Preface: Web shells are a well-known attacker technique, but they are often difficult to detect because of their proficiency in blending in with an existing web application.

Details: to gain root access to server. Web shells malware are frequently chosen by APT group; however these are just a small number of known used web shells.

Vulnerabilities and Environment executable frequently used by attackers:

CVE-2019-0604 (affecting Microsoft SharePoint)
CVE-2019-19781 (affecting Citrix appliances)
CVE-2019-3396 and CVE-2019-3398 (affecting Atlassian Confluence Server and Data Center Widget Connector)
CVE-2019-9978 (affecting the social-warfare plugin for WordPress)
CVE-2019-18935, CVE-2017-11317 and CVE-2017-11357 (affecting Progress Telerik UI)
CVE-2019-11580 (affecting Atlassian Crowd)
CVE-2020-10189 (affecting Zoho ManageEngine Desktop Central)
CVE-2019-8394 (affecting Zoho ManageEngine ServiceDesk Plus)
CVE-2020-0688 (affecting Microsoft Exchange Server)
CVE-2018-15961 (affecting Adobe ColdFusion).

Remark: Web shells malware are frequently chosen by APT group; however these are just a small number of known used web shells.

Official announcement – https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2159419/detect-prevent-cyber-attackers-from-exploiting-web-servers-via-web-shell-malware/