Web shells in backups: natural persistence

An attack discovered thanks to a webshell in a backup

A hurried recovery from backups is one of the most common mistakes in incident response practice: if the backup was infected, restoring it risks repeating the incident.

Now we have statistics that confirm how widespread this mistake is: our Compromise Assessment experts have prepared an analytical report on missed incidents detected in 2025 following requests for this service.

One of the most common threats found this way is web shells: they were encountered in 8% of our compromise assessment projects; 64% of these web shell incidents were classified as high-criticality.

Web shells also frequently persist in systems through backups: according to the report, 60% of all discovered web shells were located on active systems, while the remaining 40% were stored in backups and remained unnoticed until a full-fledged assessment was carried out.

A common problem that helps to hide this threat is asset inventory gaps, which were observed in 25% of engagements. This resulted in untracked devices, particularly cloud-only Linux web servers that are not joined to Active Directory, evading routine scans.

An attacker can plant a web shell on such a cloud server, and that server never appears in the inventory, though it is still regularly backed up. As a result, the web shell may persist on the cloud server for a long time. If it is occasionally deleted, the backup server later restores the infected files.

In one case we found a web shell located on an internal file server (not a web server) within a .rar archive at the following path:

D:\backup\[СКРЫТО].rar/wwwroot/<…>/[СКРЫТО].aspx

During the investigation, the server administrators indicated that the folder had been copied from a different server that was offline at the time of the assessment. Because of poor asset inventory, the company’s security team did not detect the infection of that machine. As a result of the backup procedure, the web shell was copied to the internal file server.
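The case above suggests a simple defensive check that many backup jobs lack: inspect archived web roots for server-side scripts carrying command-execution markers before restoring them. The following is an added example, not Kaspersky's tooling; it assumes ZIP archives (the Python standard library has no RAR support, so the .rar case on the page would need the third-party rarfile module with the same logic) and uses a constructed, inert sample archive.

```python
import io
import re
import zipfile
from pathlib import PurePosixPath

# Server-side script extensions that can act as a web shell when planted under a web root.
WEB_SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".php", ".jsp", ".jspx"}
# Directory names treated as web roots inside an archive (assumed list, extend per environment).
WEB_ROOT_DIRS = {"wwwroot", "htdocs", "public_html", "webapps"}
# Content heuristics: request-driven input feeding OS command or code execution.
SUSPICIOUS_PATTERNS = [
    re.compile(rb"Process\.Start|Diagnostics\.Process|cmd\.exe", re.I),
    re.compile(rb"Request\.(Form|QueryString|Item|Params)\[", re.I),
    re.compile(rb"\beval\s*\(|shell_exec|passthru|\bsystem\s*\(", re.I),
    re.compile(rb"Runtime\.getRuntime\(\)\.exec", re.I),
]


def scan_backup_archive(archive_bytes: bytes) -> list:
    """Return script files in the archive that match execution heuristics, flagging web-root hits."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename.replace("\\", "/"))
            if path.suffix.lower() not in WEB_SCRIPT_EXTS:
                continue
            data = zf.read(info)
            hits = [p.pattern.decode() for p in SUSPICIOUS_PATTERNS if p.search(data)]
            if hits:
                findings.append({
                    "path": str(path),
                    "web_root": any(part.lower() in WEB_ROOT_DIRS for part in path.parts),
                    "patterns": hits,
                })
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample backup: one benign page and two pages carrying only indicator tokens."""
    benign = b'<%@ Page Language="C#" %><html><body>Hello</body></html>'
    # Constructed marker text inside a server-side comment: matches the heuristics, executes nothing.
    marker_only = b'<%@ Page Language="C#" %><%-- Request.Form["x"] Process.Start --%>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("wwwroot/default.aspx", benign)
        zf.writestr("wwwroot/uploads/img.aspx", marker_only)  # inside a web root: restore blocker
        zf.writestr("docs/notes.aspx", marker_only)           # outside a web root: lower priority
    return buf.getvalue()
```

Findings with web_root set should block the restore until the file is reviewed; in the case described above, the hit would have been the .aspx file under wwwroot inside the archive on the file server.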

Forensic analysis of the offline server revealed that the adversary had introduced a backdoor to the majority of the Windows servers in the environment, configuring the local admin accounts with an identical password. The attack involved using PsExec to execute a .cmd script across all those servers to alter the local admin passwords (see the screenshot above).

Other examples of unnoticed incidents, as well as recommendations for their detection and prevention, will be presented at the webinar Missed Incidents: Compromise Assessment Insights by our experts Victor Sergeev and Amged Wageh on July 2 at 17:00 Moscow time on the Brighttalk platform: https://www.brighttalk.com/webcast/15591/669960