Managed Sentinel – Alert 117

Alert ID: MS-A117
Alert Name: Web shell script detection on a website
Description: Web shells are scripts that, when uploaded to a web server, can be used for remote administration. Attackers often use web shells to obtain unauthorized access, escalate privileges and further compromise the environment. The query detects web shells that use GET requests by searching for keywords in URL strings.
Severity Level: High
Threat Indicator: Compromised Host
MITRE ATT&CK Tactics: Execution, Lateral Movement
Log sources: Web Traffic
False Positive: Web sites such as wikis with articles on OS commands, and pages that include OS commands in their URLs, may trigger false positives.
Recommendations:
1. Remove the script from the web site
2. Complete a full EDR scan on the web site
3. Perform an investigation in Azure Sentinel based on the logs from the compromised web site systems to find any traffic to other corporate systems
4. If any substantial records are identified that correlate to a real attack against the web site, perform a full rebuild of the web site in order to clean any potential malware running on the web site host
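As an added worked example (not part of the Managed Sentinel alert content and not its KQL query), the Python below applies the detection logic the Description outlines, a keyword search over the URL of GET requests, to a few constructed access-log lines, and suppresses the wiki-style false positive noted under False Positive. The keyword list, the benign path prefixes, the log format and the sample lines are all assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed keyword list (an assumption for this example, not the Managed
# Sentinel query's own list): terms that commonly appear in the URL of a
# web-shell GET request.
SHELL_KEYWORDS = ("whoami", "uname", "ipconfig", "ifconfig", "cmd.exe",
                  "/bin/sh", "net user", "powershell")

# Assumed path prefixes where OS-command words legitimately appear in URLs
# (for instance a wiki article about "whoami"), the false-positive case the
# alert notes.
BENIGN_PATH_PREFIXES = ("/wiki/", "/docs/")

# Apache/NGINX combined-style access-log line (simplified field set).
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]+" (?P<status>\d{3}) (?P<size>\S+)')


def parse_log_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def keyword_hits(url):
    """Keywords found in the URL-decoded, lower-cased request URL."""
    decoded = unquote_plus(url).lower()
    return [k for k in SHELL_KEYWORDS if k in decoded]


def classify(line):
    """Classify one log line as 'alert', 'suppressed', 'clean' or 'unparsed'."""
    entry = parse_log_line(line)
    if entry is None:
        return "unparsed", []
    hits = keyword_hits(entry["url"])
    # Only GET requests are in scope for this alert.
    if entry["method"] != "GET" or not hits:
        return "clean", []
    path = urlsplit(entry["url"]).path.lower()
    if path.startswith(BENIGN_PATH_PREFIXES):
        return "suppressed", hits
    return "alert", hits


def detect(lines):
    """Return one alert record per suspicious GET request."""
    alerts = []
    for line in lines:
        verdict, hits = classify(line)
        if verdict == "alert":
            entry = parse_log_line(line)
            alerts.append({"src": entry["src"], "ts": entry["ts"],
                           "url": entry["url"], "keywords": hits})
    return alerts


# Constructed sample log lines (not real traffic); RFC 5737 documentation IPs.
SAMPLE_LOGS = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /images/upload.php?cmd=whoami HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /wiki/Whoami_(command) HTTP/1.1" 200 8192',
    '192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.7 - - [10/Oct/2023:13:58:40 +0000] "POST /images/upload.php HTTP/1.1" 200 64',
    '203.0.113.7 - - [10/Oct/2023:13:59:02 +0000] "GET /tmp/x.php?c=%2Fbin%2Fsh HTTP/1.1" 200 256',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Two details matter in practice: the URL is percent-decoded before matching, so an encoded `/bin/sh` is still caught, and the suppression keys on the request path rather than on the keyword, so a wiki article about `whoami` is dropped while the same word in a query string to an uploaded script still alerts. The allowlist is the knob to tune when reviewing false positives on a given site.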