0xAnalyst / webshells
webshells
ASPX webshells written for EDR and YARA detection testing. Each shell targets a specific telemetry source or detection gap. For use in isolated lab environments only.
Defensive research ASPX / .NET IIS EDR testing SIEM testing YARA
19
Shells
5
Categories
12
ATT&CK TTPs
2
Original shells
Target: EDR SIEM Both
Filter:
๐Ÿ“ Original shells 2 files
Both
Poweraspx.aspx
PowerShell execution via ASPX. Tests w3wp.exe โ†’ powershell.exe parent-chain detection.
T1059.001View โ†’
EDR
CreateProcessWebshell.aspx
P/Invoke kernel32!CreateProcess. Tests DllImport and direct process creation signatures.
T1059 ยท T1106View โ†’
โš™๏ธ Execution evasion execution-evasion/ 3 files
Both
COMShell.aspx
WScript.Shell via late-bind COM. Breaks w3wp.exe chain โ€” no cmd.exe spawn.
T1559.001View โ†’
Both
WMIShell.aspx
Win32_Process.Create โ€” fully detached, parent PID is WMI not IIS.
T1047View โ†’
EDR
MSBuildShell.aspx
Drops and runs a .proj via MSBuild.exe. Tests LOLBin and trusted binary abuse.
T1127.001View โ†’
EDR
CreateProcess_Dynamic.aspx
kernel32!CreateProcessA via GetProcAddress โ€” no static DllImport, no cleartext API names. Defeats static YARA string rules.
T1106 ยท T1027View โ†’
EDR
ShellExecuteEx_Runas.aspx
shell32!ShellExecuteEx with runas + SW_HIDE. Avoids CreateProcess logging, runs under different user context with minimal command-line visibility.
T1548.002 ยท T1106View โ†’
EDR
CreateProcessAsUser_Impersonate.aspx
advapi32!CreateProcessAsUser with impersonated token + CREATE_SUSPENDED. Breaks process lineage โ€” no parent-child relation to w3wp.exe.
T1134.001 ยท T1055View โ†’
๐Ÿ”’ Obfuscation obfuscation/ 2 files
EDR
XorShell.aspx
XOR + base64 runtime decode. Defeats static YARA string rules โ€” forces behavioral detection.
T1027View โ†’
EDR
RoslynShell.aspx
CSharpScript.EvaluateAsync โ€” compiles C# at runtime. No disk write, no static signature.
T1027.010View โ†’
EDR
InMemory_Assembly_XOR.aspx
XOR-encoded .NET assembly loaded via Assembly.Load โ€” no file on disk, static analysis bypass via encoding. Uses System.Diagnostics.Process via reflected assembly.
T1027 ยท T1620View โ†’
๐Ÿ’‰ Process injection injection/ 2 files
EDR
ReflectivePEShell.aspx
In-memory PE load without LoadLibrary or disk write. Tests NtProtectVirtualMemory scanning.
T1620View โ†’
EDR
SyscallShell.aspx
Direct NtAllocateVirtualMemory syscall stubs. Bypasses user-mode EDR hooks entirely.
T1055View โ†’
EDR
WinExec_Syscall.aspx
ntdll!NtCreateProcess via direct syscall using Heaven's Gate stub โ€” no ntdll in memory. Bypasses EDR user-land hooks completely.
T1055 ยท T1562.006View โ†’
๐Ÿ“ก Network / C2 network-c2/ 2 files
SIEM
DoHShell.aspx
Commands in DNS-over-HTTPS queries on port 443. Tests SIEM coverage beyond port-53 DNS.
T1071.004View โ†’
SIEM
WebSocketShell.aspx
Persistent bidirectional WebSocket channel. Tests long-lived connection detection from w3wp.exe.
T1071.001View โ†’
๐Ÿ›ก๏ธ Defense evasion defense-evasion/ 2 files
EDR
ETWPatchShell.aspx
EtwEventWrite nop-patch โ€” blinds ETW-based EDR telemetry. Tests tamper-protection coverage.
T1562.006View โ†’
EDR
AMSIPatchShell.aspx
AmsiScanBuffer patch โ€” disables AMSI scanning in-process. Tests AMSI tamper detection rules.
T1562.001View โ†’
EDR
NtCreateProcess_Unhook.aspx
Fresh ntdll mapped from disk, EDR hooks removed before NtCreateProcess invocation. Tests whether EDR detects clean-copy unhooking.
T1562.001 ยท T1055View โ†’
EDR
WMI_Com_ETW_AMSI_Patch.aspx
In-process AMSI + ETW patching before Win32_Process.Create via COM. Disables script scanning and ETW logging in one shell โ€” combined evasion test.
T1562.001 ยท T1562.006 ยท T1047View โ†’
โš ๏ธ For authorized security testing and EDR/SIEM validation in controlled lab environments only. Unauthorized use against systems you do not own or have explicit permission to test is illegal.