Threat Hunting step-by-step: Collecting Web Shells 🐚 using Ephemeral Baselines
Turning a KQL hunting query into a Defender detection rule to spot unusual web server processes using simple statistics.
This is a quick follow-up to a previous article in which I explored the topic of Baselines in more detail; consider reading it before this one.
Here, I highlight a simple yet very powerful technique for finding potential web shells, based on the low prevalence of any successful attack scenario.
In the end, you will have a fully functional hunting and detection query.

With that in mind, let's start by defining a Hunting Hypothesis:
If an attacker exploits an internet-facing web server, the activity will generate unique traces in the logs, which can be identified through specific patterns or anomalies.
That's a very high-level one. What if we refine it a little bit? For instance, let's narrow it down to the following:
If an attacker successfully exploits a web server, the compromised process may spawn an unusual child process, which can be easily spotted when compared to a…
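The refined hypothesis expressed as an Advanced Hunting query, added here as an example and not the author's own query: it assumes the Microsoft Defender DeviceProcessEvents table, and the web server process list, the 14-day/1-day windows and the "seen on two or fewer devices" threshold are assumptions to tune for your estate.

```kql
// Added example (not the author's query). Assumes Microsoft Defender XDR
// Advanced Hunting and the DeviceProcessEvents table; the web server
// process list and the prevalence thresholds are assumptions to tune.
let baseline_window = 14d;   // period used to learn "normal" child processes
let recent_window   = 1d;    // period being hunted
let web_servers = dynamic(["w3wp.exe", "httpd", "nginx", "php-fpm", "tomcat", "java"]);
// 1. Ephemeral baseline: which (web server -> child) pairs are common
//    across the estate during the baseline window.
let baseline = DeviceProcessEvents
    | where Timestamp between (ago(baseline_window) .. ago(recent_window))
    | where InitiatingProcessFileName in~ (web_servers)
    | summarize BaselineCount = count(), BaselineDevices = dcount(DeviceId)
        by InitiatingProcessFileName, FileName;
// 2. Recent activity, aggregated per device and child process; arg_max keeps
//    Timestamp and ReportId so the result can be turned into a custom detection.
DeviceProcessEvents
| where Timestamp > ago(recent_window)
| where InitiatingProcessFileName in~ (web_servers)
| summarize RecentCount = count(), arg_max(Timestamp, ReportId),
    SampleCommandLine = take_any(ProcessCommandLine)
    by DeviceId, DeviceName, InitiatingProcessFileName, FileName
// 3. Keep only children never seen in the baseline, or seen on very few devices.
| join kind=leftouter baseline on InitiatingProcessFileName, FileName
| where isnull(BaselineCount) or BaselineDevices <= 2
| project Timestamp, DeviceId, DeviceName, ReportId, InitiatingProcessFileName,
    FileName, RecentCount, BaselineCount, BaselineDevices, SampleCommandLine
| order by RecentCount asc
```

Rare child processes of a web server (shells, scripting hosts, network tools) surface at the top; review SampleCommandLine before promoting the query to a detection rule, and widen the baseline window if your environment has little web traffic.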