Bert-JanP / Hunting-Queries-Detection-Rules

KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.
https://kqlquery.com
BSD 3-Clause "New" or "Revised" License
1.14k stars, 213 forks

Adding `Webshell Detection` #22

Closed babakmhz closed 7 months ago

babakmhz commented 8 months ago

Hi! In this PR, I've added 2 hunting queries for MDE to hunt for webshells. Feel free to leave a comment :)
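The two queries the PR refers to are not shown on this page. As an added illustration of what a self-written Advanced Hunting webshell hunt for Microsoft Defender for Endpoint looks like (example code written for this page, not the PR author's or the repository's own query), the following KQL looks for command interpreters and discovery tools started by web server worker processes, which is the classic artifact of a webshell being driven by an attacker. The table and column names (`DeviceProcessEvents`, `InitiatingProcessFileName`, `FileName`, `ProcessCommandLine`, `AccountName`, `DeviceName`, `Timestamp`) are the real MDE schema; the process name lists are an assumed starting point to be tuned per environment.

```kql
// Added example, not from the PR: hunt for shells spawned by web server processes.
// Process names below are an assumed baseline; extend them for your web stack.
let WebServerProcesses = dynamic([
    "w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "php.exe", "tomcat.exe"
]);
// Children that a web server rarely has a legitimate reason to launch.
let SuspiciousChildren = dynamic([
    "cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe", "net.exe", "net1.exe",
    "ipconfig.exe", "systeminfo.exe", "tasklist.exe", "nltest.exe",
    "certutil.exe", "bitsadmin.exe", "rundll32.exe", "regsvr32.exe",
    "wscript.exe", "cscript.exe", "mshta.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName in~ (WebServerProcesses)
| where FileName in~ (SuspiciousChildren)
// Group per host and parent/child pair so one-off oddities stand out;
// keep up to 10 distinct command lines per group for triage.
| summarize FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Hits = count(),
            CommandLines = make_set(ProcessCommandLine, 10)
    by DeviceName, InitiatingProcessFileName, FileName, AccountName
// Rare pairs first: a single cmd.exe under w3wp.exe is more interesting
// than a scheduled maintenance script that fires every hour.
| order by Hits asc
```

The query deliberately keys on the parent process rather than on file content, so it also catches webshells that were uploaded in an encoded or obfuscated form; the trade-off is that legitimate web applications which shell out (for example to run `ipconfig` from an admin page) will show up and need an environment-specific allow list added to the `where` clauses.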

Bert-JanP commented 8 months ago

Hi! Nice queries, however I cannot accept them into the repo since they are not self-written and are bound by Microsoft's copyright. If they are used as a base they can be accepted if custom content is added with a reference.

babakmhz commented 7 months ago

@Bert-JanP Thanks for the comment, I've made the change to the previous queries as follows:

Bert-JanP commented 7 months ago

Awesome! Merged.

Bert-JanP commented 7 months ago

@babakmhz I have added credits to the readme and the file itself and some changes to be in line with the template.