A threat actor has identified the potential vulnerability of the web server of an organization and is building an attack. What will the threat actor possibly do to build an attack weapon?

1. Collect credentials of the web server developers and administrators: This can be a preparatory step to facilitate unauthorized access. With credentials, a threat actor could gain legitimate access to the system and potentially escalate privileges or make changes without immediately triggering security measures.
2. Install a webshell on the web server for persistent access: This is a common attack method where the attacker places a webshell—a malicious script that can be accessed via a web browser—on the compromised server. This allows the attacker to maintain access to the server and remotely execute commands.
3. Obtain an automated tool in order to deliver the malware payload through the vulnerability: Automated tools or exploit kits can be used to deliver a malware payload to a vulnerable server. These tools often include multiple exploits for different vulnerabilities and are designed to automate the process of finding and exploiting weaknesses.
4. Create a point of persistence by adding services: By adding new services or modifying existing ones, an attacker can ensure that they maintain access to the system even after the initial entry point is closed or the vulnerability is patched.

Obtain an automated tool in order to deliver the malware payload through the vulnerability.

This step is typically one of the first in the exploitation phase of an attack. Automated tools can exploit known vulnerabilities quickly and efficiently. Once the vulnerability is exploited and the attacker has gained entry into the system, they may then proceed to install web shells for persistent access or create points of persistence by adding services, and potentially collect credentials to further their access and control within the network.