{
	"id": "88153e52-1616-4472-94e9-f95558667968",
	"created_at": "2026-04-06T00:09:58.995403Z",
	"updated_at": "2026-04-10T03:35:48.419622Z",
	"deleted_at": null,
	"sha1_hash": "0343390059f5585b944142bdffadbd70dece631c",
	"title": "Web Shell Threat Hunting with Azure Sentinel",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 185736,
	"plain_text": "Web Shell Threat Hunting with Azure Sentinel\r\nBy TomMcElroy\r\nPublished: 2021-03-25 · Archived: 2026-04-05 22:35:08 UTC\r\n\r\nIn this blog post we will provide Microsoft Azure Sentinel customers with hunting queries to investigate possible on-premises Exchange Server exploitation and identify additional attacker IOCs (Indicators of compromise) such as IP address\r\nand User Agent. These hunting techniques can also be applied to web shell techniques targeting other web applications. 
\r\n\\n\\n\r\nThe techniques we discuss below have been adapted from the June 2020 blog post: Web shell threat hunting with Azure\r\nSentinel and Microsoft Threat Protection. The previous blog post analysed an attack against a\r\nSharePoint server, however, many of the techniques can also be applied to Exchange servers since it also uses IIS to host its\r\nweb interfaces. \r\n\\n\\n\r\nRecent vulnerabilities in on-premises Microsoft Exchange servers have led to deployment of web shells by threat\r\nactors. More information on these vulnerabilities can be found in this MSRC blog, details on threat actor HAFNIUM using\r\nthese vulnerabilities can be found in this MSTIC blog. MSRC has also provided guidance for responders, a one-click tool\r\nfor remediation and automatic remediation is delivered through Microsoft Defender for Endpoint. \r\n\\n\\n\r\nOur colleagues in Microsoft Defender Threat Intelligence have authored another blog that provides additional details on use\r\nof web shells in attacks taking advantage of the Exchange Server.  \r\n\\n\\n\r\nThe below diagram provides a high-level overview of an attacker leveraging these vulnerabilities to install a web shell on an\r\nExchange server. \r\n\\n\\n\\n\\n\\n\\n\r\nMicrosoft 365 Defender (M365D) detects web shell installation and execution activity. Security alerts and\r\nincidents generated by M365D can be written to the SecurityAlert table in Azure Sentinel by enabling the appropriate\r\nconnector. An example of a web shell installation alert in the Azure Sentinel SecurityAlert table can be seen below. \r\n\\n\\n\\n\\n\r\nThese alerts can be enriched in Azure Sentinel with new information from other log sources. When dealing\r\nwith remote attacks on web application servers, one of the best enrichment sources available are the web logs that have been\r\ngenerated. 
In the case that the application server is Microsoft Exchange the W3CIISLog can be used to enrich M365D alerts\r\nwith potential attacker information. Information on collecting IIS logs using the Log Analytics agent can be found here.\r\n\\n\\n\\n\r\nThe query below extracts alerts from M365D where a web script file has been observed as part of the alert. In the below\r\nexample, alerts containing ASP, ASPX, ASMX and ASAX files will be extracted; these are web script files commonly\r\nused by Exchange servers. \r\n\\n\\n\r\nAfter extracting relevant web shell alerts the query will join the alert information with the W3CIIS log, this allows the query\r\nto identify any clients that have accessed the potential shell file, allowing the potential attacker to be identified. A version of\r\nthe query below is already available as an Azure Sentinel detection and can be found here. \r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968\r\nPage 6 of 29\n\n\\n\\n\r\nlet timeWindow = 3d; \\n//Script file extensions to match on, can be expanded for your environment \\nlet scriptExtensions\r\n\\n\\n\\n\\n\\n\r\nExchange servers can be challenging to identify in default log data; however using data available in W3CIISLog, Exchange\r\nservers can be identified using predictable URI strings without relying on the hostname or site name. \r\n\\n\\n\r\nThe query below extracts the host name from W3CIISLog where a known Exchange URI path is observed, this provides a\r\nlist of hostnames that are running Exchange. This list of host names can then be used to aggregate information from\r\nthe alerts in the SecurityAlert table. 
\r\n\\n\\n\r\nW3CIISLog \\n| where csUriStem has_any(\\\"/owa/auth/\\\", \\\"/ecp/healthcheck.htm\\\", \\\"/ews/exchange.asmx\\\") \\n| summarize by\r\n\\n\\n\\n\\n\\n\r\nThe results of the query provide insights into whether additional security alerts beyond web shell alerts have been observed\r\non the host. Following deployment of a web shell it’s highly likely the threat actor will begin to execute further commands\r\non the server, triggering additional alerts. In the above example three Exchange servers were observed with security alerts.  \r\n\\n\\n\r\nThis same technique can be used to locate other web applications within the network that use common or predictable web\r\npaths.\r\n\\n\\n\\n\r\nW3CIISLog provides detailed logging on actions performed on Microsoft Internet Information Servers (IIS). Even when\r\nan Endpoint detection alert is not available, it is possible to explore W3CIISLogs for indicators of compromise. W3CIISLog\r\ncan also provide additional insights into which hosts in the network are web application servers. \r\n\\n\\n\r\nNote: As part of the original Microsoft HAFNIUM blog post, several hunting and detection queries were created to search\r\nfor artefacts specific to the use of recent vulnerabilities.\r\n\\n\\n\\n\r\nIf the URI associated with the vulnerable file on the server is known, a query can be constructed to identify log entries that\r\nmatch the URI pattern. W3CIIS logging stores the URI in the column named “csUriStem”, the below query can be used to\r\nsearch for a specific URI in logs and provide information on which clients have accessed them. Local IP addresses have\r\nbeen removed. \r\n\\n\\n\r\nW3CIISLog \\n| where TimeGenerated \u003e ago(3d) \\n| where not(ipv4_is_private(cIP)) \\n//Insert potentially exploited URI here\r\n\\n\\n\\n\\n\\n\r\nFor HAFNIUM attacks observed by MSTIC an indicator feed has been made available (CSV, JSON). 
A detection\r\nquery, that will check for the presence of indicators in multiple data sources, has also been made available by the Azure\r\nSentinel team. The detection can be found here, and IOCs released as feeds by MSTIC can be found in this directory. \r\n\\n\\n\r\nThe recent Exchange vulnerabilities do not need to be targeted at a specific file. Analysis of automated exploitation tools\r\nonline shows that many randomise the filenames used; this means that no legitimate user will visit these files as they do not\r\nexist on the server. As these filenames are randomly generated, static string matching cannot be used. \r\n\\n\\n\r\nThe Kusto “matches regex” operator can be used to perform regular expression matching on URIs. The below example\r\nextracts events where the URI matches files associated with the exploitation of CVE-2021-27065 from W3CIISLog. \r\n\\n\\n\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968\r\nPage 7 of 29\n\nW3CIISLog \\n| where TimeGenerated \u003e ago(3d) \\n| where not(ipv4_is_private(cIP)) \\n| where (csUriStem matches regex @\\\"\\\\/\r\n\\n\\n\\n\\n\\n\r\nThe previous queries can be limited when the files being exploited are commonly accessed. They would produce many\r\ncandidate attacker IP addresses, making analysis challenging. \r\n\\n\\n\r\nUsing the recent Exchange vulnerabilities as an example, Microsoft has seen malicious automated tools released publicly\r\nthat are being used to exploit the Exchange vulnerabilities. These tools are designed to only visit specific URIs on the server\r\nthat are required to perform the exploit. This activity differs from normal and legitimate Administrator or\r\nUser application browsing activity and if observed should be investigated. 
\r\n\\n\\n\r\nIt is possible to craft a query that uses basic statistical analysis to identify instances where a client has visited a\r\ndisproportionately high number of exploit-related URIs when compared to other URIs on the site. The query below\r\ncalculates the total number of suspicious URIs that have been visited by each user; it then calculates the total number of\r\nURIs visited by the user. Where the number of exploit related URIs is a significant proportion of URIs visited, a result is\r\nreturned. By default, the query requires over 90% of the URIs visited by the user to be suspicious. \r\n\\n\\n\r\nlet timeRange = 7d;\\n//Calculate number of suspicious URI stems visited by user \\nW3CIISLog\\n| where TimeGenerated \u003e ago(\r\n\\n\\n\\n\r\nWhile this query is designed to detect recent Exchange exploit activity, it can be easily adapted to other exploit chains if the\r\npages or URIs used are known. \r\n\\n\\n\\n\r\nA previously published hunting query  can be used to detect instances where resources on a server are requested by a single\r\nclient – a behaviour that should be investigated in the context of web shell exploits. After the\r\nactor creates a web shell on the server, it’s likely that they will be the only user to access the file to complete their intended\r\nobjective.  \r\n\\n\\n\\n\r\nIn the previous blog post covering SharePoint exploitation, a Jupyter Notebook Guided Investigation is provided. This\r\nnotebook can also be used to investigate on-prem Exchange compromises within your environment. \r\n\\n\\n\r\nThe notebook extracts alerts from Microsoft 365 Defender related to web shell activity; these can then be enriched with\r\ninformation from W3CIIS to identify the attacker IP and User Agent. The attacker’s IP and User Agent can be used to hunt\r\nthrough multiple log sources for potential post-compromise activity. 
\r\n\\n\\n\r\nAfter the attacker details have been identified, the notebook can be used to locate files that were accessed by the attacker\r\nprior to the web shell being installed. The notebook will also locate the first instance that the attacker visited the server. \r\n\\n\\n\r\nAzure-Sentinel-Notebooks/Guided Investigation - MDE Webshell Alerts.ipynb at master · Azure/Azure-Sentinel-Notebooks\r\n(github.com) \r\n\\n\\n\r\nInstructions for getting the notebook up and running can be found in the original blog post, under the title “Building out the\r\nInvestigation using Jupyter Notebooks”. \r\n\\n\\n\r\nYou can stay up to date with the latest information at https://aka.ms/exchangevulns. \r\n\",\"body@stringLength\":\"43412\",\"rawBody\":\"\r\nIn this blog post we will provide Microsoft Azure Sentinel customers with hunting queries to investigate possible on-premises Exchange Server exploitation and identify additional attacker IOCs (Indicators of compromise) such as IP address\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968\r\nPage 8 of 29\n\nand User Agent. These hunting techniques can also be applied to web shell techniques targeting other web applications. \r\n\\n\\n\r\nThe techniques we discuss below have been adapted from the June 2020 blog post: Web shell threat hunting with Azure\r\nSentinel and Microsoft Threat Protection. The previous blog post analysed an attack against a\r\nSharePoint server, however, many of the techniques can also be applied to Exchange servers since it also uses IIS to host its\r\nweb interfaces. \r\n\\n\\n\r\nRecent vulnerabilities in on-premises Microsoft Exchange servers have led to deployment of web shells by threat\r\nactors. More information on these vulnerabilities can be found in this MSRC blog, details on threat actor HAFNIUM using\r\nthese vulnerabilities can be found in this MSTIC blog. 
MSRC has also provided guidance for responders, a one-click tool\r\nfor remediation and automatic remediation is delivered through Microsoft Defender for Endpoint. \r\n\\n\\n\r\nOur colleagues in Microsoft Defender Threat Intelligence have authored another blog that provides additional details on use\r\nof web shells in attacks taking advantage of the Exchange Server.  \r\n\\n\\n\r\nThe below diagram provides a high-level overview of an attacker leveraging these vulnerabilities to install a web shell on an\r\nExchange server. \r\n\\n\\n\\n\\n\\n\r\nInvestigating web shell alerts \r\n\\n\r\nMicrosoft 365 Defender (M365D) detects web shell installation and execution activity. Security alerts and\r\nincidents generated by M365D can be written to the SecurityAlert table in Azure Sentinel by enabling the appropriate\r\nconnector. An example of a web shell installation alert in the Azure Sentinel SecurityAlert table can be seen below. \r\n\\n\\n\\n\\n\r\nThese alerts can be enriched in Azure Sentinel with new information from other log sources. When dealing\r\nwith remote attacks on web application servers, one of the best enrichment sources available are the web logs that have been\r\ngenerated. In the case that the application server is Microsoft Exchange the W3CIISLog can be used to enrich M365D alerts\r\nwith potential attacker information. Information on collecting IIS logs using the Log Analytics agent can be found here.\r\n\\n\\n\r\nIdentifying the Attacker IP address from Microsoft 365 Defender alerts \r\n\\n\r\nThe query below extracts alerts from M365D where a web script file has been observed as part of the alert. In the below\r\nexample, alerts containing ASP, ASPX, ASMX and ASAX files will be extracted; these are web script files commonly\r\nused by Exchange servers. 
\r\n\\n\\n\r\nAfter extracting relevant web shell alerts the query will join the alert information with the W3CIIS log, this allows the query\r\nto identify any clients that have accessed the potential shell file, allowing the potential attacker to be identified. A version of\r\nthe query below is already available as an Azure Sentinel detection and can be found here. \r\n\\n\\nlet timeWindow = 3d; \\n//Script file extensions to match on, can be expanded for your environment \\nlet\r\nscriptExtensions = dynamic([\\\".asp\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\"]); \\nSecurityAlert \\n| where TimeGenerated \u003e\r\nago(timeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n//Parse and expand the alert JSON \\n| extend alertData =\r\nparse_json(Entities) \\n| mvexpand alertData \\n| where alertData.Type == \\\"file\\\" \\n//This can be expanded to include more\r\nfile types \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), Directory =\r\ntostring(alertData.Directory) \\n| project TimeGenerated, FileName, Directory \\n| join ( \\nW3CIISLog \\n| where\r\nTimeGenerated \u003e ago(timeWindow) \\n| where csUriStem has_any(scriptExtensions) \\n| extend splitUriStem =\r\nsplit(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1] \\n| summarize StartTime=min(TimeGenerated),\r\nEndTime=max(TimeGenerated) by AttackerIP=cIP, AttackerUserAgent=csUserAgent, SiteName=sSiteName,\r\nShellLocation=csUriStem, tostring(FileName) \\n) on FileName \\n| project StartTime, EndTime, AttackerIP,\r\nAttackerUserAgent, SiteName, ShellLocation \\n\\n\\n\\n\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968\r\nPage 9 of 29\n\nIdentifying Exchange Servers \u0026 Associated Security Alerts \r\n\\n\r\nExchange servers can be challenging to identify in default log data; however using data available in W3CIISLog, Exchange\r\nservers can be identified using predictable 
URI strings without relying on the hostname or site name. \r\n\\n\\n\r\nThe query below extracts the host name from W3CIISLog where a known Exchange URI path is observed, this provides a\r\nlist of hostnames that are running Exchange. This list of host names can then be used to aggregate information from\r\nthe alerts in the SecurityAlert table. \r\n\\n\\nW3CIISLog \\n| where csUriStem has_any(\\\"/owa/auth/\\\", \\\"/ecp/healthcheck.htm\\\", \\\"/ews/exchange.asmx\\\") \\n|\r\nsummarize by computer=tolower(Computer) \\n| join kind=leftouter ( \\nSecurityAlert \\n| extend alertData =\r\nparse_json(Entities) \\n| mvexpand alertData \\n| where alertData.Type == \\\"host\\\" \\n| extend computer =\r\niff(isnotempty(alertData.DnsDomain), tolower(strcat(tostring(alertData.HostName), \\\".\\\" ,\r\ntostring(alertData.DnsDomain))),tolower(tostring(alertData.HostName))) \\n| summarize Alerts=dcount(SystemAlertId),\r\nAlertTimes=make_list(TimeGenerated), AlertNames=make_list(AlertName) by computer \\n) on computer \\n| project\r\nExchangeServer=computer, Alerts, AlertTimes, AlertNames \\n\\n\\n\\n\\n\r\nThe results of the query provide insights into whether additional security alerts beyond web shell alerts have been observed\r\non the host. Following deployment of a web shell it’s highly likely the threat actor will begin to execute further commands\r\non the server, triggering additional alerts. In the above example three Exchange servers were observed with security alerts.  \r\n\\n\\n\r\nThis same technique can be used to locate other web applications within the network that use common or predictable web\r\npaths.\r\n\\n\\n\r\nW3CIISLog Analysis \r\n\\n\r\nW3CIISLog provides detailed logging on actions performed on Microsoft Internet Information Servers (IIS). Even when\r\nan Endpoint detection alert is not available, it is possible to explore W3CIISLogs for indicators of compromise. 
W3CIISLog\r\ncan also provide additional insights into which hosts in the network are web application servers. \r\n\\n\\n\r\nNote: As part of the original Microsoft HAFNIUM blog post, several hunting and detection queries were created to search\r\nfor artefacts specific to the use of recent vulnerabilities.\r\n\\n\\n\r\nIdentifying generic exploitation activity \r\n\\n\r\nIf the URI associated with the vulnerable file on the server is known, a query can be constructed to identify log entries that\r\nmatch the URI pattern. W3CIIS logging stores the URI in the column named “csUriStem”, the below query can be used to\r\nsearch for a specific URI in logs and provide information on which clients have accessed them. Local IP addresses have\r\nbeen removed. \r\n\\n\\nW3CIISLog \\n| where TimeGenerated \u003e ago(3d) \\n| where not(ipv4_is_private(cIP)) \\n//Insert potentially exploited URI\r\nhere \\n| where csUriStem =~ \\\"/owa/auth/x.js\\\" \\n| project TimeGenerated, sSiteName, csMethod, csUriStem, sPort, cIP,\r\ncsUserAgent \\n\\n\\n\\n\\n\r\nFor HAFNIUM attacks observed by MSTIC an indicator feed has been made available (CSV, JSON). A detection\r\nquery, that will check for the presence of indicators in multiple data sources, has also been made available by the Azure\r\nSentinel team. The detection can be found here, and IOC’s released as feeds by MSTIC can be found in this directory. \r\n\\n\\n\r\nThe recent Exchange vulnerabilities do not need to be targeted at a specific file. Analysis of automated exploitation tools\r\nonline shows that many randomise the filenames used; this means that no legitimate user will visit these files as they do not\r\nexist on the server. As these filenames are randomly generated, static string matching cannot be used. 
\r\n\\n\\n\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968\r\nPage 10 of 29\n\nThe Kusto “matches regex” operator can be used to perform regular expression matching on URIs. The below example\r\nextracts events where the URI matches files associated with the exploitation of CVE-2021-27065 from W3CIISLog. \r\n\\n\\nW3CIISLog \\n| where TimeGenerated \u003e ago(3d) \\n| where not(ipv4_is_private(cIP)) \\n| where (csUriStem matches\r\nregex @\\\"\\\\/owa\\\\/auth\\\\/[A-Za-z0-9]{1,30}\\\\.js\\\") or (csUriStem matches regex @\\\"\\\\/ecp\\\\/[A-Za-z0-9]{1,30}\\\\.\r\n(js|flt|css)\\\") \\n| project TimeGenerated, sSiteName, csMethod, csUriStem, sPort, cIP, csUserAgent\\n\\n\\n\\n\\n\r\nThe previous queries can be limited when the files being exploited are commonly accessed. They would produce many\r\ncandidate attacker IP addresses, making analysis challenging. \r\n\\n\\n\r\nUsing the recent Exchange vulnerabilities as an example, Microsoft has seen malicious automated tools released publicly\r\nthat are being used to exploit the Exchange vulnerabilities. These tools are designed to only visit specific URIs on the server\r\nthat are required to perform the exploit. This activity differs from normal and legitimate Administrator or\r\nUser application browsing activity and if observed should be investigated. \r\n\\n\\n\r\nIt is possible to craft a query that uses basic statistical analysis to identify instances where a client has visited a\r\ndisproportionately high number of exploit-related URIs when compared to other URIs on the site. The query below\r\ncalculates the total number of suspicious URIs that have been visited by each user (identified in the query by client IP address and User Agent); it then calculates the total number of\r\nURIs visited by the user. Where the number of exploit related URIs is a significant proportion of URIs visited, a result is\r\nreturned. By default, the query requires over 90% of the URIs visited by the user to be suspicious. The query divides two integer counts, so the percentage may be truncated by integer division; converting the counts with todouble() lets thresholds below 100% behave as described. 
\r\n\\n\\nlet timeRange = 7d;\\n//Calculate number of suspicious URI stems visited by user \\nW3CIISLog\\n| where\r\nTimeGenerated \u003e ago(timeRange)\\n| where not(ipv4_is_private(cIP)) \\n| where (csUriStem matches regex\r\n@\\\"\\\\/owa\\\\/auth\\\\/[A-Za-z0-9]{1,30}\\\\.js\\\") or (csUriStem matches regex @\\\"\\\\/ecp\\\\/[A-Za-z0-9]{1,30}\\\\.(js|flt|css)\\\") or\r\n(csUriStem =~ \\\"/ews/exchange.asmx\\\") \\n| extend userHash = hash_md5(strcat(cIP, csUserAgent)) \\n| summarize\r\nsusCount=dcount(csUriStem), make_list(csUriStem), min(TimeGenerated), max(TimeGenerated) by userHash, cIP,\r\ncsUserAgent \\n| join kind=leftouter ( \\n//Calculate unique URI stems visited by each user \\nW3CIISLog \\n| where\r\nTimeGenerated \u003e ago(timeRange) \\n| where not(ipv4_is_private(cIP))\\n| extend userHash = hash_md5(strcat(cIP,\r\ncsUserAgent)) \\n| summarize allCount=dcount(csUriStem) by userHash \\n) on userHash \\n//Find instances where only a\r\ncommon endpoint was seen \\n| extend containsDefault = iff(list_csUriStem contains \\\"/ews/exchange.asmx\\\", 1, 0) \\n//If we\r\nonly see the common endpoint and nothing else dump it \\n| extend result = iff(containsDefault == 1,\r\ncontainsDefault+susCount, 0) \\n| where result != 2 \\n| extend susPercentage = susCount / allCount * 100 \\n| where\r\nsusPercentage \u003e 90 \\n| project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, AttackerIP=cIP,\r\nAttackerUA=csUserAgent, URIsVisited=list_csUriStem, suspiciousPercentage=susPercentage, allUriCount=allCount,\r\nsuspiciousUriCount=susCount\\n\\n\\n\r\nWhile this query is designed to detect recent Exchange exploit activity, it can be easily adapted to other exploit chains if the\r\npages or URIs used are known. 
\r\n\\n\\n\r\nRare Client File Access \r\n\\n\r\nA previously published hunting query  can be used to detect instances where resources on a server are requested by a single\r\nclient – a behaviour that should be investigated in the context of web shell exploits. After the\r\nactor creates a web shell on the server, it’s likely that they will be the only user to access the file to complete their intended\r\nobjective.  \r\n\\n\\n\r\nInvestigating the Attacker \r\n\\n\r\nIn the previous blog post covering SharePoint exploitation, a Jupyter Notebook Guided Investigation is provided. This\r\nnotebook can also be used to investigate on-prem Exchange compromises within your environment. \r\n\\n\\n\r\nThe notebook extracts alerts from Microsoft 365 Defender related to web shell activity; these can then be enriched with\r\ninformation from W3CIIS to identify the attacker IP and User Agent. The attacker’s IP and User Agent can be used to hunt\r\nthrough multiple log sources for potential post-compromise activity. \r\n\\n\\n\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968\r\nPage 11 of 29\n\nAfter the attacker details have been identified, the notebook can be used to locate files that were accessed by the attacker\r\nprior to the web shell being installed. The notebook will also locate the first instance that the attacker visited the server. \r\n\\n\\n\r\nAzure-Sentinel-Notebooks/Guided Investigation - MDE Webshell Alerts.ipynb at master · Azure/Azure-Sentinel-Notebooks\r\n(github.com) \r\n\\n\\n\r\nInstructions for getting the notebook up and running can be found in the original blog post, under the title “Building out the\r\nInvestigation using Jupyter Notebooks”. \r\n\\n\\n\r\nYou can stay up to date with the latest information at https://aka.ms/exchangevulns. 
*\r\n0.9))\",\"secondaryBgColor\":\"var(--lia-bs-gray-200)\",\"secondaryBgHoverColor\":\"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.96))\",\"secondaryBgActiveColor\":\"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.92))\",\"secondaryBorder\":\"1px solid\r\ntransparent\",\"secondaryBorderHover\":\"1px solid transparent\",\"secondaryBorderActive\":\"1px solid\r\ntransparent\",\"secondaryBorderFocus\":\"1px solid transparent\",\"secondaryBoxShadowFocus\":\"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l),\r\n0.2)\",\"tertiaryTextColor\":\"var(--lia-bs-gray-900)\",\"tertiaryTextHoverColor\":\"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.95))\",\"tertiaryTextActiveColor\":\"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-\r\ns), calc(var(--lia-bs-gray-900-l) *\r\n0.9))\",\"tertiaryBgColor\":\"transparent\",\"tertiaryBgHoverColor\":\"transparent\",\"tertiaryBgActiveColor\":\"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.04)\",\"tertiaryBorder\":\"1px solid\r\ntransparent\",\"tertiaryBorderHover\":\"1px solid hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l),\r\n0.08)\",\"tertiaryBorderActive\":\"1px solid transparent\",\"tertiaryBorderFocus\":\"1px solid\r\ntransparent\",\"tertiaryBoxShadowFocus\":\"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)\",\"destructiveTextColor\":\"var(--lia-bs-danger)\",\"destructiveTextHoverColor\":\"hsl(var(--lia-bs-danger-h), var(--lia-bs-danger-s), calc(var(--lia-bs-danger-l) *\r\n0.95))\",\"destructiveTextActiveColor\":\"hsl(var(--lia-bs-danger-h), var(--lia-bs-danger-s), calc(var(--lia-bs-danger-l) 
*\r\n0.9))\",\"destructiveBgColor\":\"var(--lia-bs-gray-200)\",\"destructiveBgHoverColor\":\"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.96))\",\"destructiveBgActiveColor\":\"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.92))\",\"destructiveBorder\":\"1px solid\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968\r\nPage 13 of 29\n\ntransparent\",\"destructiveBorderHover\":\"1px solid transparent\",\"destructiveBorderActive\":\"1px solid\r\ntransparent\",\"destructiveBorderFocus\":\"1px solid transparent\",\"destructiveBoxShadowFocus\":\"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l),\r\n0.2)\",\"__typename\":\"ButtonsThemeSettings\"},\"border\":{\"color\":\"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l),\r\n0.08)\",\"mainContent\":\"NONE\",\"sideContent\":\"LIGHT\",\"radiusSm\":\"3px\",\"radius\":\"5px\",\"radiusLg\":\"9px\",\"radius50\":\"100vw\",\"__typename\":\"BorderT\r\n{\"xs\":\"0 0 0 1px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.08), 0 3px 0 -1px\r\nhsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.16)\",\"sm\":\"0 2px 4px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.12)\",\"md\":\"0 5px 15px hsla(var(--lia-bs-gray-900-h), var(--\r\nlia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.3)\",\"lg\":\"0 10px 30px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s),\r\nvar(--lia-bs-gray-900-l), 
0.3)\",\"__typename\":\"BoxShadowThemeSettings\"},\"cards\":{\"bgColor\":\"var(--lia-panel-bg-color)\",\"borderRadius\":\"var(--lia-panel-border-radius)\",\"boxShadow\":\"var(--lia-box-shadow-xs)\",\"__typename\":\"CardsThemeSettings\"},\"chip\":\r\n{\"maxWidth\":\"300px\",\"height\":\"30px\",\"__typename\":\"ChipThemeSettings\"},\"coreTypes\":\r\n{\"defaultMessageLinkColor\":\"var(--lia-bs-link-color)\",\"defaultMessageLinkDecoration\":\"none\",\"defaultMessageLinkFontStyle\":\"NORMAL\",\"defaultMessageLinkFontWeight\":\"400\",\"defaultMessageF\r\n-lia-bs-font-family-base)\",\"forumColor\":\"#4099E2\",\"forumFontFamily\":\"var(--lia-bs-font-family-base)\",\"forumFontWeight\":\"var(--lia-default-message-font-weight)\",\"forumLineHeight\":\"var(--lia-bs-line-height-base)\",\"forumFontStyle\":\"var(--lia-default-message-font-style)\",\"forumMessageLinkColor\":\"var(--lia-default-message-link-color)\",\"forumMessageLinkDecoration\":\"var(--lia-default-message-link-decoration)\",\"forumMessageLinkFontStyle\":\"var(--\r\nlia-default-message-link-font-style)\",\"forumMessageLinkFontWeight\":\"var(--lia-default-message-link-font-weight)\",\"forumSolvedColor\":\"#148563\",\"blogColor\":\"#1CBAA0\",\"blogFontFamily\":\"var(--lia-bs-font-family-base)\",\"blogFontWeight\":\"var(--lia-default-message-font-weight)\",\"blogLineHeight\":\"1.75\",\"blogFontStyle\":\"var(--lia-default-message-font-style)\",\"blogMessageLinkColor\":\"var(--lia-default-message-link-color)\",\"blogMessageLinkDecoration\":\"var(--lia-default-message-link-decoration)\",\"blogMessageLinkFontStyle\":\"var(--lia-default-message-link-font-style)\",\"blogMessageLinkFontWeight\":\"var(--lia-default-message-link-font-weight)\",\"tkbColor\":\"#4C6B90\",\"tkbFontFamily\":\"var(--lia-bs-font-family-base)\",\"tkbFontWeight\":\"var(--lia-default-message-font-weight)\",\"tkbLineHeight\":\"1.75\",\"tkbFontStyle\":\"var(--lia-default-message-font-style)\",\"tkbMessageLinkColor\":\"var(--lia-default-message-link-color)\
",\"tkbMessageLinkDecoration\":\"var(--lia-default-message-link-decoration)\",\"tkbMessageLinkFontStyle\":\"var(--lia-default-message-link-font-style)\",\"tkbMessageLinkFontWeight\":\"var(--lia-default-message-link-font-weight)\",\"qandaColor\":\"#4099E2\",\"qandaFontFamily\":\"var(--lia-bs-font-family-base)\",\"qandaFontWeight\":\"var(--lia-default-message-font-weight)\",\"qandaLineHeight\":\"var(--lia-bs-line-height-base)\",\"qandaFontStyle\":\"var(--lia-default-message-link-font-style)\",\"qandaMessageLinkColor\":\"var(--lia-default-message-link-color)\",\"qandaMessageLinkDecoration\":\"var(--lia-default-message-link-decoration)\",\"qandaMessageLinkFontStyle\":\"var(--\r\nlia-default-message-link-font-style)\",\"qandaMessageLinkFontWeight\":\"var(--lia-default-message-link-font-weight)\",\"qandaSolvedColor\":\"#3FA023\",\"ideaColor\":\"#FF8000\",\"ideaFontFamily\":\"var(--lia-bs-font-family-base)\",\"ideaFontWeight\":\"var(--lia-default-message-font-weight)\",\"ideaLineHeight\":\"var(--lia-bs-line-height-base)\",\"ideaFontStyle\":\"var(--lia-default-message-font-style)\",\"ideaMessageLinkColor\":\"var(--lia-default-message-link-color)\",\"ideaMessageLinkDecoration\":\"var(--lia-default-message-link-decoration)\",\"ideaMessageLinkFontStyle\":\"var(--lia-default-message-link-font-style)\",\"ideaMessageLinkFontWeight\":\"var(--lia-default-message-link-font-weight)\",\"contestColor\":\"#FCC845\",\"contestFontFamily\":\"var(--lia-bs-font-family-base)\",\"contestFontWeight\":\"var(--lia-default-message-font-weight)\",\"contestLineHeight\":\"var(--lia-bs-line-height-base)\",\"contestFontStyle\":\"var(--lia-default-message-link-font-style)\",\"contestMessageLinkColor\":\"var(--lia-default-message-link-color)\",\"contestMessageLinkDecoration\":\"var(--lia-default-message-link-decoration)\",\"contestMessageLinkFontStyle\":\"ITALIC\",\"contestMessageLinkFontWeight\":\"var(--lia-default-message-link-font-weight)\",\"occasionColor\":\"#bc341b\",\"occasionFontFamily\":\"var(--
lia-bs-font-family-base)\",\"occasionFontWeight\":\"var(--lia-default-message-font-weight)\",\"occasionLineHeight\":\"var(--lia-bs-line-height-base)\",\"occasionFontStyle\":\"var(--lia-default-message-font-style)\",\"occasionMessageLinkColor\":\"var(--lia-default-message-link-color)\",\"occasionMessageLinkDecoration\":\"var(--lia-default-message-link-decoration)\",\"occasionMessageLinkFontStyle\":\"var(--lia-default-message-link-font-style)\",\"occasionMessageLinkFontWeight\":\"var(--lia-default-message-link-font-weight)\",\"grouphubColor\":\"#333333\",\"categoryColor\":\"#949494\",\"communityColor\":\"#FFFFFF\",\"productColor\":\"#949494\",\"__typename\":\"CoreTypesT\r\n{\"black\":\"#000000\",\"white\":\"#FFFFFF\",\"gray100\":\"#F7F7F7\",\"gray200\":\"#F7F7F7\",\"gray300\":\"#E8E8E8\",\"gray400\":\"#D9D9D9\",\"gray500\":\"#CCCC\r\n-lia-bs-primary)\",\"custom\":[\"#D3F5A4\",\"#243A5E\"],\"__typename\":\"ColorsThemeSettings\"},\"divider\":\r\n{\"size\":\"3px\",\"marginLeft\":\"4px\",\"marginRight\":\"4px\",\"borderRadius\":\"50%\",\"bgColor\":\"var(--lia-bs-gray-600)\",\"bgColorActive\":\"var(--lia-bs-gray-600)\",\"__typename\":\"DividerThemeSettings\"},\"dropdown\":{\"fontSize\":\"var(--\r\nlia-bs-font-size-sm)\",\"borderColor\":\"var(--lia-bs-border-color)\",\"borderRadius\":\"var(--lia-bs-border-radius-sm)\",\"dividerBg\":\"var(--lia-bs-gray-300)\",\"itemPaddingY\":\"5px\",\"itemPaddingX\":\"20px\",\"headerColor\":\"var(--lia-bs-gray-700)\",\"__typename\":\"DropdownThemeSettings\"},\"email\":{\"link\":\r\n{\"color\":\"#0069D4\",\"hoverColor\":\"#0061c2\",\"decoration\":\"none\",\"hoverDecoration\":\"underline\",\"__typename\":\"EmailLinkSettings\"},\"border\":\r\n{\"color\":\"#e4e4e4\",\"__typename\":\"EmailBorderSettings\"},\"buttons\":\r\n{\"borderRadiusLg\":\"5px\",\"paddingXLg\":\"16px\",\"paddingYLg\":\"7px\",\"fontWeight\":\"700\",\"primaryTextColor\":\"#ffffff\",\"primaryTextHoverColor\":\"#fffff\r\nsolid transparent\",\"primaryBorderHover\":\"1px solid 
transparent\",\"__typename\":\"EmailButtonsSettings\"},\"panel\":\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968\r\nPage 14 of 29\n\n{\"borderRadius\":\"5px\",\"borderColor\":\"#e4e4e4\",\"__typename\":\"EmailPanelSettings\"},\"__typename\":\"EmailThemeSettings\"},\"emoji\":\r\n{\"skinToneDefault\":\"#ffcd43\",\"skinToneLight\":\"#fae3c5\",\"skinToneMediumLight\":\"#e2cfa5\",\"skinToneMedium\":\"#daa478\",\"skinToneMediumDark\":\"#\r\n{\"color\":\"var(--lia-bs-body-color)\",\"fontFamily\":\"Segoe\r\nUI\",\"fontStyle\":\"NORMAL\",\"fontWeight\":\"400\",\"h1FontSize\":\"34px\",\"h2FontSize\":\"32px\",\"h3FontSize\":\"28px\",\"h4FontSize\":\"24px\",\"h5FontSize\":\"20\r\n-lia-bs-headings-font-weight)\",\"h2FontWeight\":\"var(--lia-bs-headings-font-weight)\",\"h3FontWeight\":\"var(--lia-bs-headings-font-weight)\",\"h4FontWeight\":\"var(--lia-bs-headings-font-weight)\",\"h5FontWeight\":\"var(--lia-bs-headings-font-weight)\",\"h6FontWeight\":\"var(--lia-bs-headings-font-weight)\",\"__typename\":\"HeadingThemeSettings\"},\"icons\":\r\n{\"size10\":\"10px\",\"size12\":\"12px\",\"size14\":\"14px\",\"size16\":\"16px\",\"size20\":\"20px\",\"size24\":\"24px\",\"size30\":\"30px\",\"size40\":\"40px\",\"size50\":\"50px\",\"s\r\n{\"bgColor\":\"var(--lia-bs-gray-900)\",\"titleColor\":\"var(--lia-bs-white)\",\"controlColor\":\"var(--lia-bs-white)\",\"controlBgColor\":\"var(--lia-bs-gray-800)\",\"__typename\":\"ImagePreviewThemeSettings\"},\"input\":\r\n{\"borderColor\":\"var(--lia-bs-gray-600)\",\"disabledColor\":\"var(--lia-bs-gray-600)\",\"focusBorderColor\":\"var(--lia-bs-primary)\",\"labelMarginBottom\":\"10px\",\"btnFontSize\":\"var(--lia-bs-font-size-sm)\",\"focusBoxShadow\":\"0 0 0 3px hsla(var(-\r\n-lia-bs-primary-h), var(--lia-bs-primary-s), 
var(--lia-bs-primary-l),\r\n0.2)\",\"checkLabelMarginBottom\":\"2px\",\"checkboxBorderRadius\":\"3px\",\"borderRadiusSm\":\"var(--lia-bs-border-radius-sm)\",\"borderRadius\":\"var(--lia-bs-border-radius)\",\"borderRadiusLg\":\"var(--lia-bs-border-radius-lg)\",\"formTextMarginTop\":\"4px\",\"textAreaBorderRadius\":\"var(--lia-bs-border-radius)\",\"activeFillColor\":\"var(--lia-bs-primary)\",\"__typename\":\"InputThemeSettings\"},\"loading\":{\"dotDarkColor\":\"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.2)\",\"dotLightColor\":\"hsla(var(--lia-bs-white-h), var(--lia-bs-white-s), var(--lia-bs-white-l),\r\n0.5)\",\"barDarkColor\":\"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l),\r\n0.06)\",\"barLightColor\":\"hsla(var(--lia-bs-white-h), var(--lia-bs-white-s), var(--lia-bs-white-l),\r\n0.4)\",\"__typename\":\"LoadingThemeSettings\"},\"link\":{\"color\":\"var(--lia-bs-primary)\",\"hoverColor\":\"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) -\r\n10%))\",\"decoration\":\"none\",\"hoverDecoration\":\"underline\",\"__typename\":\"LinkThemeSettings\"},\"listGroup\":\r\n{\"itemPaddingY\":\"15px\",\"itemPaddingX\":\"15px\",\"borderColor\":\"var(--lia-bs-gray-300)\",\"__typename\":\"ListGroupThemeSettings\"},\"modal\":{\"contentTextColor\":\"var(--lia-bs-body-color)\",\"contentBg\":\"var(--lia-bs-white)\",\"backgroundBg\":\"var(--lia-bs-black)\",\"smSize\":\"440px\",\"mdSize\":\"760px\",\"lgSize\":\"1080px\",\"backdropOpacity\":0.3,\"contentBoxShadowXs\":\"var(--lia-bs-box-shadow-sm)\",\"contentBoxShadow\":\"var(--lia-bs-box-shadow)\",\"headerFontWeight\":\"700\",\"__typename\":\"ModalThemeSettings\"},\"navbar\":{\"position\":\"FIXED\",\"background\":\r\n{\"attachment\":null,\"clip\":null,\"color\":\"var(--lia-bs-white)\",\"imageAssetName\":\"\",\"imageLastModified\":\"0\",\"origin\":null,\"position\":\"CENTER_CENTER\",\"repeat\":\"NO_REPEAT\",\"size\":\"COVER\",\"__typ\r\nsolid 
var(--lia-bs-border-color)\",\"boxShadow\":\"var(--lia-bs-box-shadow-sm)\",\"brandMarginRight\":\"30px\",\"brandMarginRightSm\":\"10px\",\"brandLogoHeight\":\"30px\",\"linkGap\":\"10px\",\"linkJustifyContent\":\"flex-start\",\"linkPaddingY\":\"5px\",\"linkPaddingX\":\"10px\",\"linkDropdownPaddingY\":\"9px\",\"linkDropdownPaddingX\":\"var(--lia-nav-link-px)\",\"linkColor\":\"var(--lia-bs-body-color)\",\"linkHoverColor\":\"var(--lia-bs-primary)\",\"linkFontSize\":\"var(--lia-bs-font-size-sm)\",\"linkFontStyle\":\"NORMAL\",\"linkFontWeight\":\"400\",\"linkTextTransform\":\"NONE\",\"linkLetterSpacing\":\"normal\",\"linkBorderRadius\":\"var(-\r\n-lia-bs-border-radius-sm)\",\"linkBgColor\":\"transparent\",\"linkBgHoverColor\":\"transparent\",\"linkBorder\":\"none\",\"linkBorderHover\":\"none\",\"linkBoxShadow\":\"none\",\"linkBoxS\r\n-lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)\",\"controllerBgHoverColor\":\"hsla(var(--lia-bs-black-h),\r\nvar(--lia-bs-black-s), var(--lia-bs-black-l), 0.1)\",\"controllerIconColor\":\"var(--lia-bs-body-color)\",\"controllerIconHoverColor\":\"var(--lia-bs-body-color)\",\"controllerTextColor\":\"var(--lia-nav-controller-icon-color)\",\"controllerTextHoverColor\":\"var(--lia-nav-controller-icon-hover-color)\",\"controllerHighlightColor\":\"hsla(30, 
100%,\r\n50%)\",\"controllerHighlightTextColor\":\"var(--lia-yiq-light)\",\"controllerBorderRadius\":\"var(--lia-border-radius-50)\",\"hamburgerColor\":\"var(--lia-nav-controller-icon-color)\",\"hamburgerHoverColor\":\"var(--lia-nav-controller-icon-color)\",\"hamburgerBgColor\":\"transparent\",\"hamburgerBgHoverColor\":\"transparent\",\"hamburgerBorder\":\"none\",\"hamburgerBorderHover\":\"none\",\"collap\r\n-lia-nav-link-color)\",\"collapseMenuDividerOpacity\":0.16,\"__typename\":\"NavbarThemeSettings\"},\"pager\":\r\n{\"textColor\":\"var(--lia-bs-link-color)\",\"textFontWeight\":\"var(--lia-font-weight-md)\",\"textFontSize\":\"var(--lia-bs-font-size-sm)\",\"__typename\":\"PagerThemeSettings\"},\"panel\":{\"bgColor\":\"var(--lia-bs-white)\",\"borderRadius\":\"var(--lia-bs-border-radius)\",\"borderColor\":\"var(--lia-bs-border-color)\",\"boxShadow\":\"none\",\"__typename\":\"PanelThemeSettings\"},\"popover\":\r\n{\"arrowHeight\":\"8px\",\"arrowWidth\":\"16px\",\"maxWidth\":\"300px\",\"minWidth\":\"100px\",\"headerBg\":\"var(--lia-bs-white)\",\"borderColor\":\"var(--lia-bs-border-color)\",\"borderRadius\":\"var(--lia-bs-border-radius)\",\"boxShadow\":\"0 0.5rem\r\n1rem hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l),\r\n0.15)\",\"__typename\":\"PopoverThemeSettings\"},\"prism\":{\"color\":\"#000000\",\"bgColor\":\"#f5f2f0\",\"fontFamily\":\"var(--font-family-monospace)\",\"fontSize\":\"var(--lia-bs-font-size-base)\",\"fontWeightBold\":\"var(--lia-bs-font-weight-bold)\",\"fontStyleItalic\":\"italic\",\"tabSize\":2,\"highlightColor\":\"#b3d4fc\",\"commentColor\":\"#62707e\",\"punctuationColor\":\"#6f6f6f\",\"namespaceOpacity\":\"\r\n0%, 100%,\r\n0.5)\",\"keywordColor\":\"#0076a9\",\"functionColor\":\"#d3284b\",\"variableColor\":\"#c14700\",\"__typename\":\"PrismThemeSettings\"},\"rte\":\r\n{\"bgColor\":\"var(--lia-bs-white)\",\"borderRadius\":\"var(--lia-panel-border-radius)\",\"boxShadow\":\" 
var(--lia-panel-box-shadow)\",\"customColor1\":\"#bfedd2\",\"customColor2\":\"#fbeeb8\",\"customColor3\":\"#f8cac6\",\"customColor4\":\"#eccafa\",\"customColor5\":\"#c2e0f4\",\"custo\r\n53%, 51%, 0.4)\",\"diffChangedColor\":\"hsla(43, 97%, 63%, 0.4)\",\"diffNoneColor\":\"hsla(0, 0%, 80%,\r\n0.4)\",\"diffRemovedColor\":\"hsla(9, 74%, 47%,\r\n0.4)\",\"specialMessageHeaderMarginTop\":\"40px\",\"specialMessageHeaderMarginBottom\":\"20px\",\"specialMessageItemMarginTop\":\"0\",\"specialMessageIt\r\n-lia-bs-gray-https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968\r\nPage 15 of 29\n\n700)\",\"tableBorderStyle\":\"solid\",\"tableCellPaddingX\":\"5px\",\"tableCellPaddingY\":\"5px\",\"tableTextColor\":\"var(--lia-bs-body-color)\",\"tableVerticalAlign\":\"middle\",\"__typename\":\"RteThemeSettings\"},\"tags\":{\"bgColor\":\"var(--lia-bs-gray-200)\",\"bgHoverColor\":\"var(--lia-bs-gray-400)\",\"borderRadius\":\"var(--lia-bs-border-radius-sm)\",\"color\":\"var(--lia-bs-body-color)\",\"hoverColor\":\"var(--lia-bs-body-color)\",\"fontWeight\":\"var(--lia-font-weight-md)\",\"fontSize\":\"var(--lia-font-size-xxs)\",\"textTransform\":\"UPPERCASE\",\"letterSpacing\":\"0.5px\",\"__typename\":\"TagsThemeSettings\"},\"toasts\":\r\n{\"borderRadius\":\"var(--lia-bs-border-radius)\",\"paddingX\":\"12px\",\"__typename\":\"ToastsThemeSettings\"},\"typography\":\r\n{\"fontFamilyBase\":\"Segoe\r\nUI\",\"fontStyleBase\":\"NORMAL\",\"fontWeightBase\":\"400\",\"fontWeightLight\":\"300\",\"fontWeightNormal\":\"400\",\"fontWeightMd\":\"500\",\"fontWeightBold\r\n[{\"source\":\"SERVER\",\"name\":\"Segoe 
UI\",\"styles\":[{\"style\":\"NORMAL\",\"weight\":\"400\",\"__typename\":\"FontStyleData\"},\r\n{\"style\":\"NORMAL\",\"weight\":\"300\",\"__typename\":\"FontStyleData\"},\r\n{\"style\":\"NORMAL\",\"weight\":\"600\",\"__typename\":\"FontStyleData\"},\r\n{\"style\":\"NORMAL\",\"weight\":\"700\",\"__typename\":\"FontStyleData\"},\r\n{\"style\":\"ITALIC\",\"weight\":\"400\",\"__typename\":\"FontStyleData\"}],\"assetNames\":[\"SegoeUI-normal-400.woff2\",\"SegoeUI-normal-300.woff2\",\"SegoeUI-normal-600.woff2\",\"SegoeUI-normal-700.woff2\",\"SegoeUI-italic-400.woff2\"],\"__typename\":\"CustomFont\"},{\"source\":\"SERVER\",\"name\":\"MWF Fluent Icons\",\"styles\":\r\n[{\"style\":\"NORMAL\",\"weight\":\"400\",\"__typename\":\"FontStyleData\"}],\"assetNames\":[\"MWFFluentIcons-normal-400.woff2\"],\"__typename\":\"CustomFont\"}],\"__typename\":\"TypographyThemeSettings\"},\"unstyledListItem\":\r\n{\"marginBottomSm\":\"5px\",\"marginBottomMd\":\"10px\",\"marginBottomLg\":\"15px\",\"marginBottomXl\":\"20px\",\"marginBottomXxl\":\"25px\",\"__typename\"\r\n{\"light\":\"#ffffff\",\"dark\":\"#000000\",\"__typename\":\"YiqThemeSettings\"},\"colorLightness\":\r\n{\"primaryDark\":0.36,\"primaryLight\":0.74,\"primaryLighter\":0.89,\"primaryLightest\":0.95,\"infoDark\":0.39,\"infoLight\":0.72,\"infoLighter\":0.85,\"infoLighte\r\nshared/client/components/common/Loading/LoadingDot-1775111751244\":\r\n{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-shared/client/components/common/Loading/LoadingDot-1775111751244\",\"value\":\r\n{\"title\":\"Loading...\"},\"localOverride\":false},\"CachedAsset:quilt:o365.prod:pages/blogs/BlogMessagePage:board:MicrosoftSentinelBlog-1775111749391\":\r\n{\"__typename\":\"CachedAsset\",\"id\":\"quilt:o365.prod:pages/blogs/BlogMessagePage:board:MicrosoftSentinelBlog-1775111749391\",\"value\":{\"id\":\"BlogMessagePage\",\"container\":{\"id\":\"Common\",\"headerProps\":\r\n{\"backgroundImageProps\":null,\"backgroundColor\":null,\"addComponents\":null,\"remove
Components\":\r\n[\"community.widget.bannerWidget\"],\"componentOrder\":null,\"__typename\":\"QuiltContainerSectionProps\"},\"headerComponentProps\":\r\n{\"community.widget.breadcrumbWidget\":\r\n{\"disableLastCrumbForDesktop\":false}},\"footerProps\":null,\"footerComponentProps\":null,\"items\":[{\"id\":\"blog-article\",\"layout\":\"ONE_COLUMN\",\"bgColor\":null,\"showTitle\":null,\"showDescription\":null,\"textPosition\":null,\"textColor\":null,\"sectionEditLevel\":\"LOC\r\n{\"main\":[{\"id\":\"blogs.widget.blogArticleWidget\",\"className\":\"lia-blog-container\",\"props\":null,\"__typename\":\"QuiltComponent\"}],\"__typename\":\"OneSectionColumns\"}},{\"id\":\"section-1729184836777\",\"layout\":\"MAIN_SIDE\",\"bgColor\":\"transparent\",\"showTitle\":false,\"showDescription\":false,\"textPosition\":\"CENTER\",\"textColor\":\"var\r\n-lia-bs-body-color)\",\"sectionEditLevel\":null,\"bgImage\":null,\"disableSpacing\":null,\"edgeToEdgeDisplay\":null,\"fullHeight\":null,\"showBorder\":null,\"__typename\":\"Ma\r\n{\"main\":[],\"side\":[{\"id\":\"custom.widget.UnregisteredCTAWidget\",\"className\":null,\"props\":\r\n{\"widgetVisibility\":\"anonymousOnly\",\"useTitle\":true,\"useBackground\":false,\"title\":\"\",\"lazyLoad\":false,\"widgetChooser\":\"custom.widget.UnregisteredCT\r\ncomponents/common/EmailVerification-1775111751244\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/common/EmailVerification-1775111751244\",\"value\":{\"email.verification.title\":\"Email Verification\r\nRequired\",\"email.verification.message.update.email\":\"To participate in the community, you must first verify your email\r\naddress. The verification email was sent to {email}. To change your email, visit My\r\nSettings.\",\"email.verification.message.resend.email\":\"To participate in the community, you must first verify your email\r\naddress. The verification email was sent to {email}. 
Resend email.\"},\"localOverride\":false},\"CachedAsset:text:en_US-pages/blogs/BlogMessagePage-1775111751244\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-pages/blogs/BlogMessagePage-1775111751244\",\"value\":{\"title\":\"{contextMessageSubject} |\r\n{communityTitle}\",\"errorMissing\":\"This blog post cannot be found\",\"name\":\"Blog Message Page\",\"section.blog-article.title\":\"Blog Post\",\"archivedMessageTitle\":\"This Content Has Been Archived\",\"section.section-1729184836777.title\":\"\",\"section.section-1729184836777.description\":\"\",\"section.CncIde.title\":\"Blog\r\nPost\",\"section.tifEmD.description\":\"\",\"section.tifEmD.title\":\"\"},\"localOverride\":false},\"CachedAsset:quiltWrapper:o365.prod:Common:1775111734980\"\r\n{\"__typename\":\"CachedAsset\",\"id\":\"quiltWrapper:o365.prod:Common:1775111734980\",\"value\":\r\n{\"id\":\"Common\",\"header\":{\"backgroundImageProps\":\r\n{\"assetName\":null,\"backgroundSize\":\"COVER\",\"backgroundRepeat\":\"NO_REPEAT\",\"backgroundPosition\":\"CENTER_CENTER\",\"lastModified\":null,\"\r\n[{\"id\":\"community.widget.navbarWidget\",\"props\":\r\n{\"showUserName\":true,\"showRegisterLink\":true,\"useIconLanguagePicker\":true,\"useLabelLanguagePicker\":true,\"style\":\r\n{\"boxShadow\":\"var(--lia-bs-box-shadow-sm)\",\"linkFontWeight\":\"400\",\"controllerHighlightColor\":\"hsla(30, 100%,\r\n50%)\",\"dropdownDividerMarginBottom\":\"10px\",\"hamburgerBorderHover\":\"none\",\"linkFontSize\":\"14px\",\"linkBoxShadowHover\":\"none\",\"backgroundO\r\n-lia-border-radius-50)\",\"hamburgerBgColor\":\"transparent\",\"linkTextBorderBottom\":\"none\",\"hamburgerColor\":\"var(--lia-nav-controller-icon-color)\",\"brandLogoHeight\":\"30px\",\"linkLetterSpacing\":\"normal\",\"linkBgHoverColor\":\"transparent\",\"collapseMenuDividerOpacity\":0.16,\"paddingBottom\r\nsolid 
var(--lia-bs-border-color)\",\"hamburgerBorder\":\"none\",\"dropdownPaddingX\":\"10px\",\"brandMarginRightSm\":\"10px\",\"linkBoxShadow\":\"none\",\"linkJustifyContent\":\"flex-start\",\"linkColor\":\"var(--lia-bs-body-color)\",\"collapseMenuDividerBg\":\"var(--lia-nav-link-https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968\r\nPage 16 of 29\n\ncolor)\",\"dropdownPaddingTop\":\"10px\",\"controllerTextColor\":\"var(--lia-nav-controller-icon-color)\",\"controllerHighlightTextColor\":\"var(--lia-yiq-dark)\",\"background\":{\"imageAssetName\":\"\",\"color\":\"var(--lia-bs-white)\",\"size\":\"COVER\",\"repeat\":\"NO_REPEAT\",\"position\":\"CENTER_CENTER\",\"imageLastModified\":\"\"},\"linkBorderRadius\":\"var(-\r\n-lia-bs-border-radius-sm)\",\"linkHoverColor\":\"var(--lia-bs-body-color)\",\"position\":\"FIXED\",\"linkBorder\":\"none\",\"linkTextBorderBottomHover\":\"2px solid var(--lia-bs-primary)\",\"brandMarginRight\":\"30px\",\"hamburgerHoverColor\":\"var(--lia-nav-controller-icon-color)\",\"linkBorderHover\":\"none\",\"collapseMenuMarginLeft\":\"20px\",\"linkFontStyle\":\"NORMAL\",\"linkPaddingX\":\"10px\",\"controllerTextHoverColor\":\r\n-lia-nav-controller-icon-hover-color)\",\"paddingTop\":\"15px\",\"linkPaddingY\":\"5px\",\"linkTextTransform\":\"NONE\",\"dropdownBorderColor\":\"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)\",\"controllerBgHoverColor\":\"hsla(var(--lia-bs-black-h), var(--\r\nlia-bs-black-s), var(--lia-bs-black-l), 
0.1)\",\"linkDropdownPaddingX\":\"var(--lia-nav-link-px)\",\"linkBgColor\":\"transparent\",\"linkDropdownPaddingY\":\"9px\",\"controllerIconColor\":\"var(--lia-bs-body-color)\",\"dropdownDividerMarginTop\":\"10px\",\"linkGap\":\"10px\",\"controllerIconHoverColor\":\"var(--lia-bs-body-color)\"},\"links\":{\"sideLinks\":[],\"logoLinks\":[],\"mainLinks\":[{\"children\":\r\n[],\"linkType\":\"INTERNAL\",\"id\":\"gxcuf89792\",\"params\":{},\"routeName\":\"CommunityPage\"},{\"children\":\r\n[],\"linkType\":\"EXTERNAL\",\"id\":\"community-hub-link\",\"url\":\"/Directory\",\"target\":\"SELF\"},{\"children\":\r\n[{\"linkType\":\"INTERNAL\",\"id\":\"Common-microsoft365-link\",\"params\":\r\n{\"categoryId\":\"microsoft365\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-windows-link\",\"params\":{\"categoryId\":\"Windows\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-microsoft-security-link\",\"params\":{\"categoryId\":\"microsoft-security\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-microsoft-teams-link\",\"params\":\r\n{\"categoryId\":\"MicrosoftTeams\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-azure-link\",\"params\":{\"categoryId\":\"Azure\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-content_management-link\",\"params\":{\"categoryId\":\"Content_Management\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-microsoftintune-link\",\"params\":\r\n{\"categoryId\":\"microsoftintune\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-exchange-link\",\"params\":{\"categoryId\":\"Exchange\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-windows-server-link\",\"params\":{\"categoryId\":\"Windows-Server\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-outlook-link\",\"params\":\r\n{\"categoryId\":\"Outlook
\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-microsoft365-copilot-link\",\"params\":{\"categoryId\":\"Microsoft365Copilot\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"EXTERNAL\",\"id\":\"Common_Enntvz-view-all-products-link\",\"url\":\"/Directory\",\"target\":\"SELF\"}],\"linkType\":\"EXTERNAL\",\"id\":\"products-link\",\"url\":\"/\",\"target\":\"SELF\"},\r\n{\"children\":[{\"linkType\":\"INTERNAL\",\"id\":\"Common-education-sector-link\",\"params\":\r\n{\"categoryId\":\"EducationSector\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-partner-community-link\",\"params\":{\"categoryId\":\"PartnerCommunity\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-healthcare-and-life-sciences-link\",\"params\":\r\n{\"categoryId\":\"HealthcareAndLifeSciences\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-i-t-ops-talk-link\",\"params\":{\"categoryId\":\"ITOpsTalk\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-public-sector-link\",\"params\":\r\n{\"categoryId\":\"PublicSector\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-microsoftfor-nonprofits-link\",\"params\":{\"categoryId\":\"MicrosoftforNonprofits\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-io-t-link\",\"params\":{\"categoryId\":\"IoT\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-mvp-link\",\"params\":{\"categoryId\":\"mvp\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-microsoft-mechanics-link\",\"params\":\r\n{\"categoryId\":\"MicrosoftMechanics\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-driving-adoption-link\",\"params\":{\"categoryId\":\"DrivingAdoption\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-microsoft-learn-for-educators-link\",\"params\":
{\"categoryId\":\"microsoft-learn-for-educators\"},\"routeName\":\"CategoryPage\"}],\"linkType\":\"EXTERNAL\",\"id\":\"topics-link\",\"url\":\"/\",\"target\":\"SELF\"},\r\n{\"children\":[],\"linkType\":\"EXTERNAL\",\"id\":\"all-blogs-link\",\"url\":\"/Blogs\",\"target\":\"SELF\"},{\"children\":\r\n[],\"linkType\":\"EXTERNAL\",\"id\":\"all-events-link\",\"url\":\"/Events\",\"target\":\"SELF\"},{\"children\":\r\n[{\"linkType\":\"INTERNAL\",\"id\":\"Skills-Hub-link\",\"params\":{\"categoryId\":\"skills-hub\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Skills-Hub-Blog\",\"params\":{\"boardId\":\"skills-hub-blog\",\"categoryId\":\"skills-hub\"},\"routeName\":\"BlogBoardPage\"},{\"linkType\":\"EXTERNAL\",\"id\":\"ms-learn-ext-LD\",\"url\":\"/category/skills-hub?\r\ntab=grouphub\",\"target\":\"BLANK\"},{\"linkType\":\"EXTERNAL\",\"id\":\"ms-learn-ext-dynamics\",\"url\":\"https://docs.microsoft.com/learn/dynamics365/?WT.mc_id=techcom_header-webpage-m365\",\"target\":\"BLANK\"},{\"linkType\":\"EXTERNAL\",\"id\":\"ms-learn-ext-m365\",\"url\":\"https://docs.microsoft.com/learn/m365/?wt.mc_id=techcom_header-webpage-m365\",\"target\":\"BLANK\"},\r\n{\"linkType\":\"EXTERNAL\",\"id\":\"ms-learn-ext-security\",\"url\":\"https://docs.microsoft.com/learn/topics/sci/?\r\nwt.mc_id=techcom_header-webpage-m365\",\"target\":\"BLANK\"},{\"linkType\":\"EXTERNAL\",\"id\":\"ms-learn-ext-pp\",\"url\":\"https://docs.microsoft.com/learn/powerplatform/?wt.mc_id=techcom_header-webpage-powerplatform\",\"target\":\"BLANK\"},{\"linkType\":\"EXTERNAL\",\"id\":\"ms-learn-ext-github\",\"url\":\"https://docs.microsoft.com/learn/github/?wt.mc_id=techcom_header-webpage-github\",\"target\":\"BLANK\"},\r\n{\"linkType\":\"EXTERNAL\",\"id\":\"ms-learn-ext-teams\",\"url\":\"https://docs.microsoft.com/learn/teams/?\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968\r\nPage 17 of 
29\n\nwt.mc_id=techcom_header-webpage-teams\",\"target\":\"BLANK\"},{\"linkType\":\"EXTERNAL\",\"id\":\"ms-learn-ext-net\",\"url\":\"https://docs.microsoft.com/learn/dotnet/?wt.mc_id=techcom_header-webpage-dotnet\",\"target\":\"BLANK\"},\r\n{\"linkType\":\"EXTERNAL\",\"id\":\"ms-learn-ext-azure\",\"url\":\"https://docs.microsoft.com/learn/azure/?\r\nWT.mc_id=techcom_header-webpage-m365\",\"target\":\"BLANK\"}],\"linkType\":\"INTERNAL\",\"id\":\"Skills-Hub\",\"params\":\r\n{\"categoryId\":\"skills-hub\"},\"routeName\":\"CategoryPage\"},{\"children\":[{\"linkType\":\"INTERNAL\",\"id\":\"Common-community-info-center-link\",\"params\":{\"categoryId\":\"Community-Info-Center\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-usergroups-link\",\"params\":\r\n{\"categoryId\":\"usergroups\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-community-news-desk-link\",\"params\":{\"categoryId\":\"CommunityNewsDesk\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-microsoft-global-community-initiative-link\",\"params\":{\"categoryId\":\"microsoft-global-community-initiative\"},\"routeName\":\"CategoryPage\"}],\"linkType\":\"INTERNAL\",\"id\":\"Common-gxcuf89792-\r\ncommunity\",\"params\":\r\n{},\"routeName\":\"CommunityPage\"}]},\"showSearchIcon\":true,\"languagePickerStyle\":\"iconAndLabel\"},\"__typename\":\"QuiltComponent\"},\r\n{\"id\":\"community.widget.breadcrumbWidget\",\"props\":{\"backgroundColor\":\"transparent\",\"linkHighlightColor\":\"var(--lia-bs-primary)\",\"visualEffects\":{\"showBottomBorder\":true},\"linkTextColor\":\"var(--lia-bs-gray-700)\"},\"__typename\":\"QuiltComponent\"},{\"id\":\"custom.widget.CommunityBanner\",\"props\":\r\n{\"widgetVisibility\":\"signedInOrAnonymous\",\"useTitle\":true,\"usePageWidth\":false,\"useBackground\":false,\"title\":\"\",\"lazyLoad\":false},\"__typename\":\"Qu\r\n{\"id\":\"custom.widget.ChatbotWidget\",\"props\":\r\n{\"customComponentId
\":\"custom.widget.ChatbotWidget\",\"cDisplay_form\":true,\"useBackground\":false},\"__typename\":\"QuiltComponent\"},\r\n{\"id\":\"custom.widget.HeroBanner\",\"props\":\r\n{\"widgetVisibility\":\"signedInOrAnonymous\",\"usePageWidth\":false,\"useTitle\":true,\"cMax_items\":3,\"useBackground\":false,\"title\":\"\",\"lazyLoad\":false,\"w\r\n{\"backgroundImageProps\":\r\n{\"assetName\":null,\"backgroundSize\":\"COVER\",\"backgroundRepeat\":\"NO_REPEAT\",\"backgroundPosition\":\"CENTER_CENTER\",\"lastModified\":null,\"\r\n[{\"id\":\"custom.widget.SocialSharing\",\"props\":\r\n{\"widgetVisibility\":\"signedInOrAnonymous\",\"useTitle\":true,\"useBackground\":false,\"title\":\"\",\"lazyLoad\":false},\"__typename\":\"QuiltComponent\"},\r\n{\"id\":\"custom.widget.MicrosoftFooter\",\"props\":\r\n{\"widgetVisibility\":\"signedInOrAnonymous\",\"useTitle\":true,\"useBackground\":false,\"title\":\"\",\"lazyLoad\":false},\"__typename\":\"QuiltComponent\"}],\"__ty\r\ncomponents/common/ActionFeedback-1775111751244\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/common/ActionFeedback-1775111751244\",\"value\":\r\n{\"joinedGroupHub.title\":\"Welcome\",\"joinedGroupHub.message\":\"You are now a member of this group and are subscribed\r\nto updates.\",\"groupHubInviteNotFound.title\":\"Invitation Not Found\",\"groupHubInviteNotFound.message\":\"Sorry, we could\r\nnot find your invitation to the group. The owner may have canceled the invite.\",\"groupHubNotFound.title\":\"Group Not\r\nFound\",\"groupHubNotFound.message\":\"The grouphub you tried to join does not exist. It may have been\r\ndeleted.\",\"existingGroupHubMember.title\":\"Already Joined\",\"existingGroupHubMember.message\":\"You are already a\r\nmember of this group.\",\"accountLocked.title\":\"Account Locked\",\"accountLocked.message\":\"Your account has been locked\r\ndue to multiple failed attempts. 
Try again in {lockoutTime} minutes.\",\"editedGroupHub.title\":\"Changes\r\nSaved\",\"editedGroupHub.message\":\"Your group has been\r\nupdated.\",\"leftGroupHub.title\":\"Goodbye\",\"leftGroupHub.message\":\"You are no longer a member of this group and will not\r\nreceive future updates.\",\"deletedGroupHub.title\":\"Deleted\",\"deletedGroupHub.message\":\"The group has been\r\ndeleted.\",\"groupHubCreated.title\":\"Group Created\",\"groupHubCreated.message\":\"{groupHubName} is ready to\r\nuse\",\"accountClosed.title\":\"Account Closed\",\"accountClosed.message\":\"The account has been closed and you will now be\r\nredirected to the homepage\",\"resetTokenExpired.title\":\"Reset Password Link has\r\nExpired\",\"resetTokenExpired.message\":\"Try resetting your password again\",\"invalidUrl.title\":\"Invalid\r\nURL\",\"invalidUrl.message\":\"The URL you're using is not recognized. Verify your URL and try\r\nagain.\",\"accountClosedForUser.title\":\"Account Closed\",\"accountClosedForUser.message\":\"{userName}'s account is\r\nclosed\",\"inviteTokenInvalid.title\":\"Invitation Invalid\",\"inviteTokenInvalid.message\":\"Your invitation to the community has\r\nbeen canceled or expired.\",\"inviteTokenError.title\":\"Invitation Verification Failed\",\"inviteTokenError.message\":\"The url you\r\nare utilizing is not recognized. 
Verify your URL and try again\",\"pageNotFound.title\":\"Access\r\nDenied\",\"pageNotFound.message\":\"You do not have access to this area of the community or it doesn't\r\nexist\",\"eventAttending.title\":\"Responded as Attending\",\"eventAttending.message\":\"You'll be notified when there's new\r\nactivity and reminded as the event approaches\",\"eventInterested.title\":\"Responded as\r\nInterested\",\"eventInterested.message\":\"You'll be notified when there's new activity and reminded as the event\r\napproaches\",\"eventNotFound.title\":\"Event Not Found\",\"eventNotFound.message\":\"The event you tried to respond to does\r\nnot exist.\",\"redirectToRelatedPage.title\":\"Showing Related Content\",\"redirectToRelatedPageForBaseUsers.title\":\"Showing\r\nRelated Content\",\"redirectToRelatedPageForBaseUsers.message\":\"The content you are trying to access is\r\narchived\",\"redirectToRelatedPage.message\":\"The content you are trying to access is\r\narchived\",\"relatedUrl.archivalLink.flyoutMessage\":\"The content you are trying to access is archived View Archived\r\nContent\"},\"localOverride\":false},\"CachedAsset:component:custom.widget.CommunityBanner-en-us-1775108434074\":\r\n{\"__typename\":\"CachedAsset\",\"id\":\"component:custom.widget.CommunityBanner-en-us-1775108434074\",\"value\":\r\n{\"component\":{\"id\":\"custom.widget.CommunityBanner\",\"template\":\r\n{\"id\":\"CommunityBanner\",\"markupLanguage\":\"REACT\",\"style\":null,\"texts\":null,\"defaults\":{\"config\":{\"applicablePages\":\r\n[],\"description\":null,\"fetchedContent\":null,\"__typename\":\"ComponentConfiguration\"},\"props\":\r\n[],\"__typename\":\"ComponentProperties\"},\"components\":\r\n[{\"id\":\"custom.widget.CommunityBanner\",\"form\":null,\"config\":null,\"props\":\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968\r\nPage 18 of 
29\n\n[],\"__typename\":\"Component\"}],\"grouping\":\"CUSTOM\",\"__typename\":\"ComponentTemplate\"},\"properties\":{\"config\":\r\n{\"applicablePages\":[],\"description\":null,\"fetchedContent\":null,\"__typename\":\"ComponentConfiguration\"},\"props\":\r\n[],\"__typename\":\"ComponentProperties\"},\"form\":null,\"__typename\":\"Component\",\"localOverride\":false},\"globalCss\":null,\"form\":null},\"localOverride\":\r\nen-us-1775108434074\":{\"__typename\":\"CachedAsset\",\"id\":\"component:custom.widget.ChatbotWidget-en-us-1775108434074\",\"value\":{\"component\":{\"id\":\"custom.widget.ChatbotWidget\",\"template\":\r\n{\"id\":\"ChatbotWidget\",\"markupLanguage\":\"REACT\",\"style\":null,\"texts\":{\"chatbot.references.title\":\"Related\r\nArticles\",\"chatbot.welcome.title\":\"Welcome!\",\"chatbot.welcome.description\":\"I'm here to help you explore and discover\r\ngreat content.\",\"chatbot.welcome.prompt\":\"Ask me a question or choose a suggestion below to get\r\nstarted:\",\"chatbot.welcome.cta\":\"Let's dive in—what would you like to discover today?\",\"chatbot.status.typing\":\"Assistant\r\nis typing…\",\"chatbot.status.error\":\"error\",\"chatbot.error.response\":\"Failed to get response. Please try\r\nagain.\",\"chatbot.error.processing\":\"There was an error processing your message.\",\"chatbot.error.configuration\":\"API URL\r\nnot configured\",\"chatbot.error.network\":\"Network error occurred. Please check your connection and try\r\nagain.\",\"chatbot.error.timeout\":\"Request timed out. Please try again.\",\"chatbot.error.emptyResponse\":\"I couldn't generate a\r\nresponse. 
Please try rephrasing your question.\",\"chatbot.buttons.send\":\"Send\",\"chatbot.buttons.close\":\"Close\r\nchat\",\"chatbot.buttons.newChat\":\"Start new chat\",\"chatbot.buttons.collapse\":\"Collapse chat\r\npanel\",\"chatbot.buttons.expand\":\"Expand chat panel\",\"chatbot.buttons.fullscreen\":\"Enter\r\nfullscreen\",\"chatbot.buttons.exitFullscreen\":\"Exit fullscreen\",\"chatbot.buttons.like\":\"Like this\r\nresponse\",\"chatbot.buttons.dislike\":\"Dislike this response\",\"chatbot.buttons.removeLike\":\"Remove\r\nlike\",\"chatbot.buttons.removeDislike\":\"Remove dislike\",\"chatbot.aria.chatInput\":\"Chat\r\ninput\",\"chatbot.aria.sendMessage\":\"Send message\",\"chatbot.aria.openChat\":\"Open chat\r\nassistant\",\"chatbot.aria.closeChat\":\"Close chat assistant\",\"chatbot.defaults.title\":\"Ask Tech\r\nCommunity\",\"chatbot.defaults.subtitle\":\"Ask questions – get answers\",\"chatbot.defaults.entryHeading\":\"Find\r\nanswers\",\"chatbot.defaults.entrySubtext\":\"Ask the agent\",\"chatbot.defaults.placeholder\":\"Type your\r\nmessage…\",\"chatbot.defaults.initialMessage\":\"Hi! I'm your assistant. Ask me something or pick a suggestion above to\r\nbegin.\",\"chatbot.suggestions.findBlogs\":\"Find insightful blogs\",\"chatbot.suggestions.exploreEvents\":\"Explore upcoming\r\nevents\",\"chatbot.suggestions.startJourney\":\"Start your journey with something new\",\"chatbot.dialog.endConversation\":\"End\r\nconversation\",\"chatbot.dialog.confirmEndConversation\":\"Do you want to end this conversation and start\r\nover?\",\"chatbot.dialog.endConversationButton\":\"End\r\nconversation\",\"chatbot.dialog.cancel\":\"Cancel\",\"chatbot.error.genericServiceUnavailable\":\"The service is currently\r\nunavailable. Please try again later.\",\"chatbot.error.noResults\":\"We could not find any information related to your query. 
Try\r\nrephrasing your query.\"},\"defaults\":{\"config\":{\"applicablePages\":\r\n[],\"description\":null,\"fetchedContent\":null,\"__typename\":\"ComponentConfiguration\"},\"props\":\r\n[],\"__typename\":\"ComponentProperties\"},\"components\":\r\n[{\"id\":\"custom.widget.ChatbotWidget\",\"form\":null,\"config\":null,\"props\":\r\n[],\"__typename\":\"Component\"}],\"grouping\":\"CUSTOM\",\"__typename\":\"ComponentTemplate\"},\"properties\":{\"config\":\r\n{\"applicablePages\":[],\"description\":null,\"fetchedContent\":null,\"__typename\":\"ComponentConfiguration\"},\"props\":\r\n[],\"__typename\":\"ComponentProperties\"},\"form\":null,\"__typename\":\"Component\",\"localOverride\":false},\"globalCss\":null,\"form\":null},\"localOverride\":\r\nen-us-1775108434074\":{\"__typename\":\"CachedAsset\",\"id\":\"component:custom.widget.HeroBanner-en-us-1775108434074\",\"value\":{\"component\":{\"id\":\"custom.widget.HeroBanner\",\"template\":\r\n{\"id\":\"HeroBanner\",\"markupLanguage\":\"REACT\",\"style\":null,\"texts\":{\"searchPlaceholderText\":\"Search this\r\ncommunity\",\"followActionText\":\"Follow\",\"unfollowActionText\":\"Following\",\"searchOnHoverText\":\"Please enter your\r\nsearch term(s) and then press return key to complete a search.\",\"blogs.sidebar.pagetitle\":\"Latest Blogs | Microsoft Tech\r\nCommunity\",\"followThisNode\":\"Follow this node\",\"unfollowThisNode\":\"Unfollow this\r\nnode\",\"customField.teamsLink.title\":\"Microsoft teams link\",\"customField.teamsLink.label\":\"Teams meeting\r\nurl\"},\"defaults\":{\"config\":{\"applicablePages\":\r\n[],\"description\":null,\"fetchedContent\":null,\"__typename\":\"ComponentConfiguration\"},\"props\":\r\n[{\"id\":\"max_items\",\"dataType\":\"NUMBER\",\"list\":false,\"defaultValue\":\"3\",\"label\":\"Max Items\",\"description\":\"The\r\nmaximum number of items to display in 
the\r\ncarousel\",\"possibleValues\":null,\"control\":\"INPUT\",\"__typename\":\"PropDefinition\"}],\"__typename\":\"ComponentProperties\"},\"components\":\r\n[{\"id\":\"custom.widget.HeroBanner\",\"form\":{\"fields\":\r\n[{\"id\":\"widgetChooser\",\"validation\":null,\"noValidation\":null,\"dataType\":\"STRING\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\r\n{\"id\":\"title\",\"validation\":null,\"noValidation\":null,\"dataType\":\"STRING\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\":null,\"possi\r\n{\"id\":\"useTitle\",\"validation\":null,\"noValidation\":null,\"dataType\":\"BOOLEAN\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\":nul\r\n{\"id\":\"useBackground\",\"validation\":null,\"noValidation\":null,\"dataType\":\"BOOLEAN\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"descripti\r\n{\"id\":\"widgetVisibility\",\"validation\":null,\"noValidation\":null,\"dataType\":\"STRING\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\r\n{\"id\":\"moreOptions\",\"validation\":null,\"noValidation\":null,\"dataType\":\"STRING\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\":n\r\n{\"id\":\"cMax_items\",\"validation\":null,\"noValidation\":null,\"dataType\":\"NUMBER\",\"list\":false,\"control\":\"INPUT\",\"defaultValue\":\"3\",\"label\":\"Max\r\nItems\",\"description\":\"The maximum number of items to display in 
the\r\ncarousel\",\"possibleValues\":null,\"__typename\":\"FormField\"}],\"layout\":{\"rows\":\r\n[{\"id\":\"widgetChooserGroup\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"widgetChooser\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\":\r\n{\"id\":\"titleGroup\",\"type\":\"fieldset\",\"as\":null,\"items\":[{\"id\":\"title\",\"className\":null,\"__typename\":\"FormFieldRef\"},\r\n{\"id\":\"useTitle\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\":null,\"to\r\n{\"id\":\"useBackground\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968\r\nPage 19 of 29\n\n[{\"id\":\"useBackground\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\"\r\n{\"id\":\"widgetVisibility\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"widgetVisibility\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\"\r\n{\"id\":\"moreOptionsGroup\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"moreOptions\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\":nu\r\n{\"id\":\"componentPropsGroup\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"cMax_items\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\":nu\r\n[],\"__typename\":\"Component\"}],\"grouping\":\"CUSTOM\",\"__typename\":\"ComponentTemplate\"},\"properties\":{\"config\":\r\n{\"applicablePages\":[],\"description\":null,\"fetchedContent\":null,\"__typename\":
\"ComponentConfiguration\"},\"props\":\r\n[{\"id\":\"max_items\",\"dataType\":\"NUMBER\",\"list\":false,\"defaultValue\":\"3\",\"label\":\"Max Items\",\"description\":\"The\r\nmaximum number of items to display in the\r\ncarousel\",\"possibleValues\":null,\"control\":\"INPUT\",\"__typename\":\"PropDefinition\"}],\"__typename\":\"ComponentProperties\"},\"form\":\r\n{\"fields\":\r\n[{\"id\":\"widgetChooser\",\"validation\":null,\"noValidation\":null,\"dataType\":\"STRING\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\r\n{\"id\":\"title\",\"validation\":null,\"noValidation\":null,\"dataType\":\"STRING\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\":null,\"possi\r\n{\"id\":\"useTitle\",\"validation\":null,\"noValidation\":null,\"dataType\":\"BOOLEAN\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\":nul\r\n{\"id\":\"useBackground\",\"validation\":null,\"noValidation\":null,\"dataType\":\"BOOLEAN\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"descripti\r\n{\"id\":\"widgetVisibility\",\"validation\":null,\"noValidation\":null,\"dataType\":\"STRING\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\r\n{\"id\":\"moreOptions\",\"validation\":null,\"noValidation\":null,\"dataType\":\"STRING\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\":n\r\n{\"id\":\"cMax_items\",\"validation\":null,\"noValidation\":null,\"dataType\":\"NUMBER\",\"list\":false,\"control\":\"INPUT\",\"defaultValue\":\"3\",\"label\":\"Max\r\nItems\",\"description\":\"The maximum number of items to display in 
the\r\ncarousel\",\"possibleValues\":null,\"__typename\":\"FormField\"}],\"layout\":{\"rows\":\r\n[{\"id\":\"widgetChooserGroup\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"widgetChooser\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\":\r\n{\"id\":\"titleGroup\",\"type\":\"fieldset\",\"as\":null,\"items\":[{\"id\":\"title\",\"className\":null,\"__typename\":\"FormFieldRef\"},\r\n{\"id\":\"useTitle\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\":null,\"to\r\n{\"id\":\"useBackground\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"useBackground\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\"\r\n{\"id\":\"widgetVisibility\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"widgetVisibility\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\"\r\n{\"id\":\"moreOptionsGroup\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"moreOptions\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\":nu\r\n{\"id\":\"componentPropsGroup\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"cMax_items\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\":nu\r\n{\"fields\":\r\n[{\"id\":\"widgetChooser\",\"validation\":null,\"noValidation\":null,\"dataType\":\"STRING\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\r\n{\"id\":\"title\",\"validation\":null,\"noValidation\":null,\"dataType\":\"STRING\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":nu
ll,\"description\":null,\"possi\r\n{\"id\":\"useTitle\",\"validation\":null,\"noValidation\":null,\"dataType\":\"BOOLEAN\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\":nul\r\n{\"id\":\"useBackground\",\"validation\":null,\"noValidation\":null,\"dataType\":\"BOOLEAN\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"descripti\r\n{\"id\":\"widgetVisibility\",\"validation\":null,\"noValidation\":null,\"dataType\":\"STRING\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\r\n{\"id\":\"moreOptions\",\"validation\":null,\"noValidation\":null,\"dataType\":\"STRING\",\"list\":null,\"control\":null,\"defaultValue\":null,\"label\":null,\"description\":n\r\n{\"id\":\"cMax_items\",\"validation\":null,\"noValidation\":null,\"dataType\":\"NUMBER\",\"list\":false,\"control\":\"INPUT\",\"defaultValue\":\"3\",\"label\":\"Max\r\nItems\",\"description\":\"The maximum number of items to display in the\r\ncarousel\",\"possibleValues\":null,\"__typename\":\"FormField\"}],\"layout\":{\"rows\":\r\n[{\"id\":\"widgetChooserGroup\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"widgetChooser\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\":\r\n{\"id\":\"titleGroup\",\"type\":\"fieldset\",\"as\":null,\"items\":[{\"id\":\"title\",\"className\":null,\"__typename\":\"FormFieldRef\"},\r\n{\"id\":\"useTitle\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\":null,\"to\r\n{\"id\":\"useBackground\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"useBackground\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\"\r\n{\"id\":\"widgetVisibility\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"widgetVisibility\"
,\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\"\r\n{\"id\":\"moreOptionsGroup\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"moreOptions\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\":nu\r\n{\"id\":\"componentPropsGroup\",\"type\":\"fieldset\",\"as\":null,\"items\":\r\n[{\"id\":\"cMax_items\",\"className\":null,\"__typename\":\"FormFieldRef\"}],\"props\":null,\"legend\":null,\"description\":null,\"className\":null,\"viewVariant\":nu\r\nen-us-1775108434074\":{\"__typename\":\"CachedAsset\",\"id\":\"component:custom.widget.UnregisteredCTAWidget-en-us-1775108434074\",\"value\":{\"component\":{\"id\":\"custom.widget.UnregisteredCTAWidget\",\"template\":\r\n{\"id\":\"UnregisteredCTAWidget\",\"markupLanguage\":\"REACT\",\"style\":null,\"texts\":{\"register.communityHub\":\"Welcome to\r\nthe {name} Community Hub. Sign in to like, participate, or start a conversation.\",\"register.category\":\"Welcome to the\r\n{name} Community Hub. Sign in to like, participate, or start a conversation.\",\"register.discussionBoard\":\"Welcome to the\r\n{name} space. Sign in to like, reply, or start a discussion.\",\"register.blogSpace\":\"Welcome to the {name} space. Sign in to\r\nlike or comment on articles in this space.\",\"register.eventSpace\":\"Welcome to the {name} space. Sign in to RSVP, add\r\nevents to your calendar, and join the conversation.\",\"register.ideaSpace\":\"Welcome to the {name} space. Sign in to vote,\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968\r\nPage 20 of 29\n\ncomment, or submit your own feedback.\",\"buttonRegister\":\"Sign in\",\"register.discussionBoardArticle\":\"Have a question or\r\ninsight to share? Sign in to join the discussion.\",\"register.blogSpaceArticle\":\"Enjoying the article? 
Sign in to share your\r\nthoughts.\",\"register.eventSpaceArticle\":\"Don’t just watch - take part. Sign in to RSVP, ask questions, and join the\r\ndiscussion.\",\"register.ideaSpaceArticle\":\"Sign in to submit ideas, upvote ideas, and join the conversation.\"},\"defaults\":\r\n{\"config\":{\"applicablePages\":\r\n[],\"description\":null,\"fetchedContent\":null,\"__typename\":\"ComponentConfiguration\"},\"props\":\r\n[],\"__typename\":\"ComponentProperties\"},\"components\":\r\n[{\"id\":\"custom.widget.UnregisteredCTAWidget\",\"form\":null,\"config\":null,\"props\":\r\n[],\"__typename\":\"Component\"}],\"grouping\":\"CUSTOM\",\"__typename\":\"ComponentTemplate\"},\"properties\":{\"config\":\r\n{\"applicablePages\":[],\"description\":null,\"fetchedContent\":null,\"__typename\":\"ComponentConfiguration\"},\"props\":\r\n[],\"__typename\":\"ComponentProperties\"},\"form\":null,\"__typename\":\"Component\",\"localOverride\":false},\"globalCss\":null,\"form\":null},\"localOverride\":\r\nen-us-1775108434074\":{\"__typename\":\"CachedAsset\",\"id\":\"component:custom.widget.SocialSharing-en-us-1775108434074\",\"value\":{\"component\":{\"id\":\"custom.widget.SocialSharing\",\"template\":\r\n{\"id\":\"SocialSharing\",\"markupLanguage\":\"HANDLEBARS\",\"style\":\".sharePage {\\n display: flex;\\n justify-content:\r\ncenter;\\n background: #d7d7d7;\\n padding: 0px;\\n height: 60px;\\n}\\n.singleSocialIcons {\\n display: flex;\\n gap: 12px;\\n list-style-type: none;\\n padding: 0px;\\n margin: 0;\\n}\\n.containers {\\n display: flex;\\n gap: 30px;\\n}\\n\\n.listIcon {\\n align-content: center;\\n}\\n.headingShare {\\n display: inline;\\n margin-right: 25px;\\n margin-bottom: 0px;\\n font-size: 20px;\\n\r\nfont-weight: 550;\\n align-content: center;\\n}\\n\\n@media (max-width: 990px) {\\n .sharePage {\\n display: flex;\\n justify-content: center;\\n }\\n\\n .containers {\\n display: inline-block;\\n justify-content: center;\\n align-content: center;\\n 
align-items:\r\ncenter;\\n }\\n .headingShare {\\n display: flex;\\n justify-content: center;\\n }\\n .singleSocialIcons {\\n\r\n}\\n}\\n\",\"texts\":null,\"defaults\":{\"config\":{\"applicablePages\":[],\"description\":\"Adds buttons to share to various social media\r\nwebsites\",\"fetchedContent\":null,\"__typename\":\"ComponentConfiguration\"},\"props\":\r\n[],\"__typename\":\"ComponentProperties\"},\"components\":\r\n[{\"id\":\"custom.widget.SocialSharing\",\"form\":null,\"config\":null,\"props\":\r\n[],\"__typename\":\"Component\"}],\"grouping\":\"CUSTOM\",\"__typename\":\"ComponentTemplate\"},\"properties\":{\"config\":\r\n{\"applicablePages\":[],\"description\":\"Adds buttons to share to various social media\r\nwebsites\",\"fetchedContent\":null,\"__typename\":\"ComponentConfiguration\"},\"props\":\r\n[],\"__typename\":\"ComponentProperties\"},\"form\":null,\"__typename\":\"Component\",\"localOverride\":false},\"globalCss\":\r\n{\"css\":\".custom_widget_SocialSharing_sharePage_6x3n8_1 {\\n display: flex;\\n justify-content: center;\\n background:\r\n#d7d7d7;\\n padding: 0;\\n height: 3.75rem;\\n}\\n.custom_widget_SocialSharing_singleSocialIcons_6x3n8_8 {\\n display:\r\nflex;\\n gap: 0.75rem;\\n list-style-type: none;\\n padding: 0;\\n margin:\r\n0;\\n}\\n.custom_widget_SocialSharing_containers_6x3n8_15 {\\n display: flex;\\n gap:\r\n1.875rem;\\n}\\n.custom_widget_SocialSharing_listIcon_6x3n8_20 {\\n align-content:\r\ncenter;\\n}\\n.custom_widget_SocialSharing_headingShare_6x3n8_23 {\\n display: inline;\\n margin-right: 1.5625rem;\\n\r\nmargin-bottom: 0;\\n font-size: 1.25rem;\\n font-weight: 550;\\n align-content: center;\\n}\\n@media (max-width: 990px) {\\n\r\n.custom_widget_SocialSharing_sharePage_6x3n8_1 {\\n display: flex;\\n justify-content: center;\\n }\\n\\n\r\n.custom_widget_SocialSharing_containers_6x3n8_15 {\\n display: inline-block;\\n justify-content: center;\\n align-content:\r\ncenter;\\n align-items: center;\\n }\\n 
.custom_widget_SocialSharing_headingShare_6x3n8_23 {\\n display: flex;\\n justify-content: center;\\n }\\n .custom_widget_SocialSharing_singleSocialIcons_6x3n8_8 {\\n }\\n}\\n\",\"tokens\":\r\n{\"sharePage\":\"custom_widget_SocialSharing_sharePage_6x3n8_1\",\"singleSocialIcons\":\"custom_widget_SocialSharing_singleSocialIcons_6x3n8_8\",\"co\r\nen-us-1775108434074\":{\"__typename\":\"CachedAsset\",\"id\":\"component:custom.widget.MicrosoftFooter-en-us-1775108434074\",\"value\":{\"component\":{\"id\":\"custom.widget.MicrosoftFooter\",\"template\":\r\n{\"id\":\"MicrosoftFooter\",\"markupLanguage\":\"HANDLEBARS\",\"style\":\".context-uhf {\\r\\n min-width: 280px;\\r\\n font-size:\r\n15px;\\r\\n box-sizing: border-box;\\r\\n -ms-text-size-adjust: 100%;\\r\\n -webkit-text-size-adjust: 100%;\\r\\n \u0026 *,\\r\\n \u0026\r\n*:before,\\r\\n \u0026 *:after {\\r\\n box-sizing: inherit;\\r\\n }\\r\\n a.c-uhff-link {\\r\\n color: #616161;\\r\\n word-break: break-word;\\r\\n\r\ntext-decoration: none;\\r\\n }\\r\\n \u0026a:link,\\r\\n \u0026a:focus,\\r\\n \u0026a:hover,\\r\\n \u0026a:active,\\r\\n \u0026a:visited {\\r\\n text-decoration:\r\nnone;\\r\\n color: inherit;\\r\\n }\\r\\n \u0026 div {\\r\\n font-family: 'Segoe UI', SegoeUI, 'Helvetica Neue', Helvetica, Arial, sans-serif;\\r\\n }\\r\\n}\\r\\n.c-uhff {\\r\\n background: #f2f2f2;\\r\\n margin: -1.5625;\\r\\n width: auto;\\r\\n height: auto;\\r\\n}\\r\\n.c-uhff-nav {\\r\\n margin: 0 auto;\\r\\n max-width: calc(1600px + 10%);\\r\\n padding: 0 5%;\\r\\n box-sizing: inherit;\\r\\n \u0026:before,\\r\\n\r\n\u0026:after {\\r\\n content: ' ';\\r\\n display: table;\\r\\n clear: left;\\r\\n }\\r\\n @media only screen and (max-width: 1083px) {\\r\\n\r\npadding-left: 12px;\\r\\n }\\r\\n .c-heading-4 {\\r\\n color: #616161;\\r\\n word-break: break-word;\\r\\n font-size: 15px;\\r\\n line-height: 20px;\\r\\n padding: 36px 0 4px;\\r\\n font-weight: 600;\\r\\n }\\r\\n .c-uhff-nav-row {\\r\\n .c-uhff-nav-group {\\r\\n 
Groups\",\"Common-public-sector-link\":\"Public\r\nSector\",\"Common_Enntvz-microsoft-security-link\":\"Microsoft Security\",\"Common_Enntvz-outlook-link\":\"Outlook\",\"Common_Enntvz-mvp-link\":\"Microsoft MVP Program\",\"exchange\":\"Exchange\",\"topics-link\":\"Topics\",\"io-t\":\"Internet of Things (IoT)\",\"Common-microsoft365-copilot-link\":\"Microsoft 365 Copilot\",\"Common-microsoft-teams-link\":\"Microsoft Teams\",\"s-m-b\":\"Nonprofit Community\",\"Common_Enntvz-community-info-center-link\":\"Lounge\",\"Common_Enntvz-microsoft365-copilot-link\":\"Microsoft 365 Copilot\",\"Common_Enntvz-microsoftfor-nonprofits-link\":\"Nonprofit Community\",\"Common_Enntvz-microsoft365-link\":\"Microsoft 365\",\"Common-content_management-link\":\"Content Management\",\"ms-learn-ext-teams\":\"Teams\",\"s-q-l-server\":\"Content\r\nManagement\",\"products-services\":\"Products\",\"Common-community-news-desk-link\":\"Community News Desk\",\"ms-learn-ext-LD\":\"Skilling Room Directory\",\"Common-exchange-link\":\"Exchange\",\"Common-gxcuf89792-link\":\"Tech\r\nCommunity\",\"windows\":\"Windows\",\"public-sector\":\"Public Sector\",\"Common_Enntvz-driving-adoption-link\":\"Driving\r\nAdoption\",\"Common-microsoftfor-nonprofits-link\":\"Nonprofit Community\",\"ms-learn-ext-net\":\".NET\",\"ms-learn-ext-dynamics\":\"Dynamics 365\",\"a-i\":\"AI and Machine Learning\",\"outlook\":\"Microsoft 365\r\nCopilot\"},\"localOverride\":false},\"CachedAsset:text:en_US-components/community/NavbarHamburgerDropdown-1775111751244\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/community/NavbarHamburgerDropdown-1775111751244\",\"value\":{\"hamburgerLabelOpen\":\"Open Side Menu\",\"hamburgerLabelClose\":\"Close 
Side\r\nMenu\"},\"localOverride\":false},\"CachedAsset:text:en_US-components/community/BrandLogo-1775111751244\":\r\n{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/community/BrandLogo-1775111751244\",\"value\":\r\n{\"logoAlt\":\"Khoros\",\"themeLogoAlt\":\"Brand Logo\",\"linkAriaLabel\":\"Go to community home\r\npage\"},\"localOverride\":false},\"CachedAsset:text:en_US-components/community/NavbarTextLinks-1775111751244\":\r\n{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/community/NavbarTextLinks-1775111751244\",\"value\":\r\n{\"more\":\"More\"},\"localOverride\":false},\"CachedAsset:text:en_US-components/search/SpotlightSearchIcon-1775111751244\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/search/SpotlightSearchIcon-1775111751244\",\"value\":{\"search\":\"Search\"},\"localOverride\":false},\"CachedAsset:text:en_US-components/authentication/AuthenticationLink-1775111751244\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/authentication/AuthenticationLink-1775111751244\",\"value\":{\"title.login\":\"Sign\r\nIn\",\"title.registration\":\"Register\",\"title.forgotPassword\":\"Forgot Password\",\"title.multiAuthLogin\":\"Sign\r\nIn\"},\"localOverride\":false},\"CachedAsset:text:en_US-components/nodes/NodeLink-1775111751244\":\r\n{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/nodes/NodeLink-1775111751244\",\"value\":{\"place\":\"Go back\r\nto {name}\"},\"localOverride\":false},\"CachedAsset:text:en_US-components/messages/MessageView/MessageViewStandard-1775111751244\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/messages/MessageView/MessageViewStandard-1775111751244\",\"value\":\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968\r\nPage 27 of 29\n\n{\"anonymous\":\"Anonymous\",\"author\":\"{messageAuthorLogin}\",\"authorBy\":\"{messageAuthorLogin}\",\"board\":\"\r\n{messageBoardTitle}\",\"replyToUser\":\" to 
{parentAuthor}\",\"showMoreReplies\":\"Show\r\nMore\",\"replyText\":\"Reply\",\"repliesText\":\"Replies\",\"markedAsSolved\":\"Marked as Solution\",\"messageStatus\":\"Status:\r\n\",\"statusChanged\":\"Status changed: {previousStatus} to {currentStatus}\",\"statusAdded\":\"Status added:\r\n{status}\",\"statusRemoved\":\"Status removed: {status}\",\"labelExpand\":\"expand replies\",\"labelCollapse\":\"collapse\r\nreplies\",\"unhelpfulReason.reason1\":\"Content is outdated\",\"unhelpfulReason.reason2\":\"Article is missing\r\ninformation\",\"unhelpfulReason.reason3\":\"Content is for a different Product\",\"unhelpfulReason.reason4\":\"Doesn't match\r\nwhat I was searching for\"},\"localOverride\":false},\"CachedAsset:text:en_US-components/messages/MessageReplyCallToAction-1775111751244\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/messages/MessageReplyCallToAction-1775111751244\",\"value\":{\"leaveReply\":\"Leave a\r\nreply...\",\"leaveReply@board:BLOG@message:root\":\"Leave a\r\ncomment...\",\"leaveReply@board:TKB@message:root\":\"Leave a\r\ncomment...\",\"leaveReply@board:IDEA@message:root\":\"Leave a\r\ncomment...\",\"leaveReply@board:OCCASION@message:root\":\"Leave a comment...\",\"repliesTurnedOff.FORUM\":\"Replies\r\nare turned off for this topic\",\"repliesTurnedOff.BLOG\":\"Comments are turned off for this\r\ntopic\",\"repliesTurnedOff.TKB\":\"Comments are turned off for this topic\",\"repliesTurnedOff.IDEA\":\"Comments are turned\r\noff for this topic\",\"repliesTurnedOff.OCCASION\":\"Comments are turned off for this topic\",\"infoText\":\"Stop poking\r\nme!\"},\"localOverride\":false},\"CachedAsset:text:en_US-components/community/NavbarDropdownToggle-1775111751244\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/community/NavbarDropdownToggle-1775111751244\",\"value\":{\"ariaLabelClosed\":\"Press the down arrow to open 
the\r\nmenu\"},\"localOverride\":false},\"CachedAsset:text:en_US-components/messages/MessageCoverImage-1775111751244\":\r\n{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/messages/MessageCoverImage-1775111751244\",\"value\":\r\n{\"coverImageTitle\":\"Cover Image\"},\"localOverride\":false},\"CachedAsset:text:en_US-shared/client/components/nodes/NodeTitle-1775111751244\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-shared/client/components/nodes/NodeTitle-1775111751244\",\"value\":{\"nodeTitle\":\"{nodeTitle, select, community\r\n{Community} other {{nodeTitle}}} \"},\"localOverride\":false},\"CachedAsset:text:en_US-components/messages/MessageTimeToRead-1775111751244\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/messages/MessageTimeToRead-1775111751244\",\"value\":{\"minReadText\":\"{min} MIN\r\nREAD\"},\"localOverride\":false},\"CachedAsset:text:en_US-components/messages/MessageSubject-1775111751244\":\r\n{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/messages/MessageSubject-1775111751244\",\"value\":\r\n{\"noSubject\":\"(no subject)\"},\"localOverride\":false},\"CachedAsset:text:en_US-components/users/UserLink-1775111751244\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/users/UserLink-1775111751244\",\"value\":\r\n{\"authorName\":\"View Profile: {author}\",\"anonymous\":\"Anonymous\",\"ariaLabel.rank\":\"Rank:\r\n{rankName}\"},\"localOverride\":false},\"CachedAsset:text:en_US-shared/client/components/users/UserRank-1775111751244\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-shared/client/components/users/UserRank-1775111751244\",\"value\":{\"rankName\":\"{rankName}\",\"userRank\":\"Author rank\r\n{rankName}\"},\"localOverride\":false},\"CachedAsset:text:en_US-components/messages/MessageTime-1775111751244\":\r\n{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/messages/MessageTime-1775111751244\",\"value\":\r\n{\"postTime\":\"Published: {time}\",\"lastPublishTime\":\"Last 
Update: {time}\",\"conversation.lastPostingActivityTime\":\"Last\r\nposting activity time: {time}\",\"conversation.lastPostTime\":\"Last post time: {time}\",\"moderationData.rejectTime\":\"Rejected\r\ntime: {time}\"},\"localOverride\":false},\"CachedAsset:text:en_US-components/messages/MessageBody-1775111751244\":\r\n{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/messages/MessageBody-1775111751244\",\"value\":\r\n{\"showMessageBody\":\"Show More\",\"mentionsErrorTitle\":\"{mentionsType, select, board {Board} user {User} message\r\n{Message} other {}} No Longer Available\",\"mentionsErrorMessage\":\"The {mentionsType} you are trying to view has been\r\nremoved from the community.\",\"videoProcessing\":\"Video is being processed. Please try again in a few\r\nminutes.\",\"bannerTitle\":\"Video provider requires cookies to play the video. Accept to continue or {url} it directly on the\r\nprovider's site.\",\"buttonTitle\":\"Accept\",\"urlText\":\"watch\"},\"localOverride\":false},\"CachedAsset:text:en_US-components/messages/MessageCustomFields-1775111751244\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/messages/MessageCustomFields-1775111751244\",\"value\":{\"CustomField.default.label\":\"Value of\r\n{name}\"},\"localOverride\":false},\"CachedAsset:text:en_US-components/messages/MessageRevision-1775111751244\":\r\n{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/messages/MessageRevision-1775111751244\",\"value\":\r\n{\"lastUpdatedDatePublished\":\"{publishCount, plural, one{Published} other{Updated}}\r\n{date}\",\"lastUpdatedDateDraft\":\"Created {date}\",\"version\":\"Version {major}.\r\n{minor}\"},\"localOverride\":false},\"CachedAsset:text:en_US-shared/client/components/common/QueryHandler-1775111751244\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-shared/client/components/common/QueryHandler-1775111751244\",\"value\":{\"title\":\"Query 
Handler\"},\"localOverride\":false},\"CachedAsset:text:en_US-components/tags/TagList-1775111751244\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/tags/TagList-1775111751244\",\"value\":{\"showMoreFor\":\"Show more for {title}\"},\"localOverride\":false},\"CachedAsset:text:en_US-components/messages/MessageReplyButton-1775111751244\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/messages/MessageReplyButton-1775111751244\",\"value\":{\"repliesCount\":\"\r\n{count}\",\"title\":\"Reply\",\"title@board:BLOG@message:root\":\"Comment\",\"title@board:TKB@message:root\":\"Comment\",\"title@board:IDEA@message:\r\ncomponents/messages/MessageAuthorBio-1775111751244\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/messages/MessageAuthorBio-1775111751244\",\"value\":{\"sendMessage\":\"Send\r\nMessage\",\"actionMessage\":\"Follow this blog board to get notified when there's new activity\",\"coAuthor\":\"CO-https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968\r\nPage 28 of 29\n\nPUBLISHER\",\"contributor\":\"CONTRIBUTOR\",\"userProfile\":\"View Profile\",\"iconlink\":\"Go to {name}\r\n{type}\"},\"localOverride\":false},\"CachedAsset:text:en_US-shared/client/components/users/UserAvatar-1775111751244\":\r\n{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-shared/client/components/users/UserAvatar-1775111751244\",\"value\":\r\n{\"altText\":\"{login}'s avatar\",\"altTextGeneric\":\"User's avatar\"},\"localOverride\":false},\"CachedAsset:text:en_US-shared/client/components/ranks/UserRankLabel-1775111751244\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-shared/client/components/ranks/UserRankLabel-1775111751244\",\"value\":{\"altTitle\":\"Icon for 
{rankName}\r\nrank\"},\"localOverride\":false},\"CachedAsset:text:en_US-components/users/UserRegistrationDate-1775111751244\":\r\n{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/users/UserRegistrationDate-1775111751244\",\"value\":\r\n{\"noPrefix\":\"{date}\",\"withPrefix\":\"Joined {date}\"},\"localOverride\":false},\"CachedAsset:text:en_US-shared/client/components/nodes/NodeAvatar-1775111751244\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-shared/client/components/nodes/NodeAvatar-1775111751244\",\"value\":{\"altTitle\":\"Node avatar for\r\n{nodeTitle}\"},\"localOverride\":false},\"CachedAsset:text:en_US-shared/client/components/nodes/NodeDescription-1775111751244\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-shared/client/components/nodes/NodeDescription-1775111751244\",\"value\":{\"description\":\"{description}\"},\"localOverride\":false},\"CachedAsset:text:en_US-shared/client/components/nodes/NodeIcon-1775111751244\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-shared/client/components/nodes/NodeIcon-1775111751244\",\"value\":{\"contentType\":\"Content Type {style, select, FORUM\r\n{Forum} BLOG {Blog} TKB {Knowledge Base} IDEA {Ideas} OCCASION {Events} other 
\r\nSource: https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968"
	],
	"report_names": [
		"2234968"
	],
	"threat_actors": [
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434198,
	"ts_updated_at": 1775792148,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0343390059f5585b944142bdffadbd70dece631c.pdf",
		"text": "https://archive.orkl.eu/0343390059f5585b944142bdffadbd70dece631c.txt",
		"img": "https://archive.orkl.eu/0343390059f5585b944142bdffadbd70dece631c.jpg"
	}
}