What Is a Backdoor Attack? Types and Detection
A backdoor attack is the installation and use of a hidden access method that bypasses a system's normal authentication so an attacker can return undetected.
On December 13, 2020, FireEye disclosed that an update to the SolarWinds Orion network monitoring platform had been shipping a backdoor. The malicious code, called SUNBURST, rode into roughly 18,000 of SolarWinds' 300,000 customers inside a plugin that SolarWinds itself digitally signed. It sat dormant for up to two weeks, then beaconed out to attacker infrastructure that looked like normal Orion telemetry. The US and UK later attributed the campaign to Russia's foreign intelligence service, tracked as APT29. The defenders running Orion had patched, monitored, and signed-code-verified their way to a false sense of safety. The attacker walked in through the front door their own trusted vendor held open.
A backdoor attack is the planting and use of a hidden access method that bypasses a system's normal authentication. The point is not the break-in. The point is what comes after: a way back in that survives a password reset, a reboot, and often the cleanup that follows an incident. This guide covers what a backdoor is, the types you will actually encounter, how attackers install them and use them for persistence and command and control, how they map to MITRE ATT&CK, and the artifacts that give them away. It is written for the people who have to find one in their own environment: SOC analysts, threat hunters, and DFIR responders.
What is a backdoor attack?
A backdoor is any mechanism that lets someone reach a system or its data while skipping the authentication everyone else has to pass. A backdoor attack is the act of installing one and using it. The defining trait is bypass: a normal user logs in, a backdoor user does not have to.
Two things separate a backdoor from the rest of an intrusion. First, it is access, not damage. A backdoor does not encrypt files or steal data by itself; it is the door through which someone returns to do those things on their schedule. Second, it is meant to persist. A phished password works until the password changes. A backdoor is built to outlast that, which is why so many of them install as a service, a scheduled task, or code baked into something the system trusts.
Not every backdoor is criminal in origin. Some start as legitimate engineering: a maintenance hook a developer left in to debug a release, a hardcoded support account a vendor ships to recover locked devices, an undocumented diagnostic port. The intent was convenience. The effect is the same as a planted implant, because anyone who finds the hidden path can use it. The most dangerous backdoors are the ones nobody on the defending side knows exist.
A backdoor is one stage of a larger attack, and it usually sits downstream of an initial compromise: phishing, an exploited vulnerability, a stolen credential, or malware delivered some other way. The attacker gets in once, then drops a backdoor so the next visit costs nothing. That is the asymmetry defenders fight. You have to close every way in. The attacker only has to keep one.
Types of backdoors
Backdoors differ by where they live and how deep they sit. The deeper the layer, the harder the backdoor is to see and the longer it tends to survive. These categories overlap in practice, but the distinctions drive how you hunt for each one.
Web shells. A web shell is a script (PHP, ASP, JSP) planted on a public-facing web server that gives the attacker command execution through ordinary HTTP requests. It is the most common backdoor a SOC will meet, because internet-facing servers are the most exposed. The attacker exploits a file-upload flaw or an unpatched application, drops a small script into the web root, and from then on sends commands as web traffic that blends into normal logs. The China Chopper web shell is the textbook example: a server payload under one kilobyte paired with a client that drives it. Web shells are noisy in one specific way, covered in detection below.
Trojans and remote access trojans (RATs). A trojan is malware disguised as something benign that opens a backdoor once it runs. A remote access trojan is the full-featured version: it gives the operator a remote control panel over the host, with file transfer, keylogging, screen capture, and a shell. RATs are the workhorse backdoor of commodity crime and espionage alike. They call out to attacker infrastructure rather than listening for inbound connections, which lets them work from inside a network that blocks unsolicited inbound traffic.
Rootkits and bootkit-installed backdoors. A rootkit hides a backdoor by tampering with the operating system so the implant does not appear in process lists, file listings, or network tables. A bootkit goes lower still, infecting the boot process or firmware so the backdoor loads before the operating system and its defenses do. These are the hardest to find and the hardest to remove, because the tools you would use to inspect the system are the tools being lied to.
Hardware and firmware backdoors. Some backdoors live below the software entirely: malicious logic in a chip, a tampered BIOS or UEFI image, or a modified network device firmware. They survive a full disk wipe and an OS reinstall because they are not on the disk. These are rarer and usually associated with high-end or supply-chain attacks, but they are the reason "we reimaged the machine" is not always the end of an incident.
Supply-chain implants. Instead of breaking into the target, the attacker compromises something the target trusts and installs, then lets the victim deploy the backdoor for them. SUNBURST is the defining case: the implant arrived inside a signed, legitimate software update. A poisoned open-source dependency, a tampered container image, or a compromised build pipeline does the same thing. Supply-chain backdoors defeat the assumption that signed and vendor-sourced equals safe.
Default and hardcoded credentials. The simplest backdoor is a known username and password baked into a device or application, undocumented and often unchangeable. Many IoT and networking devices ship with them. They are not malware, so antivirus never flags them, and they are why botnets like Mirai scaled the way they did: a list of default credentials is a master key to thousands of devices that all opened the same way.
How attackers install and use a backdoor
Installing a backdoor is rarely the first move. It is what an attacker does once they already have a foothold, to turn a one-time intrusion into persistence. The pattern is consistent across intrusions: get in, establish a way back, then operate.
The install step plants the access mechanism somewhere durable. On Windows that often means a new service, a scheduled task, a registry Run key, or a malicious DLL loaded by a legitimate process. On Linux it might be a cron job, a modified SSH configuration, an added authorized key, or a systemd unit. On a web server it is the dropped web shell. The goal is the same regardless of platform: survive a reboot, and ideally survive the credential changes and cleanup that follow detection.
Then the backdoor establishes a channel. Most modern backdoors beacon outbound to a command and control server rather than waiting for an inbound connection, because outbound traffic crosses firewalls that block inbound. The implant phones home on an interval, asks for instructions, and executes what it receives. Attackers tune the beacon to hide: long sleep intervals, jitter so the timing is not strictly periodic, and protocols that look like normal traffic: HTTPS to a domain with a valid certificate, DNS queries, or traffic to a legitimate cloud service they have hijacked.
With the channel open, the backdoor is the attacker's anchor for everything that follows: pulling down more tools, harvesting credentials, and moving deeper into the network. The backdoor itself rarely does the damage. It is the stable platform the damage is launched from, which is exactly why finding and removing every instance matters more than cleaning up the payload that ran through it once.
How backdoors map to MITRE ATT&CK
ATT&CK is the common language for describing what a backdoor does, and a backdoor touches two tactics in particular.
Persistence (TA0003) is the tactic a backdoor exists to serve. ATT&CK defines persistence as the techniques adversaries use to keep access across restarts, changed credentials, and other interruptions. Specific techniques line up with the backdoor types above: web shells are T1505.003 (Server Software Component: Web Shell), a sub-technique under Persistence; scheduled tasks and services, new accounts, boot or logon autostart execution, and account manipulation are all persistence techniques a backdoor uses to anchor itself. A web shell, in ATT&CK's own words, lets an adversary backdoor a web server to establish persistent access.
Command and Control (TA0011) is the tactic the backdoor's channel falls under. ATT&CK defines C2 as the techniques adversaries use to communicate with systems they control, commonly mimicking normal traffic to avoid detection. The backdoor's beacon, its protocol choice, its use of web services or encrypted channels, all map here. Once you see a backdoor as a Persistence mechanism plus a command and control channel, the detection strategy follows directly: you are hunting for the anchor and for the phone-home.
Backdoors also feed later tactics. The access one provides is what enables Lateral Movement and the data theft of the Collection and Exfiltration tactics, but those are what the attacker does through the backdoor, not what the backdoor is.
Detecting a backdoor
Backdoors are built to be quiet, so detection is mostly about catching the few things they cannot hide. A backdoor has to persist somewhere, and it usually has to communicate. Both leave artifacts.
Anomalous outbound traffic. A beaconing backdoor produces a pattern: regular connections to the same external host, often at fixed intervals, frequently from a process that has no business making network connections. Hunt for periodic outbound sessions, traffic to newly registered or low-reputation domains, DNS with unusually high query volume or long subdomains, and beacons that persist after hours when the host should be idle. C2 traffic is where most live backdoors are found.
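The timing signal described above (and the jittered beacon described under "How attackers install and use a backdoor") can be hunted with a small script. The following is an added example, not code from the article: it takes outbound connection records, groups them by source, destination and process, and flags pairs whose inter-arrival gaps are nearly constant. The records and the allowlist of processes expected to reach the internet are constructed for the example; in practice the input would be Zeek conn.log, proxy logs or EDR network telemetry.

```python
"""Periodic-beacon hunt over outbound connection records.

Added example, not code from the article. The records below are constructed;
in practice they would come from Zeek conn.log, proxy logs, or EDR telemetry.
A backdoor that checks in on a timer produces inter-arrival gaps that cluster
tightly even when the operator adds jitter, so the coefficient of variation
(stdev / mean) of those gaps is a useful first filter.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed allowlist of processes expected to talk to the internet on a
# workstation. Anything outside it that beacons deserves a closer look.
EXPECTED_NETWORK_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

# Constructed sample: ws-17 checks in roughly every 60 s with a few seconds of
# jitter from a process that should not be on the network; ws-04 is a user browsing.
SAMPLE_CONNECTIONS = [
    # (epoch seconds, source host, destination, process)
    (1000, "ws-17", "203.0.113.10:443", "notepad.exe"),
    (1058, "ws-17", "203.0.113.10:443", "notepad.exe"),
    (1121, "ws-17", "203.0.113.10:443", "notepad.exe"),
    (1179, "ws-17", "203.0.113.10:443", "notepad.exe"),
    (1242, "ws-17", "203.0.113.10:443", "notepad.exe"),
    (1299, "ws-17", "203.0.113.10:443", "notepad.exe"),
    (1000, "ws-04", "198.51.100.7:443", "chrome.exe"),
    (1003, "ws-04", "198.51.100.7:443", "chrome.exe"),
    (1190, "ws-04", "198.51.100.7:443", "chrome.exe"),
    (1191, "ws-04", "198.51.100.7:443", "chrome.exe"),
    (1500, "ws-04", "198.51.100.7:443", "chrome.exe"),
    (2400, "ws-04", "198.51.100.7:443", "chrome.exe"),
]


def find_beacons(connections, min_connections=5, max_cv=0.2):
    """Return (src, dst, process) groups whose connection timing looks periodic.

    min_connections: with too few samples any timing can look regular by chance.
    max_cv: upper bound on stdev/mean of the gaps; 0 is a perfect metronome,
            and 10-20 % jitter still lands well under 0.2.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, proc in connections:
        by_pair[(src, dst, proc)].append(ts)

    findings = []
    for (src, dst, proc), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # all connections at the same instant: a burst, not a beacon
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "process": proc,
                "connections": len(stamps),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
                "process_expected": proc.lower() in EXPECTED_NETWORK_PROCESSES,
            })
    # Lowest variation first: the most metronomic pairs are the strongest leads.
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_CONNECTIONS):
        print(hit)
```

On the constructed sample the browsing host drops out (its gaps range from 1 s to 900 s) and ws-17 surfaces with a mean interval of about 60 s, a coefficient of variation near 0.04, and a process outside the allowlist. Long sleep intervals defeat this on short windows, so run it over at least a day of records and lower `min_connections` with care.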
Unexpected listening ports and connections. Some backdoors listen for inbound connections instead of beaconing. Baseline what each host should be listening on, then alert on the deltas. A workstation listening on a high port it never used before, or an outbound connection from a process like a web server reaching back to the internet, is worth a look.
Web shell artifacts. Web shells leave file-system and log evidence. Watch for new or modified script files in web-accessible directories, especially ones created right after a request to a vulnerable endpoint. In logs, look for a web server process spawning a command interpreter (cmd.exe, powershell.exe, sh, bash) as a child process, which a normal web server almost never does. That parent-child relationship is one of the most reliable web shell tells.
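Both web shell tells in the paragraph above, the web worker spawning an interpreter and the new script file in the web root, reduce to simple checks over telemetry. The following is an added example, not code from the article. The process-creation and file-creation events are constructed in the shape of Sysmon Event ID 1 and Event ID 11 records, and the web server process names, interpreter names, script extensions and known-good children are assumptions to be tuned per environment.

```python
"""Web shell tells in process-creation and file-creation telemetry.

Added example, not code from the article. Events are constructed in the shape
of Sysmon Event ID 1 (process create) and Event ID 11 (file create) records.
A web server worker almost never needs a command interpreter, so that
parent/child pair is the primary signal; a web root gaining a new executable
script is the companion file-system signal.
"""
import os

# Processes that serve HTTP requests (basenames, compared case-insensitively). Assumed list.
WEB_SERVER_PROCESSES = {"w3wp.exe", "httpd", "apache2", "nginx", "php-fpm"}
# Command interpreters a web shell typically spawns to run operator commands.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash"}
# Children a web worker may legitimately spawn; tune per environment.
# ASP.NET dynamic compilation, for example, runs csc.exe under w3wp.exe.
KNOWN_GOOD_CHILDREN = {"csc.exe", "cvtres.exe"}
# Script extensions the server will execute if they appear in its document root.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".asp", ".aspx", ".ashx", ".jsp", ".jspx"}

# Constructed process-creation events.
SAMPLE_PROCESS_EVENTS = [
    {"host": "web01", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "web01", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"host": "web02", "parent_image": "/usr/sbin/apache2", "image": "/bin/sh"},
    # An administrator's interactive shell spawning sh: parent is not a web worker.
    {"host": "web02", "parent_image": "/usr/bin/bash", "image": "/bin/sh"},
]

# Constructed file-creation events from the same hosts, plus each host's web root.
SAMPLE_FILE_EVENTS = [
    {"host": "web01", "path": r"C:\inetpub\wwwroot\uploads\avatar.png"},
    {"host": "web01", "path": r"C:\inetpub\wwwroot\uploads\image.aspx"},
    {"host": "web02", "path": "/var/www/html/wp-content/uploads/2024/cache.php"},
    {"host": "web02", "path": "/var/log/apache2/access.log"},
]
WEB_ROOTS = {"web01": r"C:\inetpub\wwwroot", "web02": "/var/www/html"}


def _normalize(path):
    """Lower-case, forward-slash form so Windows and POSIX paths compare alike."""
    return path.replace("\\", "/").lower()


def _basename(path):
    return _normalize(path).rsplit("/", 1)[-1]


def web_worker_spawned_child(events):
    """Flag children of web server processes that are not on the known-good list.

    Each finding carries an `interpreter` flag: True is the classic web shell
    signature, False is an unfamiliar child worth a review.
    """
    findings = []
    for ev in events:
        parent = _basename(ev["parent_image"])
        child = _basename(ev["image"])
        if parent in WEB_SERVER_PROCESSES and child not in KNOWN_GOOD_CHILDREN:
            findings.append({**ev, "interpreter": child in INTERPRETERS})
    return findings


def new_scripts_in_web_root(file_events, web_roots):
    """Return file-creation events for executable script types inside a host's web root."""
    findings = []
    for ev in file_events:
        root = web_roots.get(ev["host"])
        if root is None:
            continue
        path = _normalize(ev["path"])
        if not path.startswith(_normalize(root).rstrip("/") + "/"):
            continue
        if os.path.splitext(_basename(path))[1] in SCRIPT_EXTENSIONS:
            findings.append(ev)
    return findings


if __name__ == "__main__":
    for f in web_worker_spawned_child(SAMPLE_PROCESS_EVENTS):
        print("web worker child:", f)
    for f in new_scripts_in_web_root(SAMPLE_FILE_EVENTS, WEB_ROOTS):
        print("new script in web root:", f)
```

On the constructed events the two interpreter spawns (w3wp.exe to cmd.exe, apache2 to sh) and the two new scripts (image.aspx, cache.php) are flagged, while the csc.exe compile and the administrator's shell are not. Correlating a flagged file with the request that arrived just before it, as the paragraph suggests, is the natural next step.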
Integrity monitoring. File integrity monitoring catches the backdoor that modifies a trusted file: a changed system binary, an added SSH authorized key, a new service registration, an altered web application file. For the deepest backdoors, rootkits and bootkits, integrity checks from outside the running system (offline disk analysis, boot measurement, comparing against known-good hashes) are the only reliable view, because anything running on a rootkitted host can be lied to.
Persistence enumeration. Hunt the autostart locations directly: services, scheduled tasks, registry Run keys, startup folders, cron, systemd units, and the WMI subscriptions attackers favor. Compare against a known-good baseline. A backdoor that survives reboots has to register somewhere on this list, and that list is finite.
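Integrity monitoring and persistence enumeration, as the two paragraphs above describe them, are the same operation over different inventories: compare what the host has now against a known-good baseline and report what was added, removed or changed. The following is an added example, not code from the article. It hashes a directory tree for the file case and applies one diff routine to both a file inventory and an autostart inventory; the autostart entries are constructed, and collecting them from the real registry Run keys, services, scheduled tasks, cron, systemd units and WMI subscriptions is left to the collector that feeds this comparison.

```python
"""Known-good baseline comparison for files and autostart entries.

Added example, not code from the article. One diff routine serves both
integrity monitoring (path -> SHA-256) and persistence enumeration
(autostart entry -> command line), because both ask the same question:
what is on this host now that was not in the baseline, and what changed?
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map every regular file under root (as a relative path) to its SHA-256."""
    inventory = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            inventory[rel] = sha256_file(full)
    return inventory


def diff_inventory(baseline, current):
    """Compare two key -> value inventories; return added, removed and modified keys."""
    return {
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }


# Constructed autostart inventories: entry name -> command line. The baseline is
# what a known-good host registers; "current" shows a new service and a changed one.
BASELINE_AUTOSTART = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth":
        r"C:\Windows\System32\SecurityHealthSystray.exe",
    r"Service\Spooler": r"C:\Windows\System32\spoolsv.exe",
    r"SchedTask\Microsoft\Windows\Defrag\ScheduledDefrag": r"%windir%\system32\defrag.exe -c",
}
CURRENT_AUTOSTART = {
    **BASELINE_AUTOSTART,
    r"Service\Spooler": r"C:\Users\Public\spoolsv.exe",          # binary path changed
    r"Service\WinUpdateSvc": r"C:\Users\Public\svc.exe",         # entry not in baseline
}


def demo_file_integrity():
    """Baseline a scratch web root, alter it, and report the deltas."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'hello'; ?>\n")
        with open(os.path.join(root, "uploads", "logo.png"), "wb") as fh:
            fh.write(b"\x89PNG constructed placeholder")
        baseline = hash_tree(root)

        # Simulated changes: an existing page is altered and a new script appears.
        with open(os.path.join(root, "index.php"), "a") as fh:
            fh.write("// appended line\n")
        with open(os.path.join(root, "uploads", "cache.php"), "w") as fh:
            fh.write("<?php /* constructed placeholder, not a working script */ ?>\n")
        return diff_inventory(baseline, hash_tree(root))


if __name__ == "__main__":
    print("files:", demo_file_integrity())
    print("autostart:", diff_inventory(BASELINE_AUTOSTART, CURRENT_AUTOSTART))
```

For the rootkit and bootkit case the paragraph above makes, the same `hash_tree` must run against a disk image mounted offline or from trusted boot media, because a hash computed on the live host is only as honest as the kernel that served the bytes.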
Backdoor types and their detection signals
The type of backdoor determines where it hides, which determines where you look. This table maps each type to its tactic and its most reliable detection signal.
| Backdoor type | Where it lives | ATT&CK tactic | Strongest detection signal |
|---|---|---|---|
| Web shell | Web server document root | Persistence (T1505.003) | Web process spawning a shell; new script in web root |
| Trojan / RAT | User or system process | Persistence + C2 | Beaconing outbound to a C2 host |
| Rootkit | OS kernel or system libraries | Persistence | Integrity check from outside the running host |
| Bootkit / firmware | Boot process, UEFI, device firmware | Persistence | Boot measurement; survives OS reinstall |
| Supply-chain implant | Signed software or dependency | Persistence + C2 | Unexpected C2 from a trusted application |
| Default / hardcoded credentials | Device or app config | Persistence (Valid Accounts) | Logins to undocumented accounts; config audit |
Preventing and responding to backdoors
Prevention is about shrinking the ways a backdoor can be installed and the places it can hide. Patch internet-facing systems fast, because exploited public services are how most web shells arrive. Remove default and hardcoded credentials, and inventory the devices that ship with them. Restrict who and what can write to web roots, autostart locations, and system directories. Control outbound traffic so a beacon cannot freely reach the internet, and log DNS and proxy traffic so the beacon that does get out is visible. For the supply chain, verify software provenance, but treat signed-and-trusted as a reason to monitor behavior, not a reason to skip it, because SUNBURST was both.
Response to a confirmed backdoor has one rule that drives everything: find every instance before you evict any. Attackers plant more than one. Pull a single web shell and the operator returns through the second one you missed, and now they know you are watching. Scope first: identify all persistence mechanisms, all C2 channels, every host that beaconed. Then evict everything at once, rotate the credentials the attacker could have taken, and rebuild rather than clean the hosts where a kernel or firmware backdoor is possible. The same persistence enumeration and C2 hunting used to detect a backdoor is what scopes the eviction, which is why those skills sit at the center of both detection and response.
The bottom line
A backdoor attack is the installation and use of hidden access that bypasses authentication. It is not the damage; it is the door the damage comes through, built to persist past reboots, password resets, and incident cleanup. The types run from web shells on exposed servers, to remote access trojans and rootkits, down to firmware and supply-chain implants that survive a full reinstall, and they differ mainly in how deep they sit and how hard they are to see.
In ATT&CK terms a backdoor is a Persistence mechanism plus a Command and Control channel, and that framing is also the detection plan: hunt the anchor and hunt the phone-home. The artifacts are finite even when the backdoor is quiet: autostart locations, beaconing traffic, web servers that spawn shells, modified trusted files. SUNBURST is the reminder that signed and vendor-sourced is not the same as safe, and that the rule of response is to find every instance before evicting any, because the attacker only ever needs the one you missed.
Frequently asked questions
A backdoor attack is when someone installs a hidden way into a system that skips normal login, then uses it to come and go undetected. The backdoor is not the damage itself; it is the secret entrance an attacker uses to return and do things like steal data or spread further. It is built to survive reboots and password changes.
A trojan is malware disguised as something harmless that a user runs by mistake; a backdoor is the hidden access a trojan often installs once it executes. Put simply, the trojan is the delivery and disguise, and the backdoor is the persistent access it leaves behind. A remote access trojan (RAT) is a trojan whose whole purpose is to open and operate a backdoor.
No. Some backdoors begin as legitimate features: a maintenance hook a developer left in for debugging, a vendor support account, or an undocumented diagnostic interface. The intent is convenience, but the risk is identical, because anyone who discovers the hidden path can use it. The most dangerous backdoors are the ones the defenders do not know exist.
They install the backdoor somewhere that survives a reboot, such as a Windows service, a scheduled task, a registry autostart key, a cron job, or a modified SSH configuration. This maps to the MITRE ATT&CK Persistence tactic (TA0003). The goal is to keep access even after the original way in is closed, so cleaning up the initial compromise does not remove the attacker.
Hunt the two things a backdoor cannot fully hide: its persistence and its communication. Look for anomalous outbound traffic that beacons to the same host on an interval, unexpected listening ports, web servers spawning command shells, and changes to autostart locations and trusted files. File integrity monitoring and persistence enumeration against a known-good baseline catch most of what beaconing detection misses.
SUNBURST was a backdoor hidden inside legitimate, digitally signed updates to the SolarWinds Orion platform, disclosed in December 2020. It reached roughly 18,000 of SolarWinds' 300,000 customers and beaconed to attacker-controlled infrastructure disguised as normal Orion traffic. It is the defining example of a supply-chain backdoor, later attributed to the Russian intelligence group tracked as APT29.