Threat Hunting step-by-step: Collecting Web Shells 🐚 using Ephemeral Baselines

Listen to this Post

In this article, we explore how to turn a KQL hunting query into a Defender detection rule to identify unusual web server processes using ephemeral baselines.

Key Concepts:

  1. Ephemeral Baselines: Create transient baselines that are powerful for detecting anomalies without the need for persistent storage.
  2. Hunting Hypothesis to Detection: Transform your hunting query into a detection rule by identifying low-prevalence process pairs that may indicate web shell activity.

Practical Implementation:

Here’s a sample KQL query to detect unusual web server processes:
[kql]
let baseline = materialize (
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ “w3wp.exe”
| summarize BaselineCount = count() by ProcessCommandLine
);
DeviceProcessEvents
| where Timestamp > ago(1h)
| where InitiatingProcessFileName =~ “w3wp.exe”
| join kind=leftouter (baseline) on ProcessCommandLine
| where BaselineCount < 10 or isnull(BaselineCount)
| project Timestamp, DeviceName, ProcessCommandLine, BaselineCount
[/kql]

**Defender Detection Rule:**

To create a Defender detection rule, use the following PowerShell command:

New-MpPreference -AttackSurfaceReductionRules_Ids <RuleID> -AttackSurfaceReductionRules_Actions Enabled

**What Undercode Say:**

Threat hunting is a critical skill in cybersecurity, and leveraging tools like KQL and Defender can significantly enhance your ability to detect malicious activities. Ephemeral baselines provide a dynamic way to identify anomalies without the overhead of maintaining persistent data. By combining statistical analysis with real-time monitoring, you can effectively detect web shells and other threats.

Here are some additional commands and tools to enhance your threat-hunting capabilities:

1. **Linux Command to Monitor Processes:**

ps aux | grep 'w3wp|httpd|apache2'

2. **Windows Command to List Running Processes:**

[cmd]
tasklist /svc
[/cmd]

3. **Splunk Query for Anomaly Detection:**

[spl]
index=main sourcetype=access_combined | stats count by src_ip, uri_path | where count < 5
[/spl]

4. **Python Script for Log Analysis:**

import pandas as pd
logs = pd.read_csv('web_logs.csv')
anomalies = logs[logs['process'].value_counts() < 10]
print(anomalies)

For further reading, check out the article: Threat Hunting step-by-step: Collecting Web Shells using Ephemeral Baselines.

By mastering these techniques and tools, you can stay ahead of cyber threats and protect your systems effectively.

References:

Hackers Feeds, Undercode AIFeatured Image