Listen to this Post
In this article, we explore how to turn a KQL hunting query into a Defender detection rule to identify unusual web server processes using ephemeral baselines.
Key Concepts:
- Ephemeral Baselines: Create transient baselines that are powerful for detecting anomalies without the need for persistent storage.
- Hunting Hypothesis to Detection: Transform your hunting query into a detection rule by identifying low-prevalence process pairs that may indicate web shell activity.
Practical Implementation:
Here’s a sample KQL query to detect unusual web server processes:
[kql]
let baseline = materialize (
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ “w3wp.exe”
| summarize BaselineCount = count() by ProcessCommandLine
);
DeviceProcessEvents
| where Timestamp > ago(1h)
| where InitiatingProcessFileName =~ “w3wp.exe”
| join kind=leftouter (baseline) on ProcessCommandLine
| where BaselineCount < 10 or isnull(BaselineCount)
| project Timestamp, DeviceName, ProcessCommandLine, BaselineCount
[/kql]
**Defender Detection Rule:**
To create a Defender detection rule, use the following PowerShell command:
New-MpPreference -AttackSurfaceReductionRules_Ids <RuleID> -AttackSurfaceReductionRules_Actions Enabled
**What Undercode Say:**
Threat hunting is a critical skill in cybersecurity, and leveraging tools like KQL and Defender can significantly enhance your ability to detect malicious activities. Ephemeral baselines provide a dynamic way to identify anomalies without the overhead of maintaining persistent data. By combining statistical analysis with real-time monitoring, you can effectively detect web shells and other threats.
Here are some additional commands and tools to enhance your threat-hunting capabilities:
1. **Linux Command to Monitor Processes:**
ps aux | grep 'w3wp|httpd|apache2'
2. **Windows Command to List Running Processes:**
[cmd]
tasklist /svc
[/cmd]
3. **Splunk Query for Anomaly Detection:**
[spl]
index=main sourcetype=access_combined | stats count by src_ip, uri_path | where count < 5
[/spl]
4. **Python Script for Log Analysis:**
import pandas as pd
logs = pd.read_csv('web_logs.csv')
anomalies = logs[logs['process'].value_counts() < 10]
print(anomalies)
For further reading, check out the article: Threat Hunting step-by-step: Collecting Web Shells using Ephemeral Baselines.
By mastering these techniques and tools, you can stay ahead of cyber threats and protect your systems effectively.
References:
Hackers Feeds, Undercode AI


