Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers

Microsoft's Defender Security Research Team has published findings on an increasingly common technique used by threat actors to maintain persistent access on compromised Linux web servers: PHP-based web shells that use HTTP cookies as a covert command-and-control (C2) channel, combined with cron job persistence to survive server reboots and security sweeps.

The Cookie-as-C2 Technique

Traditional PHP web shells expose command execution through obvious indicators — URL parameters like ?cmd=whoami or POST request body fields are easily detected by web application firewalls (WAFs) and security monitoring tools. The technique observed by Microsoft Defender takes a more covert approach.

Instead of embedding commands in URLs or request bodies, attackers embed execution instructions within HTTP cookie headers. Because cookie traffic is voluminous and often excluded from deep inspection in WAF rulesets, these commands blend into legitimate web traffic.

How It Works

1. Web shell is planted on a compromised server, often disguised as a legitimate PHP file or hidden among CMS plugin files
2. Attacker sends a crafted HTTP request to the server containing a cookie with an encoded command (e.g., Cookie: session=<base64-encoded-command>)
3. The PHP web shell parses the cookie, decodes the command, and runs it via PHP OS command functions
4. Output is returned in the HTTP response body, often disguised as normal web content or Base64-encoded within standard response fields

This approach means that from a network monitoring perspective, all traffic looks like ordinary HTTP sessions to the web application.

Cron Persistence Mechanism

A key finding from Microsoft's research is how these web shells ensure persistent access even after server reboots, PHP process restarts, or partial remediation attempts.

Threat actors are deploying cron jobs that:

• Re-download the web shell from an attacker-controlled server if it is removed
• Re-establish necessary file permissions to keep the shell executable
• Rotate the web shell filename on a schedule to evade file integrity monitoring tools that check for specific known-malicious filenames

This multi-layered persistence strategy means that simply removing the identified web shell file does not remediate the compromise — the cron job will restore it within minutes.

Detection Challenges

Microsoft's researchers identified several reasons why this technique is particularly difficult to detect:

• Cookie-based C2 bypasses parameter-focused WAF rules that look for command injection patterns in URLs and POST bodies
• PHP web shells disguised as cache or temporary files avoid suspicious filenames
• Cron jobs installed under legitimate service accounts avoid standing out in process audits
• Low request volume — attackers issue commands infrequently to avoid anomalous traffic patterns

Indicators of Compromise

Organizations should look for:

• Unusual PHP files in web-accessible directories that were not part of original deployments
• Cron jobs that reference curl, wget, or file download commands targeting external IP addresses
• Outbound connections from web server processes (e.g., apache, nginx, www-data) to unusual external destinations
• Cookie headers containing high-entropy base64 strings in web access logs
• File modification timestamps that do not align with deployment records

Affected Environments

This technique is particularly prevalent against:

• WordPress, Joomla, and Drupal installations with vulnerable plugins that allow initial file write
• Web applications with file upload functionality that lacks sufficient content-type validation
• Legacy PHP applications running on older server configurations without modern security hardening

Recommended Mitigations

Microsoft recommends:

1. Enable PHP open_basedir restrictions to limit the directories PHP can access
2. Disable dangerous PHP functions where not required by application functionality
3. Deploy file integrity monitoring across all web-accessible directories with alerting on new or modified PHP files
4. Audit cron jobs for all system users, including service accounts, after any security incident
5. Review web access logs for anomalous cookie header content and outbound connection patterns from web processes
6. Use WAF rules that inspect cookie values for encoded payloads in addition to URL parameters

Broader Context

This research fits into a growing body of work documenting how attackers are using legitimate protocol features — cookies, HTTP headers, DNS TXT records, cloud storage APIs — as covert channels to avoid detection. As perimeter defenses improve, threat actors increasingly rely on techniques that blend malicious traffic with normal operational patterns.

The use of cron for persistence on Linux servers is well-documented in red team literature, but its combination with cookie-based C2 represents an increasingly mature operational security posture among threat actors targeting web infrastructure.

Source: The Hacker News