New Blog Post | Web Shell Threat Hunting with Azure Sentinel

Web Shell Threat Hunting with Azure Sentinel - Microsoft Tech Community

In this blog post we will provide Microsoft Azure Sentinel customers with hunting queries to investigate possible on-premises Exchange Server exploitation and to identify additional attacker IOCs (indicators of compromise), such as IP address and User Agent. These hunting techniques can also be applied to web shell techniques targeting other web applications.