Web Shells Threat Protection

| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com/ |
| Categories | domains |
| Version | 3.0.4 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2022-05-22 |
| Solution Folder | Web Shells Threat Protection |
| Marketplace | Azure Marketplace · Popularity: 🟡 Low (46%) |
| Pre-requisites | Microsoft Defender XDR, Windows Security Events, Azure Web Application Firewall (WAF) |

The Web Shells Threat Protection solution contains security content that supports proactive (hunting) and reactive (alerting) detection of web shells used by attackers. Web shells are malicious scripts that attackers place on compromised internet-facing servers; they are commonly used as a backdoor into the targeted web applications and the hosts behind them. Microsoft Security Research has described the threat, usage and detection of web shells in an enterprise environment in the following blogs:

For details on the required solutions, see the Pre-requisites section below.

Keywords: WebDAV, SysAid, Mercury, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, SUPERNOVA, SpringShell, CVE-2022-22965

Pre-requisites

This solution depends on 3 other solutions:

- Azure Web Application Firewall (WAF)
- Microsoft Defender XDR
- Windows Security Events

Data Connectors

This solution does not include its own data connectors but uses connectors from dependency solutions:

Tables Used

This solution queries 4 tables from its content items:

| Table | Used By Content |
|---|---|
| AzureDiagnostics | Hunting |
| DeviceFileEvents | Analytics, Hunting |
| SecurityEvent | Analytics |
| W3CIISLog | Analytics, Hunting |

Internal Tables

The following 1 table is used internally by this solution's content items:

| Table | Used By Content |
|---|---|
| SecurityAlert | Analytics |

Content Items

This solution includes 9 content items:

| Content Type | Count |
|---|---|
| Hunting Queries | 6 |
| Analytic Rules | 3 |

Analytic Rules

| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| Identify SysAid Server web shell creation | High | InitialAccess | DeviceFileEvents, SecurityEvent |
| Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts | Medium | Persistence | W3CIISLog (internal use: SecurityAlert) |
| SUPERNOVA webshell | High | Persistence, CommandAndControl | W3CIISLog |

Hunting Queries

| Name | Tactics | Tables Used |
|---|---|---|
| Exchange IIS Worker Dropping Webshells | Execution, Persistence | DeviceFileEvents |
| Possible Webshell usage attempt related to SpringShell (CVE-2022-22965) | Execution | AzureDiagnostics |
| Possible webshell drop | Initial access, Execution, Persistence | DeviceFileEvents |
| UMWorkerProcess Creating Webshell | Execution, Persistence, Exploit | DeviceFileEvents |
| Web Shell Activity | Persistence, InitialAccess | W3CIISLog |
| Webshell Detection | Persistence, PrivilegeEscalation | W3CIISLog |

Release Notes

| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.4 | 10-06-2024 | Added missing AMA Data Connector reference in Analytic rules |
| 3.0.3 | 12-04-2024 | Updated Entity Mapping and Query of Analytic Rules Supernovawebshell.yaml and MaliciousAlertLinkedWebRequests.yaml |
| 3.0.2 | 22-02-2024 | Tagged for dependent Solutions for deployment |
| 3.0.1 | 25-10-2023 | Changes for rebranding from Microsoft 365 Defender to Microsoft Defender XDR |
| 3.0.0 | 12-07-2023 | Updated Hunting Queries descriptions to meet the 255 character limit |