23:30
Modified
27/03/2026 01:10
Author / Source
The MITRE Corporation

Aliases

T1051

Platforms

windows

Description

**This technique has been deprecated and should no longer be used.** Adversaries may add malicious content to an internally accessible website through an open network file share that contains the website's webroot or Web content directory (Citation: Microsoft Web Root OCT 2016) (Citation: Apache Server 2018) and then browse to that content with a Web browser to cause the server to execute the malicious content. The malicious content will typically run under the context and permissions of the Web server process, often resulting in local system or administrative privileges, depending on how the Web server is configured. This mechanism of shared access and remote execution could be used for lateral movement to the system running the Web server. For example, a Web server running PHP with an open network share could allow an adversary to upload a remote access tool and PHP script to execute the RAT on the system running the Web server when a specific page is visited. (Citation: Webroot PHP 2011)

Kill chain phases

Kill chainPhase
mitre-attack lateral-movement

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references