Managed Sentinel – Alert 117
| Field | Value |
|---|---|
| Alert ID | MS-A117 |
| Alert Name | Web shell script detection on a website |
| Description | Web shells are scripts that, once uploaded to a web server, can be used for remote administration. Attackers often use web shells to obtain unauthorized access, escalate privileges and further compromise the environment. The query detects web shells that use GET requests by keyword searches in URL strings. |
| Severity Level | High |
| Threat Indicator | Compromised Host |
| MITRE ATT&CK Tactics | Execution, Lateral Movement |
| Log sources | Web Traffic |
| False Positive | Some web sites, such as wikis with articles on OS commands, have pages that include the OS commands in their URLs and may cause false positives. |
| Recommendations | 1. Remove the script from the web site. 2. Complete a full EDR scan on the web site. 3. Perform an investigation in Azure Sentinel based on the logs from the compromised web site systems to find any traffic to other corporate systems. 4. If any substantial records are identified that correlate to a real attack against the web site, perform a full rebuild of the web site in order to clean any potential malware running on the web site host. |
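The detection described above (keyword searches in the URL strings of GET requests) and the wiki false-positive case can be prototyped offline against web server logs. The following is an added example, not the Managed Sentinel query or any code from this alert definition: it parses constructed Combined Log Format lines, flags GET requests whose query parameter names or decoded URL text contain assumed web shell indicators, and suppresses hits under an assumed allowlist of path prefixes (such as a wiki) to address the false positive noted above. The keyword lists, the allowlist and the sample log lines are all assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample web access log lines (Combined Log Format) for the example;
# they are not real traffic and are not taken from the alert definition.
SAMPLE_LOGS = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /uploads/img.php?cmd=whoami HTTP/1.1" 200 64',
    '198.51.100.2 - - [10/Oct/2023:13:57:10 +0000] "GET /wiki/Unix_commands?search=whoami HTTP/1.1" 200 8192',
    '198.51.100.9 - - [10/Oct/2023:13:58:44 +0000] "GET /images/tool.php?act=ipconfig HTTP/1.1" 200 1024',
    '198.51.100.9 - - [10/Oct/2023:13:59:00 +0000] "POST /login HTTP/1.1" 302 0',
]

# Assumed indicator lists: query parameter names commonly used to pass a command
# to a web shell, and OS command names that rarely appear in legitimate URLs.
SUSPICIOUS_PARAMS = {"cmd", "command", "exec", "execute", "shell", "run"}
OS_COMMAND_RE = re.compile(r"\b(whoami|ipconfig|ifconfig|uname|tasklist|net\s+user)\b")

# Assumed allowlist: path prefixes where OS command names are expected content
# (the wiki case from the False Positive field).
DEFAULT_ALLOWLIST = ("/wiki/",)

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)


def parse_log_line(line):
    """Split one Combined Log Format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze_url(url):
    """Return (lowercased path, list of indicator tags) for a request URL.

    The URL is percent-decoded first so that encoded commands are still matched.
    """
    parsed = urlparse(unquote(url))
    path = parsed.path.lower()
    params = parse_qs(parsed.query, keep_blank_values=True)
    hits = []
    for name, values in params.items():
        if name.lower() in SUSPICIOUS_PARAMS:
            hits.append(f"param:{name.lower()}")
        for value in values:
            hits.extend(f"command:{c}" for c in OS_COMMAND_RE.findall(value.lower()))
    hits.extend(f"command:{c}" for c in OS_COMMAND_RE.findall(path))
    return path, hits


def detect_web_shell_requests(lines, allowlist_prefixes=DEFAULT_ALLOWLIST):
    """Flag GET requests whose URL carries web shell indicators, honouring the allowlist."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["method"] != "GET":
            continue  # the alert only covers GET requests
        path, hits = analyze_url(rec["url"])
        if not hits or any(path.startswith(p) for p in allowlist_prefixes):
            continue
        findings.append({
            "client": rec["client"],
            "url": rec["url"],
            "indicators": sorted(set(hits)),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_web_shell_requests(SAMPLE_LOGS):
        print(finding)
```

With the default allowlist the wiki request is suppressed and two requests are reported; running with `allowlist_prefixes=()` shows the wiki hit as well, which is the false positive the alert definition warns about. In a production rule the allowlist should be as narrow as possible, since an attacker-controlled script placed under an allowlisted prefix would be missed.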