Web Shell Threat Hunting with Azure Sentinel By TomMcElroy Published: 2021-03-25 · Archived: 2026-04-05 22:35:08 UTC "}},"componentScriptGroups({\"componentId\":\"custom.widget.SocialSharing\"})": {"__typename":"ComponentScriptGroups","scriptGroups": {"__typename":"ComponentScriptGroupsDefinition","afterInteractive": {"__typename":"PageScriptGroupDefinition","group":"AFTER_INTERACTIVE","scriptIds":[]},"lazyOnLoad": {"__typename":"PageScriptGroupDefinition","group":"LAZY_ON_LOAD","scriptIds":[]}},"componentScripts": []},"component({\"componentId\":\"custom.widget.MicrosoftFooter\"})": {"__typename":"Component","render({\"context\":{\"component\":{\"entities\":[],\"props\":{}},\"page\":{\"entities\": [\"message:2234968\"],\"name\":\"BlogMessagePage\",\"props\": {},\"url\":\"https://techcommunity.microsoft.com/blog/microsoftsentinelblog/web-shell-threat-hunting-with-azure-sentinel/2234968\"}}})":{"__typename":"ComponentRenderResult","html":" "}},"componentScriptGroups({\"componentId\":\"custom.widget.MicrosoftFooter\"})": {"__typename":"ComponentScriptGroups","scriptGroups": {"__typename":"ComponentScriptGroupsDefinition","afterInteractive": {"__typename":"PageScriptGroupDefinition","group":"AFTER_INTERACTIVE","scriptIds":[]},"lazyOnLoad": {"__typename":"PageScriptGroupDefinition","group":"LAZY_ON_LOAD","scriptIds":[]}},"componentScripts": []},"cachedText({\"lastModified\":\"1775111751244\",\"locale\":\"en-US\",\"namespaces\": [\"components/community/NavbarDropdownToggle\"]})":[{"__ref":"CachedAsset:text:en_US-components/community/NavbarDropdownToggle-1775111751244"}],"cachedText({\"lastModified\":\"1775111751244\",\"locale\":\"en-US\",\"namespaces\": [\"components/messages/MessageCoverImage\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageCoverImage-1775111751244"}],"cachedText({\"lastModified\":\"1775111751244\",\"locale\":\"en-US\",\"namespaces\": [\"shared/client/components/nodes/NodeTitle\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeTitle-1775111751244"}],"cachedText({\"lastModified\":\"1775111751244\",\"locale\":\"en-US\",\"namespaces\": [\"components/messages/MessageTimeToRead\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageTimeToRead-1775111751244"}],"cachedText({\"lastModified\":\"1775111751244\",\"locale\":\"en-US\",\"namespaces\": [\"components/messages/MessageSubject\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageSubject-1775111751244"}],"cachedText({\"lastModified\":\"1775111751244\",\"locale\":\"en-US\",\"namespaces\": [\"components/users/UserLink\"]})":[{"__ref":"CachedAsset:text:en_US-components/users/UserLink-1775111751244"}],"cachedText({\"lastModified\":\"1775111751244\",\"locale\":\"en-US\",\"namespaces\": [\"shared/client/components/users/UserRank\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/users/UserRank-1775111751244"}],"cachedText({\"lastModified\":\"1775111751244\",\"locale\":\"en-US\",\"namespaces\": [\"components/messages/MessageTime\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageTime-1775111751244"}],"cachedText({\"lastModified\":\"1775111751244\",\"locale\":\"en-US\",\"namespaces\": [\"components/messages/MessageBody\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageBody-1775111751244"}],"cachedText({\"lastModified\":\"1775111751244\",\"locale\":\"en-US\",\"namespaces\": [\"components/messages/MessageCustomFields\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageCustomFields-1775111751244"}],"cachedText({\"lastModified\":\"1775111751244\",\"locale\":\"en-US\",\"namespaces\": [\"components/messages/MessageRevision\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageRevision-1775111751244"}],"cachedText({\"lastModified\":\"1775111751244\",\"locale\":\"en-US\",\"namespaces\": [\"shared/client/components/common/QueryHandler\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/common/QueryHandler-1775111751244"}],"cachedText({\"lastModified\":\"1775111751244\",\"locale\":\"en-US\",\"namespaces\": [\"components/tags/TagList\"]})":[{"__ref":"CachedAsset:text:en_US-components/tags/TagList-1775111751244"}],"cachedText({\"lastModified\":\"1775111751244\",\"locale\":\"en-US\",\"namespaces\": [\"components/messages/MessageReplyButton\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageReplyButton-1775111751244"}],"cachedText({\"lastModified\":\"1775111751244\",\"locale\":\"en-US\",\"namespaces\": [\"components/messages/MessageAuthorBio\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageAuthorBio-1775111751244"}],"cachedText({\"lastModified\":\"1775111751244\",\"locale\":\"en-US\",\"namespaces\": [\"shared/client/components/users/UserAvatar\"]})":[{"__ref":"CachedAsset:text:en_US-https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 1 of 29 shared/client/components/users/UserAvatar-1775111751244"}],"cachedText({\"lastModified\":\"1775111751244\",\"locale\":\"en-US\",\"namespaces\": [\"shared/client/components/ranks/UserRankLabel\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/ranks/UserRankLabel-1775111751244"}],"cachedText({\"lastModified\":\"1775111751244\",\"locale\":\"en-US\",\"namespaces\": [\"components/users/UserRegistrationDate\"]})":[{"__ref":"CachedAsset:text:en_US-components/users/UserRegistrationDate-1775111751244"}],"cachedText({\"lastModified\":\"1775111751244\",\"locale\":\"en-US\",\"namespaces\": [\"shared/client/components/nodes/NodeAvatar\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeAvatar-1775111751244"}],"cachedText({\"lastModified\":\"1775111751244\",\"locale\":\"en-US\",\"namespaces\": [\"shared/client/components/nodes/NodeDescription\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeDescription-1775111751244"}],"cachedText({\"lastModified\":\"1775111751244\",\"locale\":\"en-US\",\"namespaces\": [\"shared/client/components/nodes/NodeIcon\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeIcon-1775111751244"}]},"Theme:customTheme1": {"__typename":"Theme","id":"customTheme1"},"User:user:-1": {"__typename":"User","id":"user:-1","entityType":"USER","eventPath":"community:gxcuf89792/user:-1","uid":-1,"login":"Deleted","email":"","avatar": {"__typename":"RegistrationData","status":"ANONYMOUS","registrationTime":null,"confirmEmailStatus":false,"registrationAccessLevel":"VIEW","ss []},"ssoId":null,"profileSettings":{"__typename":"ProfileSettings","dateDisplayStyle": {"__typename":"InheritableStringSettingWithPossibleValues","key":"layout.friendly_dates_enabled","value":"false","localValue":"true","possibleValues" ["true","false"]},"dateDisplayFormat": {"__typename":"InheritableStringSetting","key":"layout.format_pattern_date","value":"MMM dd yyyy","localValue":"MM-dd-yyyy"},"language":{"__typename":"InheritableStringSettingWithPossibleValues","key":"profile.language","value":"en-US","localValue":null,"possibleValues":["en-US","es-ES"]},"repliesSortOrder": {"__typename":"InheritableStringSettingWithPossibleValues","key":"config.user_replies_sort_order","value":"DEFAULT","localValue":"DEFAULT","po ["DEFAULT","LIKES","PUBLISH_TIME","REVERSE_PUBLISH_TIME"]}},"deleted":false},"CachedAsset:pages-1775111737663":{"__typename":"CachedAsset","id":"pages-1775111737663","value": [{"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"BlogViewAllPostsPage","type":"BLOG","urlPath":"/category/:categoryId/blog/:boardId/all-posts/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"CasePortalPage","type":"CASE_PORTAL","urlPath":"/caseportal","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"CreateGroupHubPage","type":"GROUP_HUB","urlPath":"/groups/create","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"CaseViewPage","type":"CASE_DETAILS","urlPath":"/case/:caseId/:caseNumber","__typename":"PageDescriptor"},"__typename":"PageResource {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"InboxPage","type":"COMMUNITY","urlPath":"/inbox","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"HelpFAQPage","type":"COMMUNITY","urlPath":"/help","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"IdeaMessagePage","type":"IDEA_POST","urlPath":"/idea/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename" {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"IdeaViewAllIdeasPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId/all-ideas/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"LoginPage","type":"USER","urlPath":"/signin","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"WorkstreamsPage","type":"COMMUNITY","urlPath":"/workstreams","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"BlogPostPage","type":"BLOG","urlPath":"/category/:categoryId/blogs/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageRes {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"UserBlogPermissions.Page","type":"COMMUNITY","urlPath":"/c/user-blog-permissions/page","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"ThemeEditorPage","type":"COMMUNITY","urlPath":"/designer/themes","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"TkbViewAllArticlesPage","type":"TKB","urlPath":"/category/:categoryId/kb/:boardId/all-articles/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1730819800000,"localOverride":null,"page": {"id":"AllEvents","type":"CUSTOM","urlPath":"/Events","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"OccasionEditPage","type":"EVENT","urlPath":"/event/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 2 of 29 {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"OAuthAuthorizationAllowPage","type":"USER","urlPath":"/auth/authorize/allow","__typename":"PageDescriptor"},"__typename":"PageResource {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"PageEditorPage","type":"COMMUNITY","urlPath":"/designer/pages","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"PostPage","type":"COMMUNITY","urlPath":"/category/:categoryId/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResou {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"CreateUserGroup.Page","type":"COMMUNITY","urlPath":"/c/create-user-group/page","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"ForumBoardPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId","__typename":"PageDescriptor"},"__typename":"Pag {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"TkbBoardPage","type":"TKB","urlPath":"/category/:categoryId/kb/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"EventPostPage","type":"EVENT","urlPath":"/category/:categoryId/events/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageR {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"UserBadgesPage","type":"COMMUNITY","urlPath":"/users/:login/:userId/badges","__typename":"PageDescriptor"},"__typename":"PageResourc {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"GroupHubMembershipAction","type":"GROUP_HUB","urlPath":"/membership/join/:nodeId/:membershipType","__typename":"PageDescriptor"} {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"MaintenancePage","type":"COMMUNITY","urlPath":"/maintenance","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"IdeaReplyPage","type":"IDEA_REPLY","urlPath":"/idea/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescripto {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"UserSettingsPage","type":"USER","urlPath":"/mysettings/:userSettingsTab","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"GroupHubsPage","type":"GROUP_HUB","urlPath":"/groups","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"ForumPostPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId/create","__typename":"PageDescriptor"},"__typename": {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"OccasionRsvpActionPage","type":"OCCASION","urlPath":"/event/:boardId/:messageSubject/:messageId/rsvp/:responseType","__typename":"Pag {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"VerifyUserEmailPage","type":"USER","urlPath":"/verifyemail/:userId/:verifyEmailToken","__typename":"PageDescriptor"},"__typename":"PageR {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"AllOccasionsPage","type":"OCCASION","urlPath":"/category/:categoryId/events/:boardId/all-events/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"EventBoardPage","type":"EVENT","urlPath":"/category/:categoryId/events/:boardId","__typename":"PageDescriptor"},"__typename":"PageResou {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"TkbReplyPage","type":"TKB_REPLY","urlPath":"/kb/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"} {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"IdeaBoardPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource" {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"CommunityGuideLinesPage","type":"COMMUNITY","urlPath":"/communityguidelines","__typename":"PageDescriptor"},"__typename":"PageR {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"CaseCreatePage","type":"SALESFORCE_CASE_CREATION","urlPath":"/caseportal/create","__typename":"PageDescriptor"},"__typename":"Pa {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"TkbEditPage","type":"TKB","urlPath":"/kb/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageRes {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"ForgotPasswordPage","type":"USER","urlPath":"/forgotpassword","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"IdeaEditPage","type":"IDEA","urlPath":"/idea/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageR {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"TagPage","type":"COMMUNITY","urlPath":"/tag/:tagName","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"BlogBoardPage","type":"BLOG","urlPath":"/category/:categoryId/blog/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource" {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"OccasionMessagePage","type":"OCCASION_TOPIC","urlPath":"/event/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"ManageContentPage","type":"COMMUNITY","urlPath":"/managecontent","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"ClosedMembershipNodeNonMembersPage","type":"GROUP_HUB","urlPath":"/closedgroup/:groupHubId","__typename":"PageDescriptor"},"__t {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"CommunityPage","type":"COMMUNITY","urlPath":"/","__typename":"PageDescriptor"},"__typename":"PageResource"}, https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 3 of 29 {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"ForumMessagePage","type":"FORUM_TOPIC","urlPath":"/discussions/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"}," {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"IdeaPostPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResou {"lastUpdatedTime":1730819800000,"localOverride":null,"page": {"id":"CommunityHub.Page","type":"CUSTOM","urlPath":"/Directory","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"BlogMessagePage","type":"BLOG_ARTICLE","urlPath":"/blog/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typen {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"RegistrationPage","type":"USER","urlPath":"/register","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"EditGroupHubPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/edit","__typename":"PageDescriptor"},"__typename":"PageResource {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"ForumEditPage","type":"FORUM","urlPath":"/discussions/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typena {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"ResetPasswordPage","type":"USER","urlPath":"/resetpassword/:userId/:resetPasswordToken","__typename":"PageDescriptor"},"__typename":"Pa {"lastUpdatedTime":1730819800000,"localOverride":null,"page": {"id":"AllBlogs.Page","type":"CUSTOM","urlPath":"/blogs","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"TkbMessagePage","type":"TKB_ARTICLE","urlPath":"/kb/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"BlogEditPage","type":"BLOG","urlPath":"/blog/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"Page {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"ManageUsersPage","type":"USER","urlPath":"/users/manage/:tab?/:manageUsersTab?","__typename":"PageDescriptor"},"__typename":"PageRes {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"ForumReplyPage","type":"FORUM_REPLY","urlPath":"/discussions/:boardId/:messageSubject/:messageId/replies/:replyId","__typename":"PageD {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"PrivacyPolicyPage","type":"COMMUNITY","urlPath":"/privacypolicy","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"NotificationPage","type":"COMMUNITY","urlPath":"/notifications","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"UserPage","type":"USER","urlPath":"/users/:login/:userId","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"HealthCheckPage","type":"COMMUNITY","urlPath":"/health","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"OccasionReplyPage","type":"OCCASION_REPLY","urlPath":"/event/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"P {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"ManageMembersPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/manage/:tab?","__typename":"PageDescriptor"},"__typename":"P {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"SearchResultsPage","type":"COMMUNITY","urlPath":"/search","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"BlogReplyPage","type":"BLOG_REPLY","urlPath":"/blog/:boardId/:messageSubject/:messageId/replies/:replyId","__typename":"PageDescriptor" {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"GroupHubPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"TermsOfServicePage","type":"COMMUNITY","urlPath":"/termsofservice","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"CategoryPage","type":"CATEGORY","urlPath":"/category/:categoryId","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"ForumViewAllTopicsPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId/all-topics/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"}, {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"TkbPostPage","type":"TKB","urlPath":"/category/:categoryId/kbs/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource {"lastUpdatedTime":1775111737663,"localOverride":null,"page": {"id":"GroupHubPostPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/:boardId/create","__typename":"PageDescriptor"},"__typename":"Pa components/context/AppContext/AppContextProvider-0":{"__typename":"CachedAsset","id":"text:en_US-components/context/AppContext/AppContextProvider-0","value":{"noCommunity":"Cannot find community","noUser":"Cannot find current user","noNode":"Cannot find node with id {nodeId}","noMessage":"Cannot find message with id {messageId}","userBanned":"We're sorry, but you have been banned from using this site.","userBannedReason":"You have been banned for the following reason: {reason}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/Loading/LoadingDot-0": {"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Loading/LoadingDot-0","value": {"title":"Loading..."},"localOverride":false},"AssociatedImage: {\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/cmstNC05WEo0blc\"}": https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 4 of 29 {"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/cmstNC05WEo0blc","height":512,"width":512," {"__typename":"Rank","id":"rank:4","position":2,"name":"Microsoft","color":"333333","icon":{"__ref":"AssociatedImage: {\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/cmstNC05WEo0blc\"}"},"rankStyle":"OUTLINE"},"User:user:686380": {"__typename":"User","id":"user:686380","uid":686380,"login":"TomMcElroy","deleted":false,"avatar": {"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/m_assets/avatars/default/avatar-10.svg?time=0"},"rank": {"__ref":"Rank:rank:4"},"email":"","messagesCount":7,"biography":null,"topicsCount":7,"kudosReceivedCount":29,"kudosGivenCount":1,"kudosWeigh {"__typename":"RegistrationData","status":null,"registrationTime":"2020-06-02T02:44:33.267- 07:00","confirmEmailStatus":null},"followersCount":null,"solutionsCount":0},"Category:category:microsoft-sentinel": {"__typename":"Category","id":"category:microsoft-sentinel","entityType":"CATEGORY","displayId":"microsoft-sentinel","nodeType":"category","depth":4,"title":"Microsoft Sentinel","shortTitle":"Microsoft Sentinel","parent": {"__ref":"Category:category:microsoft-security"}},"Category:category:top": {"__typename":"Category","id":"category:top","entityType":"CATEGORY","displayId":"top","nodeType":"category","depth":0,"title":"Top","shortTitle" {"__typename":"Category","id":"category:communities","entityType":"CATEGORY","displayId":"communities","nodeType":"category","depth":1,"paren {"__ref":"Category:category:top"},"title":"Communities","shortTitle":"Communities"},"Category:category:products-services":{"__typename":"Category","id":"category:products-services","entityType":"CATEGORY","displayId":"products-services","nodeType":"category","depth":2,"parent": {"__ref":"Category:category:communities"},"title":"Products","shortTitle":"Products"},"Category:category:microsoft-security":{"__typename":"Category","id":"category:microsoft-security","entityType":"CATEGORY","displayId":"microsoft-security","nodeType":"category","depth":3,"parent": {"__ref":"Category:category:products-services"},"title":"Microsoft Security","shortTitle":"Microsoft Security","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Blog:board:MicrosoftSentinelBlog": {"__typename":"Blog","id":"board:MicrosoftSentinelBlog","entityType":"BLOG","displayId":"MicrosoftSentinelBlog","nodeType":"board","depth":5,"c {"__typename":"RepliesProperties","sortOrder":"REVERSE_PUBLISH_TIME","repliesFormat":"threaded"},"tagProperties": {"__typename":"TagNodeProperties","tagsEnabled": {"__typename":"PolicyResult","failureReason":null}},"requireTags":false,"tagType":"PRESET_ONLY","description":" Microsoft Sentinel is an industry-leading SIEM & AI-first platform powering agentic defense across the entire security ecosystem. ","title":"Microsoft Sentinel Blog","shortTitle":"Microsoft Sentinel Blog","parent":{"__ref":"Category:category:microsoft-sentinel"},"ancestors":{"__typename":"CoreNodeConnection","edges":[{"__typename":"CoreNodeEdge","node": {"__ref":"Community:community:gxcuf89792"}},{"__typename":"CoreNodeEdge","node": {"__ref":"Category:category:communities"}},{"__typename":"CoreNodeEdge","node": {"__ref":"Category:category:products-services"}},{"__typename":"CoreNodeEdge","node": {"__ref":"Category:category:microsoft-security"}},{"__typename":"CoreNodeEdge","node": {"__ref":"Category:category:microsoft-sentinel"}}]},"userContext": {"__typename":"NodeUserContext","canAddAttachments":false,"canUpdateNode":false,"canPostMessages":false,"isSubscribed":false},"theme": {"__ref":"Theme:customTheme1"},"boardPolicies":{"__typename":"BoardPolicies","canViewSpamDashBoard": {"__typename":"PolicyResult","failureReason": {"__typename":"FailureReason","message":"error.lithium.policies.feature.moderation_spam.action.access_spam_quarantine.allowed.accessDenied","key" []}},"canArchiveMessage":{"__typename":"PolicyResult","failureReason": {"__typename":"FailureReason","message":"error.lithium.policies.content_archivals.enable_content_archival_settings.accessDenied","key":"error.lithium []}},"canPublishArticleOnCreate":{"__typename":"PolicyResult","failureReason": {"__typename":"FailureReason","message":"error.lithium.policies.forums.policy_can_publish_on_create_workflow_action.accessDenied","key":"error.lit []}}},"linkProperties": {"__typename":"LinkProperties","isExternalLinkWarningEnabled":false}},"BlogTopicMessage:message:2234968": {"__typename":"BlogTopicMessage","uid":2234968,"subject":"Web Shell Threat Hunting with Azure Sentinel","id":"message:2234968","entityType":"BLOG_ARTICLE","eventPath":"category:microsoft-sentinel/category:microsoft-security/category:products-services/category:communities/community:gxcuf89792board:MicrosoftSentinelBlog/message:2234968","revisionNum":6,"repliesCount":0,"author": {"__ref":"User:user:686380"},"depth":0,"hasGivenKudo":false,"board": {"__ref":"Blog:board:MicrosoftSentinelBlog"},"conversation": {"__ref":"Conversation:conversation:2234968"},"messagePolicies": {"__typename":"MessagePolicies","canPublishArticleOnEdit":{"__typename":"PolicyResult","failureReason": {"__typename":"FailureReason","message":"error.lithium.policies.forums.policy_can_publish_on_edit_workflow_action.accessDenied","key":"error.lithi []}},"canModerateSpamMessage":{"__typename":"PolicyResult","failureReason": {"__typename":"FailureReason","message":"error.lithium.policies.feature.moderation_spam.action.moderate_entity.allowed.accessDenied","key":"error.li []}},"canReply":{"__typename":"PolicyResult","failureReason": {"__typename":"FailureReason","message":"error.lithium.policies.forums.action.message.reply_to_entity.allow.accessDenied","key":"error.lithium.polici []}},"canAcceptSolution":{"__typename":"PolicyResult","failureReason": {"__typename":"FailureReason","message":"error.lithium.policies.accepted_solutions.action_allow.message.mark_as_accepted_solution.accessDenied","k []}},"canRejectSolution":{"__typename":"PolicyResult","failureReason": https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 5 of 29 {"__typename":"FailureReason","message":"error.lithium.policies.accepted_solutions.action_allow.message.unmark_as_accepted_solution.accessDenied" []}},"canTag":{"__typename":"PolicyResult","failureReason": {"__typename":"FailureReason","message":"error.lithium.policies.labels.action.labelableentity.set_labels.allow.accessDenied","key":"error.lithium.policie []}},"canEdit":{"__typename":"PolicyResult","failureReason": {"__typename":"FailureReason","message":"error.lithium.policies.forums.action_allow.edit_message.accessDenied","key":"error.lithium.policies.forums. []}},"canKudo":{"__typename":"PolicyResult","failureReason": {"__typename":"FailureReason","message":"error.lithium.policies.kudos.action.entity.give_kudos.allow.accessDenied","key":"error.lithium.policies.kudo []}}},"contentWorkflow": {"__typename":"ContentWorkflow","state":"PUBLISH","scheduledPublishTime":null,"scheduledTimezone":null,"userContext": {"__typename":"MessageWorkflowContext","canSubmitForReview":null,"canEdit":false,"canRecall":null,"canSubmitForPublication":null,"canReturnTo {"__ref":"ModerationData:moderation_data:2234968"},"teaser":"\n In this blog post we will provide Microsoft Azure Sentinel customers with hunting queries to investigate possible on-prem Exchange Server exploitation and identify additional attacker IOCs (Indicators of compromise) such as IP address and User Agent. ","body":" In this blog post we will provide Microsoft Azure Sentinel customers with hunting queries to investigate possible on-premises Exchange Server exploitation and identify additional attacker IOCs (Indicators of compromise) such as IP address and User Agent. These hunting techniques can also be applied to web shell techniques targeting other web applications.  \n\n The techniques we discuss below have been adapted from the June 2020 blog post: Web shell threat hunting with Azure Sentinel and Microsoft Threat Protection. The previous blog post analysed an attack against a SharePoint server, however, many of the techniques can also be applied to Exchange servers since it also uses IIS to host its web interfaces.  \n\n Recent vulnerabilities in on-premises Microsoft Exchange servers have led to deployment of web shells by threat actors. More information on these vulnerabilities can be found in this MSRC blog, details on threat actor HAFNIUM using these vulnerabilities can be found in this MSTIC blog. MSRC has also provided guidance for responders, a one-click tool for remediation and automatic remediation is delivered through Microsoft Defender for Endpoint.  \n\n Our colleagues in Microsoft Defender Threat Intelligence have authored another blog that provides additional details on use of web shells in attacks taking advantage of the Exchange Server.   \n\n The below diagram provides a high-level overview of an attacker leveraging these vulnerabilities to install a web shell on an Exchange server.  \n\n\n\n\n\n Microsoft 365 Defender (M365D) detects web shell installation and execution activity. Security alerts and incidents generated by M365D can be written to the SecurityAlert table in Azure Sentinel by enabling the appropriate connector. An example of a web shell installation alert in the Azure Sentinel SecurityAlert table can be seen below.  \n\n\n\n These alerts can be enriched in Azure Sentinel with new information from other log sources. When dealing with remote attacks on web application servers, one of the best enrichment sources available are the web logs that have been generated. In the case that the application server is Microsoft Exchange the W3CIISLog can be used to enrich M365D alerts with potential attacker information. Information on collecting IIS logs using the Log Analytics agent can be found here. \n\n\n The query below extracts alerts from M365D where a web script file has been observed as part of the alert. In the below example, alerts containing ASP, ASPX, ASMX and ASAX files will be extracted; these are web script files commonly used by Exchange servers.  \n\n After extracting relevant web shell alerts the query will join the alert information with the W3CIIS log, this allows the query to identify any clients that have accessed the potential shell file, allowing the potential attacker to be identified. A version of the query below is already available as an Azure Sentinel detection and can be found here.  https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 6 of 29 \n\n let timeWindow = 3d; \n//Script file extensions to match on, can be expanded for your environment \nlet scriptExtensions \n\n\n\n\n Exchange servers can be challenging to identify in default log data; however using data available in W3CIISLog, Exchange servers can be identified using predictable URI strings without relying on the hostname or site name.  \n\n The query below extracts the host name from W3CIISLog where a known Exchange URI path is observed, this provides a list of hostnames that are running Exchange. This list of host names can then be used to aggregate information from the alerts in the SecurityAlert table.  \n\n W3CIISLog \n| where csUriStem has_any(\"/owa/auth/\", \"/ecp/healthcheck.htm\", \"/ews/exchange.asmx\") \n| summarize by \n\n\n\n\n The results of the query provide insights into whether additional security alerts beyond web shell alerts have been observed on the host. Following deployment of a web shell it’s highly likely the threat actor will begin to execute further commands on the server, triggering additional alerts. In the above example three Exchange servers were observed with security alerts.   \n\n This same technique can be used to locate other web applications within the network that use common or predictable web paths. \n\n\n W3CIISLog provides detailed logging on actions performed on Microsoft Internet Information Servers (IIS). Even when an Endpoint detection alert is not available, it is possible to explore W3CIISLogs for indicators of compromise. W3CIISLog can also provide additional insights into which hosts in the network are web application servers.  \n\n Note: As part of the original Microsoft HAFNIUM blog post, several hunting and detection queries were created to search for artefacts specific to the use of recent vulnerabilities. \n\n\n If the URI associated with the vulnerable file on the server is known, a query can be constructed to identify log entries that match the URI pattern. W3CIIS logging stores the URI in the column named “csUriStem”, the below query can be used to search for a specific URI in logs and provide information on which clients have accessed them. Local IP addresses have been removed.  \n\n W3CIISLog \n| where TimeGenerated > ago(3d) \n| where not(ipv4_is_private(cIP)) \n//Insert potentially exploited URI here \n\n\n\n\n For HAFNIUM attacks observed by MSTIC an indicator feed has been made available (CSV, JSON). A detection query, that will check for the presence of indicators in multiple data sources, has also been made available by the Azure Sentinel team. The detection can be found here, and IOC’s released as feeds by MSTIC can be found in this directory.  \n\n The recent Exchange vulnerabilities do not need to be targeted at a specific file. Analysis of automated exploitation tools online shows that many randomise the filenames used; this means that no legitimate user will visit these files as they do not exist on the server. As these filenames are randomly generated, static string matching cannot be used.  \n\n The Kusto “matches_regex” function can be used to perform regular expression matching on URI’s. The below example extracts events where the URI matches files associated with the exploitation of CVE-2021-27065 from W3CIISLog.  \n\n https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 7 of 29 W3CIISLog \n| where TimeGenerated > ago(3d) \n| where not(ipv4_is_private(cIP)) \n| where (csUriStem matches regex @\"\\/ \n\n\n\n\n The previous queries can be limited when the files being exploited are commonly accessed. They would produce many candidate attacker IP addresses, making analysis challenging.  \n\n Using the recent Exchange vulnerabilities as an example, Microsoft has seen malicious automated tools released publicly that are being used to exploit the Exchange vulnerabilities. These tools are designed to only visit specific URIs on the server that are required to perform the exploit. This activity differs from normal and legitimate Administrator or User application browsing activity and if observed should be investigated.  \n\n It is possible to craft a query that uses basic statistical analysis to identify instances where a client has visited a disproportionately high number of exploit-related URI’s when compared to other URIs on the site., The query below calculates the total number of suspicious URIs that have been visited by each user, it then calculates the total number of URIs visited by the user. Where the number of exploit related URIs is a significant proportion of URIs visited, a result is returned. By default, the query requires over 90% of the URIs visited by the user to be suspicious.  \n\n let timeRange = 7d;\n//Calculate number of suspicious URI stems visited by user \nW3CIISLog\n| where TimeGenerated > ago( \n\n\n While this query is designed to detect recent Exchange exploit activity, it can be easily adapted to other exploit chains if the pages or URIs used are known.  \n\n\n A previously published hunting query  can be used to detect instances where resources on a server are requested by a single client – a behaviour that should be investigated in the context of web shell exploits. After the actor creates web shell on the server, it’s likely that they will be the only user to access the file to complete their intended objective.   \n\n\n In the previous blog post covering SharePoint exploitation, a Jupyter Notebook Guided Investigation is provided. This notebook can also be used to investigate on-prem Exchange compromises within your environment.  \n\n The notebook extracts alerts from Microsoft 365 Defender related to web shell activity, these can then be enriched with information from W3CIIS to identify the attacker IP and User Agent. The attackers IP and User Agent can be used to hunt through multiple log sources for potential post-compromise activity.  \n\n After the attacker details have been identified, the notebook can be used to locate files that were accessed by the attacker prior to the web shell being installed. The notebook will also locate the first instance that the attacker visited the server.  \n\n Azure-Sentinel-Notebooks/Guided Investigation - MDE Webshell Alerts.ipynb at master · Azure/Azure-Sentinel-Notebooks (github.com)  \n\n Instructions for getting the notebook up and running can be found in the original blog post, under the title “Building out the Investigation using Jupyter Notebooks”.  \n\n You can stay up to date with the latest information at https://aka.ms/exchangevulns.  ","body@stringLength":"43412","rawBody":" In this blog post we will provide Microsoft Azure Sentinel customers with hunting queries to investigate possible on-premises Exchange Server exploitation and identify additional attacker IOCs (Indicators of compromise) such as IP address https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 8 of 29 and User Agent. These hunting techniques can also be applied to web shell techniques targeting other web applications.  \n\n The techniques we discuss below have been adapted from the June 2020 blog post: Web shell threat hunting with Azure Sentinel and Microsoft Threat Protection. The previous blog post analysed an attack against a SharePoint server, however, many of the techniques can also be applied to Exchange servers since it also uses IIS to host its web interfaces.  \n\n Recent vulnerabilities in on-premises Microsoft Exchange servers have led to deployment of web shells by threat actors. More information on these vulnerabilities can be found in this MSRC blog, details on threat actor HAFNIUM using these vulnerabilities can be found in this MSTIC blog. MSRC has also provided guidance for responders, a one-click tool for remediation and automatic remediation is delivered through Microsoft Defender for Endpoint.  \n\n Our colleagues in Microsoft Defender Threat Intelligence have authored another blog that provides additional details on use of web shells in attacks taking advantage of the Exchange Server.   \n\n The below diagram provides a high-level overview of an attacker leveraging these vulnerabilities to install a web shell on an Exchange server.  \n\n\n\n\n Investigating web shell alerts  \n Microsoft 365 Defender (M365D) detects web shell installation and execution activity. Security alerts and incidents generated by M365D can be written to the SecurityAlert table in Azure Sentinel by enabling the appropriate connector. An example of a web shell installation alert in the Azure Sentinel SecurityAlert table can be seen below.  \n\n\n\n These alerts can be enriched in Azure Sentinel with new information from other log sources. When dealing with remote attacks on web application servers, one of the best enrichment sources available are the web logs that have been generated. In the case that the application server is Microsoft Exchange the W3CIISLog can be used to enrich M365D alerts with potential attacker information. Information on collecting IIS logs using the Log Analytics agent can be found here. \n\n Identifying the Attacker IP address from Microsoft 365 Defender alerts  \n The query below extracts alerts from M365D where a web script file has been observed as part of the alert. In the below example, alerts containing ASP, ASPX, ASMX and ASAX files will be extracted; these are web script files commonly used by Exchange servers.  \n\n After extracting relevant web shell alerts the query will join the alert information with the W3CIIS log, this allows the query to identify any clients that have accessed the potential shell file, allowing the potential attacker to be identified. A version of the query below is already available as an Azure Sentinel detection and can be found here.  \n\nlet timeWindow = 3d; \n//Script file extensions to match on, can be expanded for your environment \nlet scriptExtensions = dynamic([\".asp\", \".aspx\", \".asmx\", \".asax\"]); \nSecurityAlert \n| where TimeGenerated > ago(timeWindow) \n| where ProviderName == \"MDATP\" \n//Parse and expand the alert JSON \n| extend alertData = parse_json(Entities) \n| mvexpand alertData \n| where alertData.Type == \"file\" \n//This can be expanded to include more file types \n| where alertData.Name has_any(scriptExtensions) \n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory) \n| project TimeGenerated, FileName, Directory \n| join ( \nW3CIISLog \n| where TimeGenerated > ago(timeWindow) \n| where csUriStem has_any(scriptExtensions) \n| extend splitUriStem = split(csUriStem, \"/\") \n| extend FileName = splitUriStem[-1] \n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by AttackerIP=cIP, AttackerUserAgent=csUserAgent, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName) \n) on FileName \n| project StartTime, EndTime, AttackerIP, AttackerUserAgent, SiteName, ShellLocation \n\n\n\n https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 9 of 29 Identifying Exchange Servers & Associated Security Alerts  \n Exchange servers can be challenging to identify in default log data; however using data available in W3CIISLog, Exchange servers can be identified using predictable URI strings without relying on the hostname or site name.  \n\n The query below extracts the host name from W3CIISLog where a known Exchange URI path is observed, this provides a list of hostnames that are running Exchange. This list of host names can then be used to aggregate information from the alerts in the SecurityAlert table.  \n\nW3CIISLog \n| where csUriStem has_any(\"/owa/auth/\", \"/ecp/healthcheck.htm\", \"/ews/exchange.asmx\") \n| summarize by computer=tolower(Computer) \n| join kind=leftouter ( \nSecurityAlert \n| extend alertData = parse_json(Entities) \n| mvexpand alertData \n| where alertData.Type == \"host\" \n| extend computer = iff(isnotempty(alertData.DnsDomain), tolower(strcat(tostring(alertData.HostName), \".\" , tostring(alertData.DnsDomain))),tolower(tostring(alertData.HostName))) \n| summarize Alerts=dcount(SystemAlertId), AlertTimes=make_list(TimeGenerated), AlertNames=make_list(AlertName) by computer \n) on computer \n| project ExchangeServer=computer, Alerts, AlertTimes, AlertNames \n\n\n\n\n The results of the query provide insights into whether additional security alerts beyond web shell alerts have been observed on the host. Following deployment of a web shell it’s highly likely the threat actor will begin to execute further commands on the server, triggering additional alerts. In the above example three Exchange servers were observed with security alerts.   \n\n This same technique can be used to locate other web applications within the network that use common or predictable web paths. \n\n W3CIISLog Analysis  \n W3CIISLog provides detailed logging on actions performed on Microsoft Internet Information Servers (IIS). Even when an Endpoint detection alert is not available, it is possible to explore W3CIISLogs for indicators of compromise. W3CIISLog can also provide additional insights into which hosts in the network are web application servers.  \n\n Note: As part of the original Microsoft HAFNIUM blog post, several hunting and detection queries were created to search for artefacts specific to the use of recent vulnerabilities. \n\n Identifying generic exploitation activity  \n If the URI associated with the vulnerable file on the server is known, a query can be constructed to identify log entries that match the URI pattern. W3CIIS logging stores the URI in the column named “csUriStem”, the below query can be used to search for a specific URI in logs and provide information on which clients have accessed them. Local IP addresses have been removed.  \n\nW3CIISLog \n| where TimeGenerated > ago(3d) \n| where not(ipv4_is_private(cIP)) \n//Insert potentially exploited URI here \n| where csUriStem =~ \"/owa/auth/x.js\" \n| project TimeGenerated, sSiteName, csMethod, csUriStem, sPort, cIP, csUserAgent \n\n\n\n\n For HAFNIUM attacks observed by MSTIC an indicator feed has been made available (CSV, JSON). A detection query, that will check for the presence of indicators in multiple data sources, has also been made available by the Azure Sentinel team. The detection can be found here, and IOC’s released as feeds by MSTIC can be found in this directory.  \n\n The recent Exchange vulnerabilities do not need to be targeted at a specific file. Analysis of automated exploitation tools online shows that many randomise the filenames used; this means that no legitimate user will visit these files as they do not exist on the server. As these filenames are randomly generated, static string matching cannot be used.  \n\n https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 10 of 29 The Kusto “matches_regex” function can be used to perform regular expression matching on URI’s. The below example extracts events where the URI matches files associated with the exploitation of CVE-2021-27065 from W3CIISLog.  \n\nW3CIISLog \n| where TimeGenerated > ago(3d) \n| where not(ipv4_is_private(cIP)) \n| where (csUriStem matches regex @\"\\/owa\\/auth\\/[A-Za-z0-9]{1,30}\\.js\") or (csUriStem matches regex @\"\\/ecp\\/[A-Za-z0-9]{1,30}\\. (js|flt|css)\") \n| project TimeGenerated, sSiteName, csMethod, csUriStem, sPort, cIP, csUserAgent\n\n\n\n\n The previous queries can be limited when the files being exploited are commonly accessed. They would produce many candidate attacker IP addresses, making analysis challenging.  \n\n Using the recent Exchange vulnerabilities as an example, Microsoft has seen malicious automated tools released publicly that are being used to exploit the Exchange vulnerabilities. These tools are designed to only visit specific URIs on the server that are required to perform the exploit. This activity differs from normal and legitimate Administrator or User application browsing activity and if observed should be investigated.  \n\n It is possible to craft a query that uses basic statistical analysis to identify instances where a client has visited a disproportionately high number of exploit-related URI’s when compared to other URIs on the site., The query below calculates the total number of suspicious URIs that have been visited by each user, it then calculates the total number of URIs visited by the user. Where the number of exploit related URIs is a significant proportion of URIs visited, a result is returned. By default, the query requires over 90% of the URIs visited by the user to be suspicious.  \n\nlet timeRange = 7d;\n//Calculate number of suspicious URI stems visited by user \nW3CIISLog\n| where TimeGenerated > ago(timeRange)\n| where not(ipv4_is_private(cIP)) \n| where (csUriStem matches regex @\"\\/owa\\/auth\\/[A-Za-z0-9]{1,30}\\.js\") or (csUriStem matches regex @\"\\/ecp\\/[A-Za-z0-9]{1,30}\\.(js|flt|css)\") or (csUriStem =~ \"/ews/exchange.asmx\") \n| extend userHash = hash_md5(strcat(cIP, csUserAgent)) \n| summarize susCount=dcount(csUriStem), make_list(csUriStem), min(TimeGenerated), max(TimeGenerated) by userHash, cIP, csUserAgent \n| join kind=leftouter ( \n//Calculate unique URI stems visited by each user \nW3CIISLog \n| where TimeGenerated > ago(timeRange) \n| where not(ipv4_is_private(cIP))\n| extend userHash = hash_md5(strcat(cIP, csUserAgent)) \n| summarize allCount=dcount(csUriStem) by userHash \n) on userHash \n//Find instances where only a common endpoint was seen \n| extend containsDefault = iff(list_csUriStem contains \"/ews/exchange.asmx\", 1, 0) \n//If we only see the common endpoint and nothing else dump it \n| extend result = iff(containsDefault == 1, containsDefault+susCount, 0) \n| where result != 2 \n| extend susPercentage = susCount / allCount * 100 \n| where susPercentage > 90 \n| project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, AttackerIP=cIP, AttackerUA=csUserAgent, URIsVisited=list_csUriStem, suspiciousPercentage=susPercentage, allUriCount=allCount, suspiciousUriCount=susCount\n\n\n While this query is designed to detect recent Exchange exploit activity, it can be easily adapted to other exploit chains if the pages or URIs used are known.  \n\n Rare Client File Access  \n A previously published hunting query  can be used to detect instances where resources on a server are requested by a single client – a behaviour that should be investigated in the context of web shell exploits. After the actor creates web shell on the server, it’s likely that they will be the only user to access the file to complete their intended objective.   \n\n Investigating the Attacker  \n In the previous blog post covering SharePoint exploitation, a Jupyter Notebook Guided Investigation is provided. This notebook can also be used to investigate on-prem Exchange compromises within your environment.  \n\n The notebook extracts alerts from Microsoft 365 Defender related to web shell activity, these can then be enriched with information from W3CIIS to identify the attacker IP and User Agent. The attackers IP and User Agent can be used to hunt through multiple log sources for potential post-compromise activity.  \n\n https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 11 of 29 After the attacker details have been identified, the notebook can be used to locate files that were accessed by the attacker prior to the web shell being installed. The notebook will also locate the first instance that the attacker visited the server.  \n\n Azure-Sentinel-Notebooks/Guided Investigation - MDE Webshell Alerts.ipynb at master · Azure/Azure-Sentinel-Notebooks (github.com)  \n\n Instructions for getting the notebook up and running can be found in the original blog post, under the title “Building out the Investigation using Jupyter Notebooks”.  \n\n You can stay up to date with the latest information at https://aka.ms/exchangevulns.  ","kudosSumWeight":2,"postTime":"2021-03-25T12:00:35.634-07:00","images": {"__typename":"AssociatedImageConnection","edges": [{"__typename":"AssociatedImageEdge","cursor":"MjYuMXwyLjF8b3wyNXxfTlZffDE","node": {"__ref":"AssociatedImage: {\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yMjM0OTY4LTI2NzAwNmlFNkRFNUU1MTY2NzBDRDM1? revision=6\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjYuMXwyLjF8b3wyNXxfTlZffDI","node": {"__ref":"AssociatedImage: {\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yMjM0OTY4LTI2Njk2OGk4QTlCNTM2RUJGRjEwREEw? revision=6\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjYuMXwyLjF8b3wyNXxfTlZffDM","node": {"__ref":"AssociatedImage: {\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yMjM0OTY4LTI2Njk4OWk2QUYxMzA3QUM3RTIwOEU0? revision=6\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjYuMXwyLjF8b3wyNXxfTlZffDQ","node": {"__ref":"AssociatedImage: {\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yMjM0OTY4LTI2Njk3M2k2NUI4NzlBNzBGQjc2QkI3? revision=6\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjYuMXwyLjF8b3wyNXxfTlZffDU","node": {"__ref":"AssociatedImage: {\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yMjM0OTY4LTI2Njk4NGlGNTRDQjAxMjI2ODkyN0U1? revision=6\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjYuMXwyLjF8b3wyNXxfTlZffDY","node": {"__ref":"AssociatedImage: {\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yMjM0OTY4LTI2Njk4NWkzRDlCMTk0MDA0RjFEMjIz? revision=6\"}"}}],"totalCount":6,"pageInfo": {"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"attachments": {"__typename":"AttachmentConnection","pageInfo": {"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null},"edges": []},"tags":{"__typename":"TagConnection","pageInfo": {"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null},"edges": []},"timeToRead":8,"rawTeaser":"\n In this blog post we will provide Microsoft Azure Sentinel customers with hunting queries to investigate possible on-prem Exchange Server exploitation and identify additional attacker IOCs (Indicators of compromise) such as IP address and User Agent. ","introduction":"","coverImage":null,"coverImageProperties": {"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""},"currentRevision": {"__ref":"Revision:revision:2234968_6"},"latestVersion": {"__typename":"FriendlyVersion","major":"1","minor":"0"},"metrics": {"__typename":"MessageMetrics","views":36231},"read":false,"visibilityScope":"PUBLIC","canonicalUrl":null,"seoTitle":null,"seoDescription":null,"pl {"__typename":"UserConnection","edges":[]},"nonCoAuthorContributors":{"__typename":"UserConnection","edges": []},"coAuthors":{"__typename":"UserConnection","edges":[]},"blogMessagePolicies": {"__typename":"BlogMessagePolicies","canDoAuthoringActionsOnBlog":{"__typename":"PolicyResult","failureReason": {"__typename":"FailureReason","message":"error.lithium.policies.blog.action_can_do_authoring_action.accessDenied","key":"error.lithium.policies.blog []}}},"archivalData":null,"customFields":[],"revisions({\"constraints\":{\"isPublished\":{\"eq\":true}}})": {"__typename":"RevisionConnection","totalCount":6}},"Conversation:conversation:2234968": {"__typename":"Conversation","id":"conversation:2234968","solved":false,"topic": {"__ref":"BlogTopicMessage:message:2234968"},"lastPostingActivityTime":"2021-03-25T12:00:35.634- 07:00","lastPostTime":"2021-03-25T12:00:35.634- 07:00","unreadReplyCount":0,"isSubscribed":false},"ModerationData:moderation_data:2234968": {"__typename":"ModerationData","id":"moderation_data:2234968","status":"APPROVED","rejectReason":null,"isReportedAbuse":false,"rejectUser":nu {\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yMjM0OTY4LTI2NzAwNmlFNkRFNUU1MTY2NzBDRDM1? revision=6\"}": https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 12 of 29 {"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yMjM0OTY4LTI2NzAwNmlFNkRFNUU1M revision=6","title":"deaf23e9-a7b4-4ae9-b791- 27fbcf19c6bc.jpg","associationType":"TEASER","width":600,"height":353,"altText":null},"AssociatedImage: {\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yMjM0OTY4LTI2Njk2OGk4QTlCNTM2RUJGRjEwREEw? revision=6\"}": {"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yMjM0OTY4LTI2Njk2OGk4QTlCNTM2RU revision=6","title":"diagram_2.PNG","associationType":"BODY","width":1086,"height":550,"altText":null},"AssociatedImage: {\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yMjM0OTY4LTI2Njk4OWk2QUYxMzA3QUM3RTIwOEU0? revision=6\"}": {"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yMjM0OTY4LTI2Njk4OWk2QUYxMzA3Q revision=6","title":"Capture3.PNG","associationType":"BODY","width":647,"height":359,"altText":null},"AssociatedImage: {\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yMjM0OTY4LTI2Njk3M2k2NUI4NzlBNzBGQjc2QkI3? revision=6\"}": {"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yMjM0OTY4LTI2Njk3M2k2NUI4NzlBNzB revision=6","title":"Capture.PNG","associationType":"BODY","width":848,"height":162,"altText":null},"AssociatedImage: {\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yMjM0OTY4LTI2Njk4NGlGNTRDQjAxMjI2ODkyN0U1? revision=6\"}": {"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yMjM0OTY4LTI2Njk4NGlGNTRDQjAxMj revision=6","title":"Capture2.PNG","associationType":"BODY","width":983,"height":107,"altText":null},"AssociatedImage: {\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yMjM0OTY4LTI2Njk4NWkzRDlCMTk0MDA0RjFEMjIz? revision=6\"}": {"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yMjM0OTY4LTI2Njk4NWkzRDlCMTk0M revision=6","title":"Capture2.PNG","associationType":"BODY","width":983,"height":107,"altText":null},"Revision:revision:2234968_6": {"__typename":"Revision","id":"revision:2234968_6","lastEditTime":"2021-03-25T07:15:41.255- 07:00"},"CachedAsset:theme:customTheme1-1775108359968":{"__typename":"CachedAsset","id":"theme:customTheme1- 1775108359968","value":{"id":"customTheme1","animation": {"fast":"150ms","normal":"250ms","slow":"500ms","slowest":"750ms","function":"cubic-bezier(0.07, 0.91, 0.51, 1)","__typename":"AnimationThemeSettings"},"avatar":{"borderRadius":"50%","collections": ["default"],"__typename":"AvatarThemeSettings"},"basics":{"browserIcon":{"imageAssetName":"favicon-1730836283320.png","imageLastModified":"1730836286415","__typename":"ThemeAsset"},"customerLogo": {"imageAssetName":"favicon-1730836271365.png","imageLastModified":"1730836274203","__typename":"ThemeAsset"},"maximumWidthOfPageContent":"1300px","oneColumnN {"borderRadiusSm":"3px","borderRadius":"3px","borderRadiusLg":"5px","paddingY":"5px","paddingYLg":"7px","paddingYHero":"var(- -lia-bs-btn-padding-y-lg)","paddingX":"12px","paddingXLg":"16px","paddingXHero":"60px","fontStyle":"NORMAL","fontWeight":"700","textTransform":"NONE","disabled -lia-bs-white)","primaryTextHoverColor":"var(--lia-bs-white)","primaryTextActiveColor":"var(--lia-bs-white)","primaryBgColor":"var(--lia-bs-primary)","primaryBgHoverColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) * 0.85))","primaryBgActiveColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) * 0.7))","primaryBorder":"1px solid transparent","primaryBorderHover":"1px solid transparent","primaryBorderActive":"1px solid transparent","primaryBorderFocus":"1px solid var(--lia-bs-white)","primaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","secondaryTextColor":"var(--lia-bs-gray-900)","secondaryTextHoverColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.95))","secondaryTextActiveColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.9))","secondaryBgColor":"var(--lia-bs-gray-200)","secondaryBgHoverColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.96))","secondaryBgActiveColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.92))","secondaryBorder":"1px solid transparent","secondaryBorderHover":"1px solid transparent","secondaryBorderActive":"1px solid transparent","secondaryBorderFocus":"1px solid transparent","secondaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","tertiaryTextColor":"var(--lia-bs-gray-900)","tertiaryTextHoverColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.95))","tertiaryTextActiveColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900- s), calc(var(--lia-bs-gray-900-l) * 0.9))","tertiaryBgColor":"transparent","tertiaryBgHoverColor":"transparent","tertiaryBgActiveColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.04)","tertiaryBorder":"1px solid transparent","tertiaryBorderHover":"1px solid hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","tertiaryBorderActive":"1px solid transparent","tertiaryBorderFocus":"1px solid transparent","tertiaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","destructiveTextColor":"var(--lia-bs-danger)","destructiveTextHoverColor":"hsl(var(--lia-bs-danger-h), var(--lia-bs-danger-s), calc(var(--lia-bs-danger-l) * 0.95))","destructiveTextActiveColor":"hsl(var(--lia-bs-danger-h), var(--lia-bs-danger-s), calc(var(--lia-bs-danger-l) * 0.9))","destructiveBgColor":"var(--lia-bs-gray-200)","destructiveBgHoverColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.96))","destructiveBgActiveColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.92))","destructiveBorder":"1px solid https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 13 of 29 transparent","destructiveBorderHover":"1px solid transparent","destructiveBorderActive":"1px solid transparent","destructiveBorderFocus":"1px solid transparent","destructiveBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","__typename":"ButtonsThemeSettings"},"border":{"color":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","mainContent":"NONE","sideContent":"LIGHT","radiusSm":"3px","radius":"5px","radiusLg":"9px","radius50":"100vw","__typename":"BorderT {"xs":"0 0 0 1px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.08), 0 3px 0 -1px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.16)","sm":"0 2px 4px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.12)","md":"0 5px 15px hsla(var(--lia-bs-gray-900-h), var(-- lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.3)","lg":"0 10px 30px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.3)","__typename":"BoxShadowThemeSettings"},"cards":{"bgColor":"var(--lia-panel-bg-color)","borderRadius":"var(--lia-panel-border-radius)","boxShadow":"var(--lia-box-shadow-xs)","__typename":"CardsThemeSettings"},"chip": {"maxWidth":"300px","height":"30px","__typename":"ChipThemeSettings"},"coreTypes": {"defaultMessageLinkColor":"var(--lia-bs-link-color)","defaultMessageLinkDecoration":"none","defaultMessageLinkFontStyle":"NORMAL","defaultMessageLinkFontWeight":"400","defaultMessageF -lia-bs-font-family-base)","forumColor":"#4099E2","forumFontFamily":"var(--lia-bs-font-family-base)","forumFontWeight":"var(--lia-default-message-font-weight)","forumLineHeight":"var(--lia-bs-line-height-base)","forumFontStyle":"var(--lia-default-message-font-style)","forumMessageLinkColor":"var(--lia-default-message-link-color)","forumMessageLinkDecoration":"var(--lia-default-message-link-decoration)","forumMessageLinkFontStyle":"var(-- lia-default-message-link-font-style)","forumMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","forumSolvedColor":"#148563","blogColor":"#1CBAA0","blogFontFamily":"var(--lia-bs-font-family-base)","blogFontWeight":"var(--lia-default-message-font-weight)","blogLineHeight":"1.75","blogFontStyle":"var(--lia-default-message-font-style)","blogMessageLinkColor":"var(--lia-default-message-link-color)","blogMessageLinkDecoration":"var(--lia-default-message-link-decoration)","blogMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","blogMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","tkbColor":"#4C6B90","tkbFontFamily":"var(--lia-bs-font-family-base)","tkbFontWeight":"var(--lia-default-message-font-weight)","tkbLineHeight":"1.75","tkbFontStyle":"var(--lia-default-message-font-style)","tkbMessageLinkColor":"var(--lia-default-message-link-color)","tkbMessageLinkDecoration":"var(--lia-default-message-link-decoration)","tkbMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","tkbMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","qandaColor":"#4099E2","qandaFontFamily":"var(--lia-bs-font-family-base)","qandaFontWeight":"var(--lia-default-message-font-weight)","qandaLineHeight":"var(--lia-bs-line-height-base)","qandaFontStyle":"var(--lia-default-message-link-font-style)","qandaMessageLinkColor":"var(--lia-default-message-link-color)","qandaMessageLinkDecoration":"var(--lia-default-message-link-decoration)","qandaMessageLinkFontStyle":"var(-- lia-default-message-link-font-style)","qandaMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","qandaSolvedColor":"#3FA023","ideaColor":"#FF8000","ideaFontFamily":"var(--lia-bs-font-family-base)","ideaFontWeight":"var(--lia-default-message-font-weight)","ideaLineHeight":"var(--lia-bs-line-height-base)","ideaFontStyle":"var(--lia-default-message-font-style)","ideaMessageLinkColor":"var(--lia-default-message-link-color)","ideaMessageLinkDecoration":"var(--lia-default-message-link-decoration)","ideaMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","ideaMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","contestColor":"#FCC845","contestFontFamily":"var(--lia-bs-font-family-base)","contestFontWeight":"var(--lia-default-message-font-weight)","contestLineHeight":"var(--lia-bs-line-height-base)","contestFontStyle":"var(--lia-default-message-link-font-style)","contestMessageLinkColor":"var(--lia-default-message-link-color)","contestMessageLinkDecoration":"var(--lia-default-message-link-decoration)","contestMessageLinkFontStyle":"ITALIC","contestMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","occasionColor":"#bc341b","occasionFontFamily":"var(--lia-bs-font-family-base)","occasionFontWeight":"var(--lia-default-message-font-weight)","occasionLineHeight":"var(--lia-bs-line-height-base)","occasionFontStyle":"var(--lia-default-message-font-style)","occasionMessageLinkColor":"var(--lia-default-message-link-color)","occasionMessageLinkDecoration":"var(--lia-default-message-link-decoration)","occasionMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","occasionMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","grouphubColor":"#333333","categoryColor":"#949494","communityColor":"#FFFFFF","productColor":"#949494","__typename":"CoreTypesT {"black":"#000000","white":"#FFFFFF","gray100":"#F7F7F7","gray200":"#F7F7F7","gray300":"#E8E8E8","gray400":"#D9D9D9","gray500":"#CCCC -lia-bs-primary)","custom":["#D3F5A4","#243A5E"],"__typename":"ColorsThemeSettings"},"divider": {"size":"3px","marginLeft":"4px","marginRight":"4px","borderRadius":"50%","bgColor":"var(--lia-bs-gray-600)","bgColorActive":"var(--lia-bs-gray-600)","__typename":"DividerThemeSettings"},"dropdown":{"fontSize":"var(-- lia-bs-font-size-sm)","borderColor":"var(--lia-bs-border-color)","borderRadius":"var(--lia-bs-border-radius-sm)","dividerBg":"var(--lia-bs-gray-300)","itemPaddingY":"5px","itemPaddingX":"20px","headerColor":"var(--lia-bs-gray-700)","__typename":"DropdownThemeSettings"},"email":{"link": {"color":"#0069D4","hoverColor":"#0061c2","decoration":"none","hoverDecoration":"underline","__typename":"EmailLinkSettings"},"border": {"color":"#e4e4e4","__typename":"EmailBorderSettings"},"buttons": {"borderRadiusLg":"5px","paddingXLg":"16px","paddingYLg":"7px","fontWeight":"700","primaryTextColor":"#ffffff","primaryTextHoverColor":"#fffff solid transparent","primaryBorderHover":"1px solid transparent","__typename":"EmailButtonsSettings"},"panel": https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 14 of 29 {"borderRadius":"5px","borderColor":"#e4e4e4","__typename":"EmailPanelSettings"},"__typename":"EmailThemeSettings"},"emoji": {"skinToneDefault":"#ffcd43","skinToneLight":"#fae3c5","skinToneMediumLight":"#e2cfa5","skinToneMedium":"#daa478","skinToneMediumDark":"# {"color":"var(--lia-bs-body-color)","fontFamily":"Segoe UI","fontStyle":"NORMAL","fontWeight":"400","h1FontSize":"34px","h2FontSize":"32px","h3FontSize":"28px","h4FontSize":"24px","h5FontSize":"20 -lia-bs-headings-font-weight)","h2FontWeight":"var(--lia-bs-headings-font-weight)","h3FontWeight":"var(--lia-bs-headings-font-weight)","h4FontWeight":"var(--lia-bs-headings-font-weight)","h5FontWeight":"var(--lia-bs-headings-font-weight)","h6FontWeight":"var(--lia-bs-headings-font-weight)","__typename":"HeadingThemeSettings"},"icons": {"size10":"10px","size12":"12px","size14":"14px","size16":"16px","size20":"20px","size24":"24px","size30":"30px","size40":"40px","size50":"50px","s {"bgColor":"var(--lia-bs-gray-900)","titleColor":"var(--lia-bs-white)","controlColor":"var(--lia-bs-white)","controlBgColor":"var(--lia-bs-gray-800)","__typename":"ImagePreviewThemeSettings"},"input": {"borderColor":"var(--lia-bs-gray-600)","disabledColor":"var(--lia-bs-gray-600)","focusBorderColor":"var(--lia-bs-primary)","labelMarginBottom":"10px","btnFontSize":"var(--lia-bs-font-size-sm)","focusBoxShadow":"0 0 0 3px hsla(var(- -lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","checkLabelMarginBottom":"2px","checkboxBorderRadius":"3px","borderRadiusSm":"var(--lia-bs-border-radius-sm)","borderRadius":"var(--lia-bs-border-radius)","borderRadiusLg":"var(--lia-bs-border-radius-lg)","formTextMarginTop":"4px","textAreaBorderRadius":"var(--lia-bs-border-radius)","activeFillColor":"var(--lia-bs-primary)","__typename":"InputThemeSettings"},"loading":{"dotDarkColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.2)","dotLightColor":"hsla(var(--lia-bs-white-h), var(--lia-bs-white-s), var(--lia-bs-white-l), 0.5)","barDarkColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.06)","barLightColor":"hsla(var(--lia-bs-white-h), var(--lia-bs-white-s), var(--lia-bs-white-l), 0.4)","__typename":"LoadingThemeSettings"},"link":{"color":"var(--lia-bs-primary)","hoverColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) - 10%))","decoration":"none","hoverDecoration":"underline","__typename":"LinkThemeSettings"},"listGroup": {"itemPaddingY":"15px","itemPaddingX":"15px","borderColor":"var(--lia-bs-gray-300)","__typename":"ListGroupThemeSettings"},"modal":{"contentTextColor":"var(--lia-bs-body-color)","contentBg":"var(--lia-bs-white)","backgroundBg":"var(--lia-bs-black)","smSize":"440px","mdSize":"760px","lgSize":"1080px","backdropOpacity":0.3,"contentBoxShadowXs":"var(--lia-bs-box-shadow-sm)","contentBoxShadow":"var(--lia-bs-box-shadow)","headerFontWeight":"700","__typename":"ModalThemeSettings"},"navbar":{"position":"FIXED","background": {"attachment":null,"clip":null,"color":"var(--lia-bs-white)","imageAssetName":"","imageLastModified":"0","origin":null,"position":"CENTER_CENTER","repeat":"NO_REPEAT","size":"COVER","__typ solid var(--lia-bs-border-color)","boxShadow":"var(--lia-bs-box-shadow-sm)","brandMarginRight":"30px","brandMarginRightSm":"10px","brandLogoHeight":"30px","linkGap":"10px","linkJustifyContent":"flex-start","linkPaddingY":"5px","linkPaddingX":"10px","linkDropdownPaddingY":"9px","linkDropdownPaddingX":"var(--lia-nav-link-px)","linkColor":"var(--lia-bs-body-color)","linkHoverColor":"var(--lia-bs-primary)","linkFontSize":"var(--lia-bs-font-size-sm)","linkFontStyle":"NORMAL","linkFontWeight":"400","linkTextTransform":"NONE","linkLetterSpacing":"normal","linkBorderRadius":"var(- -lia-bs-border-radius-sm)","linkBgColor":"transparent","linkBgHoverColor":"transparent","linkBorder":"none","linkBorderHover":"none","linkBoxShadow":"none","linkBoxS -lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","controllerBgHoverColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.1)","controllerIconColor":"var(--lia-bs-body-color)","controllerIconHoverColor":"var(--lia-bs-body-color)","controllerTextColor":"var(--lia-nav-controller-icon-color)","controllerTextHoverColor":"var(--lia-nav-controller-icon-hover-color)","controllerHighlightColor":"hsla(30, 100%, 50%)","controllerHighlightTextColor":"var(--lia-yiq-light)","controllerBorderRadius":"var(--lia-border-radius-50)","hamburgerColor":"var(--lia-nav-controller-icon-color)","hamburgerHoverColor":"var(--lia-nav-controller-icon-color)","hamburgerBgColor":"transparent","hamburgerBgHoverColor":"transparent","hamburgerBorder":"none","hamburgerBorderHover":"none","collap -lia-nav-link-color)","collapseMenuDividerOpacity":0.16,"__typename":"NavbarThemeSettings"},"pager": {"textColor":"var(--lia-bs-link-color)","textFontWeight":"var(--lia-font-weight-md)","textFontSize":"var(--lia-bs-font-size-sm)","__typename":"PagerThemeSettings"},"panel":{"bgColor":"var(--lia-bs-white)","borderRadius":"var(--lia-bs-border-radius)","borderColor":"var(--lia-bs-border-color)","boxShadow":"none","__typename":"PanelThemeSettings"},"popover": {"arrowHeight":"8px","arrowWidth":"16px","maxWidth":"300px","minWidth":"100px","headerBg":"var(--lia-bs-white)","borderColor":"var(--lia-bs-border-color)","borderRadius":"var(--lia-bs-border-radius)","boxShadow":"0 0.5rem 1rem hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.15)","__typename":"PopoverThemeSettings"},"prism":{"color":"#000000","bgColor":"#f5f2f0","fontFamily":"var(--font-family-monospace)","fontSize":"var(--lia-bs-font-size-base)","fontWeightBold":"var(--lia-bs-font-weight-bold)","fontStyleItalic":"italic","tabSize":2,"highlightColor":"#b3d4fc","commentColor":"#62707e","punctuationColor":"#6f6f6f","namespaceOpacity":" 0%, 100%, 0.5)","keywordColor":"#0076a9","functionColor":"#d3284b","variableColor":"#c14700","__typename":"PrismThemeSettings"},"rte": {"bgColor":"var(--lia-bs-white)","borderRadius":"var(--lia-panel-border-radius)","boxShadow":" var(--lia-panel-box-shadow)","customColor1":"#bfedd2","customColor2":"#fbeeb8","customColor3":"#f8cac6","customColor4":"#eccafa","customColor5":"#c2e0f4","custo 53%, 51%, 0.4)","diffChangedColor":"hsla(43, 97%, 63%, 0.4)","diffNoneColor":"hsla(0, 0%, 80%, 0.4)","diffRemovedColor":"hsla(9, 74%, 47%, 0.4)","specialMessageHeaderMarginTop":"40px","specialMessageHeaderMarginBottom":"20px","specialMessageItemMarginTop":"0","specialMessageIt -lia-bs-gray-https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 15 of 29 700)","tableBorderStyle":"solid","tableCellPaddingX":"5px","tableCellPaddingY":"5px","tableTextColor":"var(--lia-bs-body-color)","tableVerticalAlign":"middle","__typename":"RteThemeSettings"},"tags":{"bgColor":"var(--lia-bs-gray-200)","bgHoverColor":"var(--lia-bs-gray-400)","borderRadius":"var(--lia-bs-border-radius-sm)","color":"var(--lia-bs-body-color)","hoverColor":"var(--lia-bs-body-color)","fontWeight":"var(--lia-font-weight-md)","fontSize":"var(--lia-font-size-xxs)","textTransform":"UPPERCASE","letterSpacing":"0.5px","__typename":"TagsThemeSettings"},"toasts": {"borderRadius":"var(--lia-bs-border-radius)","paddingX":"12px","__typename":"ToastsThemeSettings"},"typography": {"fontFamilyBase":"Segoe UI","fontStyleBase":"NORMAL","fontWeightBase":"400","fontWeightLight":"300","fontWeightNormal":"400","fontWeightMd":"500","fontWeightBold [{"source":"SERVER","name":"Segoe UI","styles":[{"style":"NORMAL","weight":"400","__typename":"FontStyleData"}, {"style":"NORMAL","weight":"300","__typename":"FontStyleData"}, {"style":"NORMAL","weight":"600","__typename":"FontStyleData"}, {"style":"NORMAL","weight":"700","__typename":"FontStyleData"}, {"style":"ITALIC","weight":"400","__typename":"FontStyleData"}],"assetNames":["SegoeUI-normal-400.woff2","SegoeUI-normal-300.woff2","SegoeUI-normal-600.woff2","SegoeUI-normal-700.woff2","SegoeUI-italic-400.woff2"],"__typename":"CustomFont"},{"source":"SERVER","name":"MWF Fluent Icons","styles": [{"style":"NORMAL","weight":"400","__typename":"FontStyleData"}],"assetNames":["MWFFluentIcons-normal-400.woff2"],"__typename":"CustomFont"}],"__typename":"TypographyThemeSettings"},"unstyledListItem": {"marginBottomSm":"5px","marginBottomMd":"10px","marginBottomLg":"15px","marginBottomXl":"20px","marginBottomXxl":"25px","__typename" {"light":"#ffffff","dark":"#000000","__typename":"YiqThemeSettings"},"colorLightness": {"primaryDark":0.36,"primaryLight":0.74,"primaryLighter":0.89,"primaryLightest":0.95,"infoDark":0.39,"infoLight":0.72,"infoLighter":0.85,"infoLighte shared/client/components/common/Loading/LoadingDot-1775111751244": {"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Loading/LoadingDot-1775111751244","value": {"title":"Loading..."},"localOverride":false},"CachedAsset:quilt:o365.prod:pages/blogs/BlogMessagePage:board:MicrosoftSentinelBlog-1775111749391": {"__typename":"CachedAsset","id":"quilt:o365.prod:pages/blogs/BlogMessagePage:board:MicrosoftSentinelBlog-1775111749391","value":{"id":"BlogMessagePage","container":{"id":"Common","headerProps": {"backgroundImageProps":null,"backgroundColor":null,"addComponents":null,"removeComponents": ["community.widget.bannerWidget"],"componentOrder":null,"__typename":"QuiltContainerSectionProps"},"headerComponentProps": {"community.widget.breadcrumbWidget": {"disableLastCrumbForDesktop":false}},"footerProps":null,"footerComponentProps":null,"items":[{"id":"blog-article","layout":"ONE_COLUMN","bgColor":null,"showTitle":null,"showDescription":null,"textPosition":null,"textColor":null,"sectionEditLevel":"LOC {"main":[{"id":"blogs.widget.blogArticleWidget","className":"lia-blog-container","props":null,"__typename":"QuiltComponent"}],"__typename":"OneSectionColumns"}},{"id":"section-1729184836777","layout":"MAIN_SIDE","bgColor":"transparent","showTitle":false,"showDescription":false,"textPosition":"CENTER","textColor":"var -lia-bs-body-color)","sectionEditLevel":null,"bgImage":null,"disableSpacing":null,"edgeToEdgeDisplay":null,"fullHeight":null,"showBorder":null,"__typename":"Ma {"main":[],"side":[{"id":"custom.widget.UnregisteredCTAWidget","className":null,"props": {"widgetVisibility":"anonymousOnly","useTitle":true,"useBackground":false,"title":"","lazyLoad":false,"widgetChooser":"custom.widget.UnregisteredCT components/common/EmailVerification-1775111751244":{"__typename":"CachedAsset","id":"text:en_US-components/common/EmailVerification-1775111751244","value":{"email.verification.title":"Email Verification Required","email.verification.message.update.email":"To participate in the community, you must first verify your email address. The verification email was sent to {email}. To change your email, visit My Settings.","email.verification.message.resend.email":"To participate in the community, you must first verify your email address. The verification email was sent to {email}. Resend email."},"localOverride":false},"CachedAsset:text:en_US-pages/blogs/BlogMessagePage-1775111751244":{"__typename":"CachedAsset","id":"text:en_US-pages/blogs/BlogMessagePage-1775111751244","value":{"title":"{contextMessageSubject} | {communityTitle}","errorMissing":"This blog post cannot be found","name":"Blog Message Page","section.blog-article.title":"Blog Post","archivedMessageTitle":"This Content Has Been Archived","section.section-1729184836777.title":"","section.section-1729184836777.description":"","section.CncIde.title":"Blog Post","section.tifEmD.description":"","section.tifEmD.title":""},"localOverride":false},"CachedAsset:quiltWrapper:o365.prod:Common:1775111734980" {"__typename":"CachedAsset","id":"quiltWrapper:o365.prod:Common:1775111734980","value": {"id":"Common","header":{"backgroundImageProps": {"assetName":null,"backgroundSize":"COVER","backgroundRepeat":"NO_REPEAT","backgroundPosition":"CENTER_CENTER","lastModified":null," [{"id":"community.widget.navbarWidget","props": {"showUserName":true,"showRegisterLink":true,"useIconLanguagePicker":true,"useLabelLanguagePicker":true,"style": {"boxShadow":"var(--lia-bs-box-shadow-sm)","linkFontWeight":"400","controllerHighlightColor":"hsla(30, 100%, 50%)","dropdownDividerMarginBottom":"10px","hamburgerBorderHover":"none","linkFontSize":"14px","linkBoxShadowHover":"none","backgroundO -lia-border-radius-50)","hamburgerBgColor":"transparent","linkTextBorderBottom":"none","hamburgerColor":"var(--lia-nav-controller-icon-color)","brandLogoHeight":"30px","linkLetterSpacing":"normal","linkBgHoverColor":"transparent","collapseMenuDividerOpacity":0.16,"paddingBottom solid var(--lia-bs-border-color)","hamburgerBorder":"none","dropdownPaddingX":"10px","brandMarginRightSm":"10px","linkBoxShadow":"none","linkJustifyContent":"flex-start","linkColor":"var(--lia-bs-body-color)","collapseMenuDividerBg":"var(--lia-nav-link-https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 16 of 29 color)","dropdownPaddingTop":"10px","controllerTextColor":"var(--lia-nav-controller-icon-color)","controllerHighlightTextColor":"var(--lia-yiq-dark)","background":{"imageAssetName":"","color":"var(--lia-bs-white)","size":"COVER","repeat":"NO_REPEAT","position":"CENTER_CENTER","imageLastModified":""},"linkBorderRadius":"var(- -lia-bs-border-radius-sm)","linkHoverColor":"var(--lia-bs-body-color)","position":"FIXED","linkBorder":"none","linkTextBorderBottomHover":"2px solid var(--lia-bs-primary)","brandMarginRight":"30px","hamburgerHoverColor":"var(--lia-nav-controller-icon-color)","linkBorderHover":"none","collapseMenuMarginLeft":"20px","linkFontStyle":"NORMAL","linkPaddingX":"10px","controllerTextHoverColor": -lia-nav-controller-icon-hover-color)","paddingTop":"15px","linkPaddingY":"5px","linkTextTransform":"NONE","dropdownBorderColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","controllerBgHoverColor":"hsla(var(--lia-bs-black-h), var(-- lia-bs-black-s), var(--lia-bs-black-l), 0.1)","linkDropdownPaddingX":"var(--lia-nav-link-px)","linkBgColor":"transparent","linkDropdownPaddingY":"9px","controllerIconColor":"var(--lia-bs-body-color)","dropdownDividerMarginTop":"10px","linkGap":"10px","controllerIconHoverColor":"var(--lia-bs-body-color)"},"links":{"sideLinks":[],"logoLinks":[],"mainLinks":[{"children": [],"linkType":"INTERNAL","id":"gxcuf89792","params":{},"routeName":"CommunityPage"},{"children": [],"linkType":"EXTERNAL","id":"community-hub-link","url":"/Directory","target":"SELF"},{"children": [{"linkType":"INTERNAL","id":"Common-microsoft365-link","params": {"categoryId":"microsoft365"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-windows-link","params":{"categoryId":"Windows"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-microsoft-security-link","params":{"categoryId":"microsoft-security"},"routeName":"CategoryPage"}, {"linkType":"INTERNAL","id":"Common-microsoft-teams-link","params": {"categoryId":"MicrosoftTeams"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-azure-link","params":{"categoryId":"Azure"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-content_management-link","params":{"categoryId":"Content_Management"},"routeName":"CategoryPage"}, {"linkType":"INTERNAL","id":"Common-microsoftintune-link","params": {"categoryId":"microsoftintune"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-exchange-link","params":{"categoryId":"Exchange"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-windows-server-link","params":{"categoryId":"Windows-Server"},"routeName":"CategoryPage"}, {"linkType":"INTERNAL","id":"Common-outlook-link","params": {"categoryId":"Outlook"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-microsoft365-copilot-link","params":{"categoryId":"Microsoft365Copilot"},"routeName":"CategoryPage"}, {"linkType":"EXTERNAL","id":"Common_Enntvz-view-all-products-link","url":"/Directory","target":"SELF"}],"linkType":"EXTERNAL","id":"products-link","url":"/","target":"SELF"}, {"children":[{"linkType":"INTERNAL","id":"Common-education-sector-link","params": {"categoryId":"EducationSector"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-partner-community-link","params":{"categoryId":"PartnerCommunity"},"routeName":"CategoryPage"}, {"linkType":"INTERNAL","id":"Common-healthcare-and-life-sciences-link","params": {"categoryId":"HealthcareAndLifeSciences"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-i-t-ops-talk-link","params":{"categoryId":"ITOpsTalk"},"routeName":"CategoryPage"}, {"linkType":"INTERNAL","id":"Common-public-sector-link","params": {"categoryId":"PublicSector"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-microsoftfor-nonprofits-link","params":{"categoryId":"MicrosoftforNonprofits"},"routeName":"CategoryPage"}, {"linkType":"INTERNAL","id":"Common-io-t-link","params":{"categoryId":"IoT"},"routeName":"CategoryPage"}, {"linkType":"INTERNAL","id":"Common-mvp-link","params":{"categoryId":"mvp"},"routeName":"CategoryPage"}, {"linkType":"INTERNAL","id":"Common-microsoft-mechanics-link","params": {"categoryId":"MicrosoftMechanics"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-driving-adoption-link","params":{"categoryId":"DrivingAdoption"},"routeName":"CategoryPage"}, {"linkType":"INTERNAL","id":"Common-microsoft-learn-for-educators-link","params":{"categoryId":"microsoft-learn-for-educators"},"routeName":"CategoryPage"}],"linkType":"EXTERNAL","id":"topics-link","url":"/","target":"SELF"}, {"children":[],"linkType":"EXTERNAL","id":"all-blogs-link","url":"/Blogs","target":"SELF"},{"children": [],"linkType":"EXTERNAL","id":"all-events-link","url":"/Events","target":"SELF"},{"children": [{"linkType":"INTERNAL","id":"Skills-Hub-link","params":{"categoryId":"skills-hub"},"routeName":"CategoryPage"}, {"linkType":"INTERNAL","id":"Skills-Hub-Blog","params":{"boardId":"skills-hub-blog","categoryId":"skills-hub"},"routeName":"BlogBoardPage"},{"linkType":"EXTERNAL","id":"ms-learn-ext-LD","url":"/category/skills-hub? tab=grouphub","target":"BLANK"},{"linkType":"EXTERNAL","id":"ms-learn-ext-dynamics","url":"https://docs.microsoft.com/learn/dynamics365/?WT.mc_id=techcom_header-webpage-m365","target":"BLANK"},{"linkType":"EXTERNAL","id":"ms-learn-ext-m365","url":"https://docs.microsoft.com/learn/m365/?wt.mc_id=techcom_header-webpage-m365","target":"BLANK"}, {"linkType":"EXTERNAL","id":"ms-learn-ext-security","url":"https://docs.microsoft.com/learn/topics/sci/? wt.mc_id=techcom_header-webpage-m365","target":"BLANK"},{"linkType":"EXTERNAL","id":"ms-learn-ext-pp","url":"https://docs.microsoft.com/learn/powerplatform/?wt.mc_id=techcom_header-webpage-powerplatform","target":"BLANK"},{"linkType":"EXTERNAL","id":"ms-learn-ext-github","url":"https://docs.microsoft.com/learn/github/?wt.mc_id=techcom_header-webpage-github","target":"BLANK"}, {"linkType":"EXTERNAL","id":"ms-learn-ext-teams","url":"https://docs.microsoft.com/learn/teams/? https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 17 of 29 wt.mc_id=techcom_header-webpage-teams","target":"BLANK"},{"linkType":"EXTERNAL","id":"ms-learn-ext-net","url":"https://docs.microsoft.com/learn/dotnet/?wt.mc_id=techcom_header-webpage-dotnet","target":"BLANK"}, {"linkType":"EXTERNAL","id":"ms-learn-ext-azure","url":"https://docs.microsoft.com/learn/azure/? WT.mc_id=techcom_header-webpage-m365","target":"BLANK"}],"linkType":"INTERNAL","id":"Skills-Hub","params": {"categoryId":"skills-hub"},"routeName":"CategoryPage"},{"children":[{"linkType":"INTERNAL","id":"Common-community-info-center-link","params":{"categoryId":"Community-Info-Center"},"routeName":"CategoryPage"}, {"linkType":"INTERNAL","id":"Common-usergroups-link","params": {"categoryId":"usergroups"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-community-news-desk-link","params":{"categoryId":"CommunityNewsDesk"},"routeName":"CategoryPage"}, {"linkType":"INTERNAL","id":"Common-microsoft-global-community-initiative-link","params":{"categoryId":"microsoft-global-community-initiative"},"routeName":"CategoryPage"}],"linkType":"INTERNAL","id":"Common-gxcuf89792- community","params": {},"routeName":"CommunityPage"}]},"showSearchIcon":true,"languagePickerStyle":"iconAndLabel"},"__typename":"QuiltComponent"}, {"id":"community.widget.breadcrumbWidget","props":{"backgroundColor":"transparent","linkHighlightColor":"var(--lia-bs-primary)","visualEffects":{"showBottomBorder":true},"linkTextColor":"var(--lia-bs-gray-700)"},"__typename":"QuiltComponent"},{"id":"custom.widget.CommunityBanner","props": {"widgetVisibility":"signedInOrAnonymous","useTitle":true,"usePageWidth":false,"useBackground":false,"title":"","lazyLoad":false},"__typename":"Qu {"id":"custom.widget.ChatbotWidget","props": {"customComponentId":"custom.widget.ChatbotWidget","cDisplay_form":true,"useBackground":false},"__typename":"QuiltComponent"}, {"id":"custom.widget.HeroBanner","props": {"widgetVisibility":"signedInOrAnonymous","usePageWidth":false,"useTitle":true,"cMax_items":3,"useBackground":false,"title":"","lazyLoad":false,"w {"backgroundImageProps": {"assetName":null,"backgroundSize":"COVER","backgroundRepeat":"NO_REPEAT","backgroundPosition":"CENTER_CENTER","lastModified":null," [{"id":"custom.widget.SocialSharing","props": {"widgetVisibility":"signedInOrAnonymous","useTitle":true,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"}, {"id":"custom.widget.MicrosoftFooter","props": {"widgetVisibility":"signedInOrAnonymous","useTitle":true,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"}],"__ty components/common/ActionFeedback-1775111751244":{"__typename":"CachedAsset","id":"text:en_US-components/common/ActionFeedback-1775111751244","value": {"joinedGroupHub.title":"Welcome","joinedGroupHub.message":"You are now a member of this group and are subscribed to updates.","groupHubInviteNotFound.title":"Invitation Not Found","groupHubInviteNotFound.message":"Sorry, we could not find your invitation to the group. The owner may have canceled the invite.","groupHubNotFound.title":"Group Not Found","groupHubNotFound.message":"The grouphub you tried to join does not exist. It may have been deleted.","existingGroupHubMember.title":"Already Joined","existingGroupHubMember.message":"You are already a member of this group.","accountLocked.title":"Account Locked","accountLocked.message":"Your account has been locked due to multiple failed attempts. Try again in {lockoutTime} minutes.","editedGroupHub.title":"Changes Saved","editedGroupHub.message":"Your group has been updated.","leftGroupHub.title":"Goodbye","leftGroupHub.message":"You are no longer a member of this group and will not receive future updates.","deletedGroupHub.title":"Deleted","deletedGroupHub.message":"The group has been deleted.","groupHubCreated.title":"Group Created","groupHubCreated.message":"{groupHubName} is ready to use","accountClosed.title":"Account Closed","accountClosed.message":"The account has been closed and you will now be redirected to the homepage","resetTokenExpired.title":"Reset Password Link has Expired","resetTokenExpired.message":"Try resetting your password again","invalidUrl.title":"Invalid URL","invalidUrl.message":"The URL you're using is not recognized. Verify your URL and try again.","accountClosedForUser.title":"Account Closed","accountClosedForUser.message":"{userName}'s account is closed","inviteTokenInvalid.title":"Invitation Invalid","inviteTokenInvalid.message":"Your invitation to the community has been canceled or expired.","inviteTokenError.title":"Invitation Verification Failed","inviteTokenError.message":"The url you are utilizing is not recognized. Verify your URL and try again","pageNotFound.title":"Access Denied","pageNotFound.message":"You do not have access to this area of the community or it doesn't exist","eventAttending.title":"Responded as Attending","eventAttending.message":"You'll be notified when there's new activity and reminded as the event approaches","eventInterested.title":"Responded as Interested","eventInterested.message":"You'll be notified when there's new activity and reminded as the event approaches","eventNotFound.title":"Event Not Found","eventNotFound.message":"The event you tried to respond to does not exist.","redirectToRelatedPage.title":"Showing Related Content","redirectToRelatedPageForBaseUsers.title":"Showing Related Content","redirectToRelatedPageForBaseUsers.message":"The content you are trying to access is archived","redirectToRelatedPage.message":"The content you are trying to access is archived","relatedUrl.archivalLink.flyoutMessage":"The content you are trying to access is archived View Archived Content"},"localOverride":false},"CachedAsset:component:custom.widget.CommunityBanner-en-us-1775108434074": {"__typename":"CachedAsset","id":"component:custom.widget.CommunityBanner-en-us-1775108434074","value": {"component":{"id":"custom.widget.CommunityBanner","template": {"id":"CommunityBanner","markupLanguage":"REACT","style":null,"texts":null,"defaults":{"config":{"applicablePages": [],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props": [],"__typename":"ComponentProperties"},"components": [{"id":"custom.widget.CommunityBanner","form":null,"config":null,"props": https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 18 of 29 [],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config": {"applicablePages":[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props": [],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":null,"form":null},"localOverride": en-us-1775108434074":{"__typename":"CachedAsset","id":"component:custom.widget.ChatbotWidget-en-us-1775108434074","value":{"component":{"id":"custom.widget.ChatbotWidget","template": {"id":"ChatbotWidget","markupLanguage":"REACT","style":null,"texts":{"chatbot.references.title":"Related Articles","chatbot.welcome.title":"Welcome!","chatbot.welcome.description":"I'm here to help you explore and discover great content.","chatbot.welcome.prompt":"Ask me a question or choose a suggestion below to get started:","chatbot.welcome.cta":"Let's dive in—what would you like to discover today?","chatbot.status.typing":"Assistant is typing…","chatbot.status.error":"error","chatbot.error.response":"Failed to get response. Please try again.","chatbot.error.processing":"There was an error processing your message.","chatbot.error.configuration":"API URL not configured","chatbot.error.network":"Network error occurred. Please check your connection and try again.","chatbot.error.timeout":"Request timed out. Please try again.","chatbot.error.emptyResponse":"I couldn't generate a response. Please try rephrasing your question.","chatbot.buttons.send":"Send","chatbot.buttons.close":"Close chat","chatbot.buttons.newChat":"Start new chat","chatbot.buttons.collapse":"Collapse chat panel","chatbot.buttons.expand":"Expand chat panel","chatbot.buttons.fullscreen":"Enter fullscreen","chatbot.buttons.exitFullscreen":"Exit fullscreen","chatbot.buttons.like":"Like this response","chatbot.buttons.dislike":"Dislike this response","chatbot.buttons.removeLike":"Remove like","chatbot.buttons.removeDislike":"Remove dislike","chatbot.aria.chatInput":"Chat input","chatbot.aria.sendMessage":"Send message","chatbot.aria.openChat":"Open chat assistant","chatbot.aria.closeChat":"Close chat assistant","chatbot.defaults.title":"Ask Tech Community","chatbot.defaults.subtitle":"Ask questions – get answers","chatbot.defaults.entryHeading":"Find answers","chatbot.defaults.entrySubtext":"Ask the agent","chatbot.defaults.placeholder":"Type your message…","chatbot.defaults.initialMessage":"Hi! I'm your assistant. Ask me something or pick a suggestion above to begin.","chatbot.suggestions.findBlogs":"Find insightful blogs","chatbot.suggestions.exploreEvents":"Explore upcoming events","chatbot.suggestions.startJourney":"Start your journey with something new","chatbot.dialog.endConversation":"End conversation","chatbot.dialog.confirmEndConversation":"Do you want to end this conversation and start over?","chatbot.dialog.endConversationButton":"End conversation","chatbot.dialog.cancel":"Cancel","chatbot.error.genericServiceUnavailable":"The service is currently unavailable. Please try again later.","chatbot.error.noResults":"We could not find any information related to your query. Try rephrasing your query."},"defaults":{"config":{"applicablePages": [],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props": [],"__typename":"ComponentProperties"},"components": [{"id":"custom.widget.ChatbotWidget","form":null,"config":null,"props": [],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config": {"applicablePages":[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props": [],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":null,"form":null},"localOverride": en-us-1775108434074":{"__typename":"CachedAsset","id":"component:custom.widget.HeroBanner-en-us-1775108434074","value":{"component":{"id":"custom.widget.HeroBanner","template": {"id":"HeroBanner","markupLanguage":"REACT","style":null,"texts":{"searchPlaceholderText":"Search this community","followActionText":"Follow","unfollowActionText":"Following","searchOnHoverText":"Please enter your search term(s) and then press return key to complete a search.","blogs.sidebar.pagetitle":"Latest Blogs | Microsoft Tech Community","followThisNode":"Follow this node","unfollowThisNode":"Unfollow this node","customField.teamsLink.title":"Microsoft teams link","customField.teamsLink.label":"Teams meeting url"},"defaults":{"config":{"applicablePages": [],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props": [{"id":"max_items","dataType":"NUMBER","list":false,"defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the carousel","possibleValues":null,"control":"INPUT","__typename":"PropDefinition"}],"__typename":"ComponentProperties"},"components": [{"id":"custom.widget.HeroBanner","form":{"fields": [{"id":"widgetChooser","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description {"id":"title","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possi {"id":"useTitle","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":nul {"id":"useBackground","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"descripti {"id":"widgetVisibility","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description {"id":"moreOptions","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":n {"id":"cMax_items","validation":null,"noValidation":null,"dataType":"NUMBER","list":false,"control":"INPUT","defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the carousel","possibleValues":null,"__typename":"FormField"}],"layout":{"rows": [{"id":"widgetChooserGroup","type":"fieldset","as":null,"items": [{"id":"widgetChooser","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant": {"id":"titleGroup","type":"fieldset","as":null,"items":[{"id":"title","className":null,"__typename":"FormFieldRef"}, {"id":"useTitle","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"to {"id":"useBackground","type":"fieldset","as":null,"items": https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 19 of 29 [{"id":"useBackground","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant" {"id":"widgetVisibility","type":"fieldset","as":null,"items": [{"id":"widgetVisibility","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant" {"id":"moreOptionsGroup","type":"fieldset","as":null,"items": [{"id":"moreOptions","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":nu {"id":"componentPropsGroup","type":"fieldset","as":null,"items": [{"id":"cMax_items","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":nu [],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config": {"applicablePages":[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props": [{"id":"max_items","dataType":"NUMBER","list":false,"defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the carousel","possibleValues":null,"control":"INPUT","__typename":"PropDefinition"}],"__typename":"ComponentProperties"},"form": {"fields": [{"id":"widgetChooser","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description {"id":"title","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possi {"id":"useTitle","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":nul {"id":"useBackground","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"descripti {"id":"widgetVisibility","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description {"id":"moreOptions","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":n {"id":"cMax_items","validation":null,"noValidation":null,"dataType":"NUMBER","list":false,"control":"INPUT","defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the carousel","possibleValues":null,"__typename":"FormField"}],"layout":{"rows": [{"id":"widgetChooserGroup","type":"fieldset","as":null,"items": [{"id":"widgetChooser","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant": {"id":"titleGroup","type":"fieldset","as":null,"items":[{"id":"title","className":null,"__typename":"FormFieldRef"}, {"id":"useTitle","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"to {"id":"useBackground","type":"fieldset","as":null,"items": [{"id":"useBackground","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant" {"id":"widgetVisibility","type":"fieldset","as":null,"items": [{"id":"widgetVisibility","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant" {"id":"moreOptionsGroup","type":"fieldset","as":null,"items": [{"id":"moreOptions","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":nu {"id":"componentPropsGroup","type":"fieldset","as":null,"items": [{"id":"cMax_items","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":nu {"fields": [{"id":"widgetChooser","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description {"id":"title","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possi {"id":"useTitle","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":nul {"id":"useBackground","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"descripti {"id":"widgetVisibility","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description {"id":"moreOptions","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":n {"id":"cMax_items","validation":null,"noValidation":null,"dataType":"NUMBER","list":false,"control":"INPUT","defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the carousel","possibleValues":null,"__typename":"FormField"}],"layout":{"rows": [{"id":"widgetChooserGroup","type":"fieldset","as":null,"items": [{"id":"widgetChooser","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant": {"id":"titleGroup","type":"fieldset","as":null,"items":[{"id":"title","className":null,"__typename":"FormFieldRef"}, {"id":"useTitle","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"to {"id":"useBackground","type":"fieldset","as":null,"items": [{"id":"useBackground","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant" {"id":"widgetVisibility","type":"fieldset","as":null,"items": [{"id":"widgetVisibility","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant" {"id":"moreOptionsGroup","type":"fieldset","as":null,"items": [{"id":"moreOptions","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":nu {"id":"componentPropsGroup","type":"fieldset","as":null,"items": [{"id":"cMax_items","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":nu en-us-1775108434074":{"__typename":"CachedAsset","id":"component:custom.widget.UnregisteredCTAWidget-en-us-1775108434074","value":{"component":{"id":"custom.widget.UnregisteredCTAWidget","template": {"id":"UnregisteredCTAWidget","markupLanguage":"REACT","style":null,"texts":{"register.communityHub":"Welcome to the {name} Community Hub. Sign in to like, participate, or start a conversation.","register.category":"Welcome to the {name} Community Hub. Sign in to like, participate, or start a conversation.","register.discussionBoard":"Welcome to the {name} space. Sign in to like, reply, or start a discussion.","register.blogSpace":"Welcome to the {name} space. Sign in to like or comment on articles in this space.","register.eventSpace":"Welcome to the {name} space. Sign in to RSVP, add events to your calendar, and join the conversation.","register.ideaSpace":"Welcome to the {name} space. Sign in to vote, https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 20 of 29 comment, or submit your own feedback.","buttonRegister":"Sign in","register.discussionBoardArticle":"Have a question or insight to share? Sign in to join the discussion.","register.blogSpaceArticle":"Enjoying the article? Sign in to share your thoughts.","register.eventSpaceArticle":"Don’t just watch - take part. Sign in to RSVP, ask questions, and join the discussion.","register.ideaSpaceArticle":"Sign in to submit ideas, upvote ideas, and join the conversation."},"defaults": {"config":{"applicablePages": [],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props": [],"__typename":"ComponentProperties"},"components": [{"id":"custom.widget.UnregisteredCTAWidget","form":null,"config":null,"props": [],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config": {"applicablePages":[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props": [],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":null,"form":null},"localOverride": en-us-1775108434074":{"__typename":"CachedAsset","id":"component:custom.widget.SocialSharing-en-us-1775108434074","value":{"component":{"id":"custom.widget.SocialSharing","template": {"id":"SocialSharing","markupLanguage":"HANDLEBARS","style":".sharePage {\n display: flex;\n justify-content: center;\n background: #d7d7d7;\n padding: 0px;\n height: 60px;\n}\n.singleSocialIcons {\n display: flex;\n gap: 12px;\n list-style-type: none;\n padding: 0px;\n margin: 0;\n}\n.containers {\n display: flex;\n gap: 30px;\n}\n\n.listIcon {\n align-content: center;\n}\n.headingShare {\n display: inline;\n margin-right: 25px;\n margin-bottom: 0px;\n font-size: 20px;\n font-weight: 550;\n align-content: center;\n}\n\n@media (max-width: 990px) {\n .sharePage {\n display: flex;\n justify-content: center;\n }\n\n .containers {\n display: inline-block;\n justify-content: center;\n align-content: center;\n align-items: center;\n }\n .headingShare {\n display: flex;\n justify-content: center;\n }\n .singleSocialIcons {\n }\n}\n","texts":null,"defaults":{"config":{"applicablePages":[],"description":"Adds buttons to share to various social media websites","fetchedContent":null,"__typename":"ComponentConfiguration"},"props": [],"__typename":"ComponentProperties"},"components": [{"id":"custom.widget.SocialSharing","form":null,"config":null,"props": [],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config": {"applicablePages":[],"description":"Adds buttons to share to various social media websites","fetchedContent":null,"__typename":"ComponentConfiguration"},"props": [],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss": {"css":".custom_widget_SocialSharing_sharePage_6x3n8_1 {\n display: flex;\n justify-content: center;\n background: #d7d7d7;\n padding: 0;\n height: 3.75rem;\n}\n.custom_widget_SocialSharing_singleSocialIcons_6x3n8_8 {\n display: flex;\n gap: 0.75rem;\n list-style-type: none;\n padding: 0;\n margin: 0;\n}\n.custom_widget_SocialSharing_containers_6x3n8_15 {\n display: flex;\n gap: 1.875rem;\n}\n.custom_widget_SocialSharing_listIcon_6x3n8_20 {\n align-content: center;\n}\n.custom_widget_SocialSharing_headingShare_6x3n8_23 {\n display: inline;\n margin-right: 1.5625rem;\n margin-bottom: 0;\n font-size: 1.25rem;\n font-weight: 550;\n align-content: center;\n}\n@media (max-width: 990px) {\n .custom_widget_SocialSharing_sharePage_6x3n8_1 {\n display: flex;\n justify-content: center;\n }\n\n .custom_widget_SocialSharing_containers_6x3n8_15 {\n display: inline-block;\n justify-content: center;\n align-content: center;\n align-items: center;\n }\n .custom_widget_SocialSharing_headingShare_6x3n8_23 {\n display: flex;\n justify-content: center;\n }\n .custom_widget_SocialSharing_singleSocialIcons_6x3n8_8 {\n }\n}\n","tokens": {"sharePage":"custom_widget_SocialSharing_sharePage_6x3n8_1","singleSocialIcons":"custom_widget_SocialSharing_singleSocialIcons_6x3n8_8","co en-us-1775108434074":{"__typename":"CachedAsset","id":"component:custom.widget.MicrosoftFooter-en-us-1775108434074","value":{"component":{"id":"custom.widget.MicrosoftFooter","template": {"id":"MicrosoftFooter","markupLanguage":"HANDLEBARS","style":".context-uhf {\r\n min-width: 280px;\r\n font-size: 15px;\r\n box-sizing: border-box;\r\n -ms-text-size-adjust: 100%;\r\n -webkit-text-size-adjust: 100%;\r\n & *,\r\n & *:before,\r\n & *:after {\r\n box-sizing: inherit;\r\n }\r\n a.c-uhff-link {\r\n color: #616161;\r\n word-break: break-word;\r\n text-decoration: none;\r\n }\r\n &a:link,\r\n &a:focus,\r\n &a:hover,\r\n &a:active,\r\n &a:visited {\r\n text-decoration: none;\r\n color: inherit;\r\n }\r\n & div {\r\n font-family: 'Segoe UI', SegoeUI, 'Helvetica Neue', Helvetica, Arial, sans-serif;\r\n }\r\n}\r\n.c-uhff {\r\n background: #f2f2f2;\r\n margin: -1.5625;\r\n width: auto;\r\n height: auto;\r\n}\r\n.c-uhff-nav {\r\n margin: 0 auto;\r\n max-width: calc(1600px + 10%);\r\n padding: 0 5%;\r\n box-sizing: inherit;\r\n &:before,\r\n &:after {\r\n content: ' ';\r\n display: table;\r\n clear: left;\r\n }\r\n @media only screen and (max-width: 1083px) {\r\n padding-left: 12px;\r\n }\r\n .c-heading-4 {\r\n color: #616161;\r\n word-break: break-word;\r\n font-size: 15px;\r\n line-height: 20px;\r\n padding: 36px 0 4px;\r\n font-weight: 600;\r\n }\r\n .c-uhff-nav-row {\r\n .c-uhff-nav-group {\r\n display: block;\r\n float: left;\r\n min-height: 1px;\r\n vertical-align: text-top;\r\n padding: 0 12px;\r\n width: 100%;\r\n zoom: 1;\r\n &:first-child {\r\n padding-left: 0;\r\n @media only screen and (max-width: 1083px) {\r\n padding-left: 12px;\r\n }\r\n }\r\n @media only screen and (min-width: 540px) and (max-width: 1082px) {\r\n width: 33.33333%;\r\n }\r\n @media only screen and (min-width: 1083px) {\r\n width: 16.6666666667%;\r\n }\r\n ul.c-list.f-bare {\r\n font-size: 11px;\r\n line-height: 16px;\r\n margin-top: 0;\r\n margin-bottom: 0;\r\n padding-left: 0;\r\n list-style-type: none;\r\n li {\r\n word-break: break-word;\r\n padding: 8px 0;\r\n margin: 0;\r\n }\r\n }\r\n }\r\n }\r\n}\r\n.c-uhff-base {\r\n background: #f2f2f2;\r\n margin: 0 auto;\r\n max-width: calc(1600px + 10%);\r\n padding: 30px 5% 16px;\r\n &:before,\r\n &:after {\r\n content: ' ';\r\n display: table;\r\n }\r\n &:after {\r\n clear: both;\r\n }\r\n a.c-uhff-ccpa,\r\n a.c-uhff-consumer {\r\n display: flex;\r\n float: left;\r\n font-size: 11px;\r\n line-height: 16px;\r\n padding: 4px 24px 0 0;\r\n }\r\n a.c-uhff-ccpa:hover,\r\n a.c-uhff-consumer:hover {\r\n text-decoration: underline;\r\n }\r\n ul.c-list {\r\n font-size: 11px;\r\n line-height: 16px;\r\n float: right;\r\n margin: 3px 0;\r\n color: #616161;\r\n li {\r\n padding: 0 24px 4px 0;\r\n display: inline-block;\r\n }\r\n }\r\n .c-list.f-bare {\r\n padding-left: 0;\r\n list-style-type: none;\r\n }\r\n @media only screen and (max-width: 1083px) {\r\n https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 21 of 29 display: flex;\r\n flex-wrap: wrap;\r\n padding: 30px 24px 16px;\r\n }\r\n}\r\n\r\n.social-share {\r\n position: fixed;\r\n top: 60%;\r\n transform: translateY(-50%);\r\n left: 0;\r\n z-index: 1000;\r\n}\r\n\r\n.sharing-options {\r\n list-style: none;\r\n padding: 0;\r\n margin: 0;\r\n display: block;\r\n flex-direction: column;\r\n background-color: white;\r\n width: 50px;\r\n border-radius: 0px 7px 7px 0px;\r\n}\r\n.linkedin-icon {\r\n border-top-right-radius: 7px;\r\n}\r\n.linkedin-icon:hover {\r\n border-radius: 0;\r\n}\r\n\r\n.social-share-email-image:hover {\r\n border-radius: 0;\r\n}\r\n\r\n.social-link-footer:hover .linkedin-icon {\r\n border-radius: 0;\r\n}\r\n.social-link-footer:hover .social-share-email-image {\r\n border-radius: 0;\r\n}\r\n\r\n.social-link-footer img {\r\n width: 30px;\r\n height: auto;\r\n transition: filter 0.3s ease;\r\n}\r\n\r\n.social-share-list {\r\n width: 50px;\r\n}\r\n.social-share-rss-image {\r\n width: 30px;\r\n height: auto;\r\n transition: filter 0.3s ease;\r\n}\r\n.sharing-options li {\r\n width: 50px;\r\n height: 50px;\r\n padding: 8px;\r\n box-sizing: border-box;\r\n border: 2px solid white;\r\n display: inline-block;\r\n text-align: center;\r\n opacity: 1;\r\n visibility: visible;\r\n transition: border 0.3s ease; /* Smooth transition effect */\r\n border-left: none;\r\n border-bottom: none; /* Apply bottom border to only last item */\r\n}\r\n\r\n.social-share-list-linkedin {\r\n background-color: #0474b4;\r\n border-top-right-radius: 5px; /* Rounded top right corner of first item*/\r\n}\r\n.social-share-list-facebook {\r\n background-color: #3c5c9c;\r\n}\r\n.social-share-list-xicon {\r\n background-color: #000;\r\n}\r\n.social-share-list-reddit {\r\n background-color: #fc4404;\r\n}\r\n.social-share-list-bluesky {\r\n background-color: #f0f2f5;\r\n}\r\n.social-share-list-rss {\r\n background-color: #ec7b1c;\r\n}\r\n.social-share-list-mail {\r\n background-color: #848484;\r\n border-bottom-right-radius: 5px; /* Rounded bottom right corner of last item*/\r\n}\r\n.sharing-options li.social-share-list-mail {\r\n border-bottom: 2px solid white; /* Add bottom border only to the last item */\r\n height: 52px; /* Increase last child height to make in align with the hover label */\r\n}\r\n.x-icon {\r\n filter: invert(100%);\r\n transition: filter 0.3s ease;\r\n width: 20px !important;\r\n height: auto;\r\n padding-top: 5px !important;\r\n}\r\n.bluesky-icon {\r\n filter: invert(20%) sepia(100%) saturate(3000%) hue-rotate(180deg);\r\n transition: filter 0.3s ease;\r\n padding-top: 5px !important;\r\n width: 25px !important;\r\n}\r\n\r\n.share-icon {\r\n border: 2px solid transparent;\r\n display: inline-block;\r\n position: relative;\r\n}\r\n\r\n.sharing-options li:hover {\r\n border: 2px solid white;\r\n border-left: none;\r\n border-bottom: none;\r\n border-radius: 0px;\r\n}\r\n.sharing-options li.social-share-list-mail:hover {\r\n border-bottom: 2px solid white; /* Add bottom border only to the last item */\r\n}\r\n\r\n.sharing-options li:hover .label {\r\n opacity: 1;\r\n visibility: visible;\r\n border: 2px solid white;\r\n box-sizing: border-box;\r\n border-left: none;\r\n}\r\n\r\n.label {\r\n position: absolute;\r\n left: 100%;\r\n white-space: nowrap;\r\n opacity: 0;\r\n visibility: hidden;\r\n transition: all 0.2s ease;\r\n color: white;\r\n border-radius: 0 10 0 10px;\r\n top: 50%;\r\n transform: translateY(-50%);\r\n height: 52px;\r\n display: flex;\r\n align-items: center;\r\n justify-content: center;\r\n padding: 10px 12px 15px 8px;\r\n border: 2px solid white;\r\n}\r\n.linkedin {\r\n background-color: #0474b4;\r\n border-top-right-radius: 5px; /* Rounded top right corner of first item*/\r\n}\r\n.facebook {\r\n background-color: #3c5c9c;\r\n}\r\n.twitter {\r\n background-color: black;\r\n color: white;\r\n}\r\n.reddit {\r\n background-color: #fc4404;\r\n}\r\n.mail {\r\n background-color: #848484;\r\n border-bottom-right-radius: 5px; /* Rounded bottom right corner of last item*/\r\n}\r\n.bluesky {\r\n background-color: #f0f2f5;\r\n color: black;\r\n}\r\n.rss {\r\n background-color: #ec7b1c;\r\n}\r\n\r\n@media (max-width: 991px) {\r\n .social-share {\r\n display: none;\r\n }\r\n}\r\n","texts":{"heading.whatsNew":"What's new","heading.store":"Microsoft Store","heading.education":"Education","heading.business":"Business","heading.developer":"Developer & IT","heading.company":"Company","link.whatsNew.surfacePro":"Surface Pro","aria.whatsNew.surfacePro":"Surface Pro What's new","link.whatsNew.surfaceLaptop":"Surface Laptop","aria.whatsNew.surfaceLaptop":"Surface Laptop What's new","link.whatsNew.surfaceLaptopStudio2":"Surface Laptop Studio 2","aria.whatsNew.surfaceLaptopStudio2":"Surface Laptop Studio 2 What's new","link.whatsNew.copilotOrganizations":"Copilot for organizations","aria.whatsNew.copilotOrganizations":"Copilot for organizations What's new","link.whatsNew.copilotPersonal":"Copilot for personal use","aria.whatsNew.copilotPersonal":"Copilot for personal use What's new","link.whatsNew.aiInWindows":"AI in Windows","aria.whatsNew.aiInWindows":"AI in Windows What's new","link.whatsNew.exploreProducts":"Explore Microsoft products","aria.whatsNew.exploreProducts":"Explore Microsoft products What's new","link.whatsNew.windows11Apps":"Windows 11 apps","aria.whatsNew.windows11Apps":"Windows 11 apps What's new","link.store.accountProfile":"Account profile","aria.store.accountProfile":"Account profile Microsoft Store","link.store.downloadCenter":"Download Center","aria.store.downloadCenter":"Download Center Microsoft Store","link.store.support":"Microsoft Store support","aria.store.support":"Microsoft Store support Microsoft Store","link.store.returns":"Returns","aria.store.returns":"Returns Microsoft Store","link.store.orderTracking":"Order tracking","aria.store.orderTracking":"Order tracking Microsoft Store","link.store.certifiedRefurbished":"Certified Refurbished","aria.store.certifiedRefurbished":"Certified Refurbished Microsoft Store","link.store.promise":"Microsoft Store Promise","aria.store.promise":"Microsoft Store Promise Microsoft Store","link.store.flexiblePayments":"Flexible Payments","aria.store.flexiblePayments":"Flexible Payments Microsoft Store","link.education.microsoftInEducation":"Microsoft in education","aria.education.microsoftInEducation":"Microsoft in education Education","link.education.devices":"Devices for education","aria.education.devices":"Devices for education Education","link.education.teams":"Microsoft Teams for Education","aria.education.teams":"Microsoft Teams for Education Education","link.education.m365":"Microsoft 365 Education","aria.education.m365":"Microsoft 365 Education Education","link.education.howToBuy":"How to buy for your school","aria.education.howToBuy":"How to buy for your school Education","link.education.training":"Educator training and development","aria.education.training":"Educator training and development Education","link.education.deals":"Deals for students and parents","aria.education.deals":"Deals for students and parents Education","link.education.ai":"AI for education","aria.education.ai":"AI for education Education","link.business.microsoftAi":"Microsoft AI","aria.business.microsoftAi":"Microsoft AI Business","link.business.security":"Microsoft Security","aria.business.security":"Microsoft Security Business","link.business.dynamics":"Dynamics 365","aria.business.dynamics":"Dynamics 365 https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 22 of 29 Business","link.business.m365":"Microsoft 365","aria.business.m365":"Microsoft 365 Business","link.business.powerPlatform":"Microsoft Power Platform","aria.business.powerPlatform":"Microsoft Power Platform Business","link.business.teams":"Microsoft Teams","aria.business.teams":"Microsoft Teams Business","link.business.m365Copilot":"Microsoft 365 Copilot","aria.business.m365Copilot":"Microsoft 365 Copilot Business","link.business.smallBusiness":"Small Business","aria.business.smallBusiness":"Small Business Business","link.developer.azure":"Azure","aria.developer.azure":"Azure Developer & IT","link.developer.developerCenter":"Microsoft Developer","aria.developer.developerCenter":"Microsoft Developer Developer & IT","link.developer.learn":"Microsoft Learn","aria.developer.learn":"Microsoft Learn Developer & IT","link.developer.aiMarketplace":"Support for AI marketplace apps","aria.developer.aiMarketplace":"Support for AI marketplace apps Developer & IT","link.developer.techCommunity":"Microsoft Tech Community","aria.developer.techCommunity":"Microsoft Tech Community Developer & IT","link.developer.marketplace":"Microsoft Marketplace","aria.developer.marketplace":"Microsoft Marketplace Developer & IT","link.developer.marketplaceRewards":"Marketplace Rewards","aria.developer.marketplaceRewards":"Marketplace Rewards Developer & IT","link.developer.visualStudio":"Visual Studio","aria.developer.visualStudio":"Visual Studio Developer & IT","link.company.careers":"Careers","aria.company.careers":"Careers Company","link.company.about":"About Microsoft","aria.company.about":"About Microsoft Company","link.company.news":"Company news","aria.company.news":"Company news Company","link.company.privacy":"Privacy at Microsoft","aria.company.privacy":"Privacy at Microsoft Company","link.company.investors":"Investors","aria.company.investors":"Investors Company","link.company.diversity":"Diversity and inclusion","aria.company.diversity":"Diversity and inclusion Company","link.company.accessibility":"Accessibility","aria.company.accessibility":"Accessibility Company","link.company.sustainability":"Sustainability","aria.company.sustainability":"Sustainability Company","ccpa.label":"Your Privacy Choices","consumerhealthprivacy.label":"Consumer Health Privacy","corp.sitemap":"Sitemap","corp.contact":"Contact Microsoft","corp.privacy":"Privacy","corp.manageCookies":"Manage cookies","corp.terms":"Terms of use","corp.trademarks":"Trademarks","corp.safetyEco":"Safety & eco","corp.recycling":"Recycling","corp.aboutAds":"About our ads","corp.microsoft":"Microsoft","social.linkedin.alt":"Share to LinkedIn","social.linkedin.label":"Share on LinkedIn","social.facebook.alt":"Share to Facebook","social.facebook.label":"Share on Facebook","social.x.alt":"Share to X","social.x.label":"Share on X","social.reddit.alt":"Share to Reddit","social.reddit.label":"Share on Reddit","social.bluesky.alt":"Share to Blue Sky","social.bluesky.label":"Share on Bluesky","social.rss.alt":"Subscribe to RSS","social.rss.label":"Share on RSS","social.email.alt":"Share to Email","social.email.label":"Share on Email"},"defaults":{"config":{"applicablePages":[],"description":"The Microsoft Footer","fetchedContent":null,"__typename":"ComponentConfiguration"},"props": [],"__typename":"ComponentProperties"},"components": [{"id":"custom.widget.MicrosoftFooter","form":null,"config":null,"props": [],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config": {"applicablePages":[],"description":"The Microsoft Footer","fetchedContent":null,"__typename":"ComponentConfiguration"},"props": [],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss": {"css":".custom_widget_MicrosoftFooter_context-uhf_qp4x5_1 {\r\n min-width: 17.5rem;\r\n font-size: 0.9375rem;\r\n box-sizing: border-box;\r\n -ms-text-size-adjust: 100%;\r\n -webkit-text-size-adjust: 100%;\r\n & *,\r\n & *:before,\r\n & *:after {\r\n box-sizing: inherit;\r\n }\r\n a.custom_widget_MicrosoftFooter_c-uhff-link_qp4x5_23 {\r\n color: #616161;\r\n word-break: break-word;\r\n text-decoration: none;\r\n }\r\n &a:link,\r\n &a:focus,\r\n &a:hover,\r\n &a:active,\r\n &a:visited {\r\n text-decoration: none;\r\n color: inherit;\r\n }\r\n & div {\r\n font-family: 'Segoe UI', SegoeUI, 'Helvetica Neue', Helvetica, Arial, sans-serif;\r\n }\r\n}\r\n.custom_widget_MicrosoftFooter_c-uhff_qp4x5_23 {\r\n background: #f2f2f2;\r\n margin: -1.5625;\r\n width: auto;\r\n height: auto;\r\n}\r\n.custom_widget_MicrosoftFooter_c-uhff-nav_qp4x5_69 {\r\n margin: 0 auto;\r\n max-width: calc(100rem + 10%);\r\n padding: 0 5%;\r\n box-sizing: inherit;\r\n &:before,\r\n &:after {\r\n content: ' ';\r\n display: table;\r\n clear: left;\r\n }\r\n @media only screen and (max-width: 1083px) {\r\n padding-left: 0.75rem;\r\n }\r\n .custom_widget_MicrosoftFooter_c-heading-4_qp4x5_97 {\r\n color: #616161;\r\n word-break: break-word;\r\n font-size: 0.9375rem;\r\n line-height: 1.25rem;\r\n padding: 2.25rem 0 0.25rem;\r\n font-weight: 600;\r\n }\r\n .custom_widget_MicrosoftFooter_c-uhff-nav-row_qp4x5_113 {\r\n .custom_widget_MicrosoftFooter_c-uhff-nav-group_qp4x5_115 {\r\n display: block;\r\n float: left;\r\n min-height: 0.0625rem;\r\n vertical-align: text-top;\r\n padding: 0 0.75rem;\r\n width: 100%;\r\n zoom: 1;\r\n &:first-child {\r\n padding-left: 0;\r\n @media only screen and (max-width: 1083px) {\r\n padding-left: 0.75rem;\r\n }\r\n }\r\n @media only screen and (min-width: 540px) and (max-width: 1082px) {\r\n width: 33.33333%;\r\n }\r\n @media only screen and (min-width: 1083px) {\r\n width: 16.6666666667%;\r\n }\r\n ul.custom_widget_MicrosoftFooter_c-list_qp4x5_155.custom_widget_MicrosoftFooter_f-bare_qp4x5_155 {\r\n font-size: 0.6875rem;\r\n line-height: 1rem;\r\n margin-top: 0;\r\n margin-bottom: 0;\r\n padding-left: 0;\r\n list-style-type: none;\r\n li {\r\n word-break: break-word;\r\n padding: 0.5rem 0;\r\n margin: 0;\r\n }\r\n }\r\n }\r\n }\r\n}\r\n.custom_widget_MicrosoftFooter_c-uhff-base_qp4x5_187 {\r\n background: #f2f2f2;\r\n margin: 0 auto;\r\n max-width: calc(100rem + 10%);\r\n padding: 1.875rem 5% 1rem;\r\n &:before,\r\n &:after {\r\n content: ' ';\r\n display: table;\r\n }\r\n &:after {\r\n clear: both;\r\n }\r\n a.custom_widget_MicrosoftFooter_c-uhff-ccpa_qp4x5_213,\r\n a.custom_widget_MicrosoftFooter_c-uhff-consumer_qp4x5_215 {\r\n display: flex;\r\n float: left;\r\n font-size: 0.6875rem;\r\n line-height: 1rem;\r\n padding: 0.25rem https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 23 of 29 1.5rem 0 0;\r\n }\r\n a.custom_widget_MicrosoftFooter_c-uhff-ccpa_qp4x5_213:hover,\r\n a.custom_widget_MicrosoftFooter_c-uhff-consumer_qp4x5_215:hover {\r\n text-decoration: underline;\r\n }\r\n ul.custom_widget_MicrosoftFooter_c-list_qp4x5_155 {\r\n font-size: 0.6875rem;\r\n line-height: 1rem;\r\n float: right;\r\n margin: 0.1875rem 0;\r\n color: #616161;\r\n li {\r\n padding: 0 1.5rem 0.25rem 0;\r\n display: inline-block;\r\n }\r\n }\r\n .custom_widget_MicrosoftFooter_c-list_qp4x5_155.custom_widget_MicrosoftFooter_f-bare_qp4x5_155 {\r\n padding-left: 0;\r\n list-style-type: none;\r\n }\r\n @media only screen and (max-width: 1083px) {\r\n display: flex;\r\n flex-wrap: wrap;\r\n padding: 1.875rem 1.5rem 1rem;\r\n }\r\n}\r\n.custom_widget_MicrosoftFooter_social-share_qp4x5_281 {\r\n position: fixed;\r\n top: 60%;\r\n transform: translateY(-50%);\r\n left: 0;\r\n z-index: 1000;\r\n}\r\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 {\r\n list-style: none;\r\n padding: 0;\r\n margin: 0;\r\n display: block;\r\n flex-direction: column;\r\n background-color: white;\r\n width: 3.125rem;\r\n border-radius: 0 0.4375rem 0.4375rem 0;\r\n}\r\n.custom_widget_MicrosoftFooter_linkedin-icon_qp4x5_317 {\r\n border-top-right-radius: 7px;\r\n}\r\n.custom_widget_MicrosoftFooter_linkedin-icon_qp4x5_317:hover {\r\n border-radius: 0;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-email-image_qp4x5_331:hover {\r\n border-radius: 0;\r\n}\r\n.custom_widget_MicrosoftFooter_social-link-footer_qp4x5_339:hover .custom_widget_MicrosoftFooter_linkedin-icon_qp4x5_317 {\r\n border-radius: 0;\r\n}\r\n.custom_widget_MicrosoftFooter_social-link-footer_qp4x5_339:hover .custom_widget_MicrosoftFooter_social-share-email-image_qp4x5_331 {\r\n border-radius: 0;\r\n}\r\n.custom_widget_MicrosoftFooter_social-link-footer_qp4x5_339 img {\r\n width: 1.875rem;\r\n height: auto;\r\n transition: filter 0.3s ease;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list_qp4x5_365 {\r\n width: 3.125rem;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-rss-image_qp4x5_371 {\r\n width: 1.875rem;\r\n height: auto;\r\n transition: filter 0.3s ease;\r\n}\r\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 li {\r\n width: 3.125rem;\r\n height: 3.125rem;\r\n padding: 0.5rem;\r\n box-sizing: border-box;\r\n border: 2px solid white;\r\n display: inline-block;\r\n text-align: center;\r\n opacity: 1;\r\n visibility: visible;\r\n transition: border 0.3s ease; /* Smooth transition effect */\r\n border-left: none;\r\n border-bottom: none; /* Apply bottom border to only last item */\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list-linkedin_qp4x5_411 {\r\n background-color: #0474b4;\r\n border-top-right-radius: 5px; /* Rounded top right corner of first item*/\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list-facebook_qp4x5_419 {\r\n background-color: #3c5c9c;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list-xicon_qp4x5_425 {\r\n background-color: #000;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list-reddit_qp4x5_431 {\r\n background-color: #fc4404;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list-bluesky_qp4x5_437 {\r\n background-color: #f0f2f5;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list-rss_qp4x5_443 {\r\n background-color: #ec7b1c;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list-mail_qp4x5_449 {\r\n background-color: #848484;\r\n border-bottom-right-radius: 5px; /* Rounded bottom right corner of last item*/\r\n}\r\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 li.custom_widget_MicrosoftFooter_social-share-list-mail_qp4x5_449 {\r\n border-bottom: 2px solid white; /* Add bottom border only to the last item */\r\n height: 3.25rem; /* Increase last child height to make in align with the hover label */\r\n}\r\n.custom_widget_MicrosoftFooter_x-icon_qp4x5_465 {\r\n filter: invert(100%);\r\n transition: filter 0.3s ease;\r\n width: 1.25rem !important;\r\n height: auto;\r\n padding-top: 0.3125rem !important;\r\n}\r\n.custom_widget_MicrosoftFooter_bluesky-icon_qp4x5_479 {\r\n filter: invert(20%) sepia(100%) saturate(3000%) hue-rotate(180deg);\r\n transition: filter 0.3s ease;\r\n padding-top: 0.3125rem !important;\r\n width: 1.5625rem !important;\r\n}\r\n.custom_widget_MicrosoftFooter_share-icon_qp4x5_493 {\r\n border: 2px solid transparent;\r\n display: inline-block;\r\n position: relative;\r\n}\r\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 li:hover {\r\n border: 2px solid white;\r\n border-left: none;\r\n border-bottom: none;\r\n border-radius: 0;\r\n}\r\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 li.custom_widget_MicrosoftFooter_social-share-list-mail_qp4x5_449:hover {\r\n border-bottom: 2px solid white; /* Add bottom border only to the last item */\r\n}\r\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 li:hover .custom_widget_MicrosoftFooter_label_qp4x5_525 {\r\n opacity: 1;\r\n visibility: visible;\r\n border: 2px solid white;\r\n box-sizing: border-box;\r\n border-left: none;\r\n}\r\n.custom_widget_MicrosoftFooter_label_qp4x5_525 {\r\n position: absolute;\r\n left: 100%;\r\n white-space: nowrap;\r\n opacity: 0;\r\n visibility: hidden;\r\n transition: all 0.2s ease;\r\n color: white;\r\n border-radius: 0 10 0 0.625rem;\r\n top: 50%;\r\n transform: translateY(-50%);\r\n height: 3.25rem;\r\n display: flex;\r\n align-items: center;\r\n justify-content: center;\r\n padding: 0.625rem 0.75rem 0.9375rem 0.5rem;\r\n border: 2px solid white;\r\n}\r\n.custom_widget_MicrosoftFooter_linkedin_qp4x5_317 {\r\n background-color: #0474b4;\r\n border-top-right-radius: 5px; /* Rounded top right corner of first item*/\r\n}\r\n.custom_widget_MicrosoftFooter_facebook_qp4x5_585 {\r\n background-color: #3c5c9c;\r\n}\r\n.custom_widget_MicrosoftFooter_twitter_qp4x5_591 {\r\n background-color: black;\r\n color: white;\r\n}\r\n.custom_widget_MicrosoftFooter_reddit_qp4x5_599 {\r\n background-color: #fc4404;\r\n}\r\n.custom_widget_MicrosoftFooter_mail_qp4x5_605 {\r\n background-color: #848484;\r\n border-bottom-right-radius: 5px; /* Rounded bottom right corner of last item*/\r\n}\r\n.custom_widget_MicrosoftFooter_bluesky_qp4x5_479 {\r\n background-color: #f0f2f5;\r\n color: black;\r\n}\r\n.custom_widget_MicrosoftFooter_rss_qp4x5_621 {\r\n background-color: #ec7b1c;\r\n}\r\n@media (max-width: 991px) {\r\n .custom_widget_MicrosoftFooter_social-share_qp4x5_281 {\r\n display: none;\r\n }\r\n}\r\n","tokens": {"context-uhf":"custom_widget_MicrosoftFooter_context-uhf_qp4x5_1","c-uhff-link":"custom_widget_MicrosoftFooter_c-uhff-link_qp4x5_23","c-uhff":"custom_widget_MicrosoftFooter_c-uhff_qp4x5_23","c-uhff-nav":"custom_widget_MicrosoftFooter_c-uhff-nav_qp4x5_69","c-heading-4":"custom_widget_MicrosoftFooter_c-heading-4_qp4x5_97","c-uhff-nav-row":"custom_widget_MicrosoftFooter_c-uhff-nav-row_qp4x5_113","c-uhff-nav-group":"custom_widget_MicrosoftFooter_c-uhff-nav-group_qp4x5_115","c-list":"custom_widget_MicrosoftFooter_c-https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 24 of 29 list_qp4x5_155","f-bare":"custom_widget_MicrosoftFooter_f-bare_qp4x5_155","c-uhff-base":"custom_widget_MicrosoftFooter_c-uhff-base_qp4x5_187","c-uhff-ccpa":"custom_widget_MicrosoftFooter_c-uhff-ccpa_qp4x5_213","c-uhff-consumer":"custom_widget_MicrosoftFooter_c-uhff-consumer_qp4x5_215","social-share":"custom_widget_MicrosoftFooter_social-share_qp4x5_281","sharing-options":"custom_widget_MicrosoftFooter_sharing-options_qp4x5_297","linkedin-icon":"custom_widget_MicrosoftFooter_linkedin-icon_qp4x5_317","social-share-email-image":"custom_widget_MicrosoftFooter_social-share-email-image_qp4x5_331","social-link-footer":"custom_widget_MicrosoftFooter_social-link-footer_qp4x5_339","social-share-list":"custom_widget_MicrosoftFooter_social-share-list_qp4x5_365","social-share-rss-image":"custom_widget_MicrosoftFooter_social-share-rss-image_qp4x5_371","social-share-list-linkedin":"custom_widget_MicrosoftFooter_social-share-list-linkedin_qp4x5_411","social-share-list-facebook":"custom_widget_MicrosoftFooter_social-share-list-facebook_qp4x5_419","social-share-list-xicon":"custom_widget_MicrosoftFooter_social-share-list-xicon_qp4x5_425","social-share-list-reddit":"custom_widget_MicrosoftFooter_social-share-list-reddit_qp4x5_431","social-share-list-bluesky":"custom_widget_MicrosoftFooter_social-share-list-bluesky_qp4x5_437","social-share-list-rss":"custom_widget_MicrosoftFooter_social-share-list-rss_qp4x5_443","social-share-list-mail":"custom_widget_MicrosoftFooter_social-share-list-mail_qp4x5_449","x-icon":"custom_widget_MicrosoftFooter_x-icon_qp4x5_465","bluesky-icon":"custom_widget_MicrosoftFooter_bluesky-icon_qp4x5_479","share-icon":"custom_widget_MicrosoftFooter_share-icon_qp4x5_493","label":"custom_widget_MicrosoftFooter_label_qp4x5_525","linkedin":"custom_widget_MicrosoftFooter_linkedin_qp4x5_317","faceb components/community/Breadcrumb-1775111751244":{"__typename":"CachedAsset","id":"text:en_US-components/community/Breadcrumb-1775111751244","value":{"navLabel":"Breadcrumbs","dropdown":"Additional parent page navigation"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageBanner-1775111751244":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageBanner-1775111751244","value":{"messageMarkedAsSpam":"This post has been marked as spam","messageMarkedAsSpam@board:TKB":"This article has been marked as spam","messageMarkedAsSpam@board:BLOG":"This post has been marked as spam","messageMarkedAsSpam@board:FORUM":"This discussion has been marked as spam","messageMarkedAsSpam@board:OCCASION":"This event has been marked as spam","messageMarkedAsSpam@board:IDEA":"This idea has been marked as spam","manageSpam":"Manage Spam","messageMarkedAsAbuse":"This post has been marked as abuse","messageMarkedAsAbuse@board:TKB":"This article has been marked as abuse","messageMarkedAsAbuse@board:BLOG":"This post has been marked as abuse","messageMarkedAsAbuse@board:FORUM":"This discussion has been marked as abuse","messageMarkedAsAbuse@board:OCCASION":"This event has been marked as abuse","messageMarkedAsAbuse@board:IDEA":"This idea has been marked as abuse","preModCommentAuthorText":"This comment will be published as soon as it is approved","preModCommentModeratorText":"This comment is awaiting moderation","messageMarkedAsOther":"This post has been rejected due to other reasons","messageMarkedAsOther@board:TKB":"This article has been rejected due to other reasons","messageMarkedAsOther@board:BLOG":"This post has been rejected due to other reasons","messageMarkedAsOther@board:FORUM":"This discussion has been rejected due to other reasons","messageMarkedAsOther@board:OCCASION":"This event has been rejected due to other reasons","messageMarkedAsOther@board:IDEA":"This idea has been rejected due to other reasons","messageArchived":"This post was archived on {date}","relatedUrl":"View Related Content","relatedContentText":"Showing related content","archivedContentLink":"View Archived Content"},"localOverride":false},"Category:category:Exchange": {"__typename":"Category","id":"category:Exchange","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:Outlook": {"__typename":"Category","id":"category:Outlook","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:Community-Info-Center": {"__typename":"Category","id":"category:Community-Info-Center","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:EducationSector": {"__typename":"Category","id":"category:EducationSector","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:DrivingAdoption": {"__typename":"Category","id":"category:DrivingAdoption","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:Azure": {"__typename":"Category","id":"category:Azure","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:Windows-Server": {"__typename":"Category","id":"category:Windows-Server","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftTeams": https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 25 of 29 {"__typename":"Category","id":"category:MicrosoftTeams","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:PublicSector": {"__typename":"Category","id":"category:PublicSector","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:microsoft365": {"__typename":"Category","id":"category:microsoft365","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:IoT": {"__typename":"Category","id":"category:IoT","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:HealthcareAndLifeSciences": {"__typename":"Category","id":"category:HealthcareAndLifeSciences","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:ITOpsTalk": {"__typename":"Category","id":"category:ITOpsTalk","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftMechanics": {"__typename":"Category","id":"category:MicrosoftMechanics","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftforNonprofits": {"__typename":"Category","id":"category:MicrosoftforNonprofits","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:PartnerCommunity": {"__typename":"Category","id":"category:PartnerCommunity","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:Microsoft365Copilot": {"__typename":"Category","id":"category:Microsoft365Copilot","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:Windows": {"__typename":"Category","id":"category:Windows","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:Content_Management": {"__typename":"Category","id":"category:Content_Management","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:CommunityNewsDesk": {"__typename":"Category","id":"category:CommunityNewsDesk","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:microsoft-learn-for-educators": {"__typename":"Category","id":"category:microsoft-learn-for-educators","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:mvp": {"__typename":"Category","id":"category:mvp","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:microsoftintune": {"__typename":"Category","id":"category:microsoftintune","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:microsoft-global-community-initiative": {"__typename":"Category","id":"category:microsoft-global-community-initiative","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:usergroups": {"__typename":"Category","id":"category:usergroups","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Category:category:skills-hub": {"__typename":"Category","id":"category:skills-hub","categoryPolicies": {"__typename":"CategoryPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"Blog:board:skills-hub-blog": {"__typename":"Blog","id":"board:skills-hub-blog","blogPolicies":{"__typename":"BlogPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode": {"__typename":"PolicyResult","failureReason":null}}},"CachedAsset:text:en_US-components/community/Navbar-1775111751244":{"__typename":"CachedAsset","id":"text:en_US-components/community/Navbar-1775111751244","value":{"community":"Community Home","inbox":"Inbox","manageContent":"Manage Content","tos":"Terms of Service","forgotPassword":"Forgot Password","themeEditor":"Theme Editor","edit":"Edit Navigation Bar","skipContent":"Skip to content","gxcuf89792":"Tech Community","windows-server":"Windows Server","ms-learn-ext-security":"Microsoft Security","Common_Enntvz-i-t-ops-talk-link":"ITOps Talk","education-sector":"Education Sector","Common-external-link-9":"Microsoft 365","Common-external-link-8":"Dynamics https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 26 of 29 365","Common-external-link-7":"Skilling Room Directory","Common-external-link-6":"Events","Common-external-link-5":"Blogs","Common-external-link-4":"View All","Common-gxcuf89792-community":"Community","Common-external-link-3":"Topics","microsoft365":"Microsoft 365","Common_Enntvz-community-news-desk-link":"Community News Desk","Common_Enntvz-azure-link":"Azure","Common-community-info-center-link":"Lounge","azure":"Azure","Common_Enntvz-windows-link":"Windows","Common_Enntvz-education-sector-link":"Education Sector","Common-windows-server-link":"Windows Server","products-link":"Products","Common_Enntvz-partner-community-link":"Microsoft Partner Community","microsoft-learn-blog":"Blog","Common-external-link-2":"View All","community-hub-link":"Community Hubs","Common-mvp-link":"Microsoft MVP Program","community-info-center":"Lounge","microsoft-endpoint-manager":"Microsoft Intune","startupsat-microsoft":"Startups at Microsoft","ms-learn-ext-azure":"Azure","Common_Enntvz-content_management-link":"Content Management","ms-learn-ext-github":"Github","Common-microsoft365- link":"Microsoft 365","Common-i-t-ops-talk-link":"ITOps Talk","Common_Enntvz-view-all-products-link":"View All","Common-microsoft-global-community-initiative-link":"Microsoft Global Community Initiative (MGCI)","all-events-link":"Events","Common_Enntvz-microsoft-learn-for-educators-link":"Microsoft Learn for Educators","Common-external-link":"Community Hubs","Common-partner-community-link":"Microsoft Partner Community","Common-microsoft-learn-for-educators-link":"Microsoft Learn for Educators","Common_Enntvz-microsoft-teams-link":"Microsoft Teams","driving-adoption":"Driving Adoption","microsoft-learn":"Microsoft Learn","Common-healthcare-and-life-sciences-link":"Healthcare and Life Sciences","planner":"Outlook","Common_Enntvz-exchange-link":"Exchange","healthcare-and-life-sciences":"Healthcare and Life Sciences","Common-external-link-10":"View All","Common-driving-adoption-link":"Driving Adoption","ms-learn-ext-pp":"Power Platform","Common_Enntvz-windows-server-link":"Windows Server","Common-io-t-link":"Internet of Things (IoT)","Skills-Hub":"Skills Hub","microsoft-teams":"Microsoft Teams","Common-outlook-link":"Outlook","Common_Enntvz-public-sector-link":"Public Sector","Common-windows-link":"Windows","all-blogs-link":"Blogs","communities":"Products","Common_Enntvz-usergroups-link":"User Groups","Common_Enntvz-microsoft-global-community-initiative-link":"Microsoft Global Community Initiative (MGCI)","Skills-Hub-link":"Community","Common_Enntvz-io-t-link":"Internet of Things (IoT)","ms-learn-ext-m365":"Microsoft 365","Common_Enntvz-microsoft-mechanics-link":"Microsoft Mechanics","microsoft-learn-community":"Community","partner-community":"Microsoft Partner Community","Common-microsoft-mechanics-link":"Microsoft Mechanics","Common_Enntvz-healthcare-and-life-sciences-link":"Healthcare and Life Sciences","microsoft-mechanics":"Microsoft Mechanics","Common-microsoft-security-link":"Microsoft Security","Common-education-sector-link":"Education Sector","Skills-Hub-Blog":"Blog","i-t-ops-talk":"ITOps Talk","microsoft-securityand-compliance":"Microsoft Security","Common_Enntvz-microsoftintune-link":"Microsoft Intune","Common-azure-link":"Azure","Common-microsoftintune-link":"Microsoft Intune","Common_Enntvz-view-all-topics-link":"View All","Common-usergroups-link":"User Groups","Common-public-sector-link":"Public Sector","Common_Enntvz-microsoft-security-link":"Microsoft Security","Common_Enntvz-outlook-link":"Outlook","Common_Enntvz-mvp-link":"Microsoft MVP Program","exchange":"Exchange","topics-link":"Topics","io-t":"Internet of Things (IoT)","Common-microsoft365-copilot-link":"Microsoft 365 Copilot","Common-microsoft-teams-link":"Microsoft Teams","s-m-b":"Nonprofit Community","Common_Enntvz-community-info-center-link":"Lounge","Common_Enntvz-microsoft365-copilot-link":"Microsoft 365 Copilot","Common_Enntvz-microsoftfor-nonprofits-link":"Nonprofit Community","Common_Enntvz-microsoft365-link":"Microsoft 365","Common-content_management-link":"Content Management","ms-learn-ext-teams":"Teams","s-q-l-server":"Content Management","products-services":"Products","Common-community-news-desk-link":"Community News Desk","ms-learn-ext-LD":"Skilling Room Directory","Common-exchange-link":"Exchange","Common-gxcuf89792-link":"Tech Community","windows":"Windows","public-sector":"Public Sector","Common_Enntvz-driving-adoption-link":"Driving Adoption","Common-microsoftfor-nonprofits-link":"Nonprofit Community","ms-learn-ext-net":".NET","ms-learn-ext-dynamics":"Dynamics 365","a-i":"AI and Machine Learning","outlook":"Microsoft 365 Copilot"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarHamburgerDropdown-1775111751244":{"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarHamburgerDropdown-1775111751244","value":{"hamburgerLabelOpen":"Open Side Menu","hamburgerLabelClose":"Close Side Menu"},"localOverride":false},"CachedAsset:text:en_US-components/community/BrandLogo-1775111751244": {"__typename":"CachedAsset","id":"text:en_US-components/community/BrandLogo-1775111751244","value": {"logoAlt":"Khoros","themeLogoAlt":"Brand Logo","linkAriaLabel":"Go to community home page"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarTextLinks-1775111751244": {"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarTextLinks-1775111751244","value": {"more":"More"},"localOverride":false},"CachedAsset:text:en_US-components/search/SpotlightSearchIcon-1775111751244":{"__typename":"CachedAsset","id":"text:en_US-components/search/SpotlightSearchIcon-1775111751244","value":{"search":"Search"},"localOverride":false},"CachedAsset:text:en_US-components/authentication/AuthenticationLink-1775111751244":{"__typename":"CachedAsset","id":"text:en_US-components/authentication/AuthenticationLink-1775111751244","value":{"title.login":"Sign In","title.registration":"Register","title.forgotPassword":"Forgot Password","title.multiAuthLogin":"Sign In"},"localOverride":false},"CachedAsset:text:en_US-components/nodes/NodeLink-1775111751244": {"__typename":"CachedAsset","id":"text:en_US-components/nodes/NodeLink-1775111751244","value":{"place":"Go back to {name}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageView/MessageViewStandard-1775111751244":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageView/MessageViewStandard-1775111751244","value": https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 27 of 29 {"anonymous":"Anonymous","author":"{messageAuthorLogin}","authorBy":"{messageAuthorLogin}","board":" {messageBoardTitle}","replyToUser":" to {parentAuthor}","showMoreReplies":"Show More","replyText":"Reply","repliesText":"Replies","markedAsSolved":"Marked as Solution","messageStatus":"Status: ","statusChanged":"Status changed: {previousStatus} to {currentStatus}","statusAdded":"Status added: {status}","statusRemoved":"Status removed: {status}","labelExpand":"expand replies","labelCollapse":"collapse replies","unhelpfulReason.reason1":"Content is outdated","unhelpfulReason.reason2":"Article is missing information","unhelpfulReason.reason3":"Content is for a different Product","unhelpfulReason.reason4":"Doesn't match what I was searching for"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageReplyCallToAction-1775111751244":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageReplyCallToAction-1775111751244","value":{"leaveReply":"Leave a reply...","leaveReply@board:BLOG@message:root":"Leave a comment...","leaveReply@board:TKB@message:root":"Leave a comment...","leaveReply@board:IDEA@message:root":"Leave a comment...","leaveReply@board:OCCASION@message:root":"Leave a comment...","repliesTurnedOff.FORUM":"Replies are turned off for this topic","repliesTurnedOff.BLOG":"Comments are turned off for this topic","repliesTurnedOff.TKB":"Comments are turned off for this topic","repliesTurnedOff.IDEA":"Comments are turned off for this topic","repliesTurnedOff.OCCASION":"Comments are turned off for this topic","infoText":"Stop poking me!"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarDropdownToggle-1775111751244":{"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarDropdownToggle-1775111751244","value":{"ariaLabelClosed":"Press the down arrow to open the menu"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageCoverImage-1775111751244": {"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageCoverImage-1775111751244","value": {"coverImageTitle":"Cover Image"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/nodes/NodeTitle-1775111751244":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeTitle-1775111751244","value":{"nodeTitle":"{nodeTitle, select, community {Community} other {{nodeTitle}}} "},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageTimeToRead-1775111751244":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageTimeToRead-1775111751244","value":{"minReadText":"{min} MIN READ"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageSubject-1775111751244": {"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageSubject-1775111751244","value": {"noSubject":"(no subject)"},"localOverride":false},"CachedAsset:text:en_US-components/users/UserLink-1775111751244":{"__typename":"CachedAsset","id":"text:en_US-components/users/UserLink-1775111751244","value": {"authorName":"View Profile: {author}","anonymous":"Anonymous","ariaLabel.rank":"Rank: {rankName}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/users/UserRank-1775111751244":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/users/UserRank-1775111751244","value":{"rankName":"{rankName}","userRank":"Author rank {rankName}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageTime-1775111751244": {"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageTime-1775111751244","value": {"postTime":"Published: {time}","lastPublishTime":"Last Update: {time}","conversation.lastPostingActivityTime":"Last posting activity time: {time}","conversation.lastPostTime":"Last post time: {time}","moderationData.rejectTime":"Rejected time: {time}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageBody-1775111751244": {"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageBody-1775111751244","value": {"showMessageBody":"Show More","mentionsErrorTitle":"{mentionsType, select, board {Board} user {User} message {Message} other {}} No Longer Available","mentionsErrorMessage":"The {mentionsType} you are trying to view has been removed from the community.","videoProcessing":"Video is being processed. Please try again in a few minutes.","bannerTitle":"Video provider requires cookies to play the video. Accept to continue or {url} it directly on the provider's site.","buttonTitle":"Accept","urlText":"watch"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageCustomFields-1775111751244":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageCustomFields-1775111751244","value":{"CustomField.default.label":"Value of {name}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageRevision-1775111751244": {"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageRevision-1775111751244","value": {"lastUpdatedDatePublished":"{publishCount, plural, one{Published} other{Updated}} {date}","lastUpdatedDateDraft":"Created {date}","version":"Version {major}. {minor}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/QueryHandler-1775111751244":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/QueryHandler-1775111751244","value":{"title":"Query Handler"},"localOverride":false},"CachedAsset:text:en_US-components/tags/TagList-1775111751244":{"__typename":"CachedAsset","id":"text:en_US-components/tags/TagList-1775111751244","value":{"showMoreFor":"Show more for {title}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageReplyButton-1775111751244":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageReplyButton-1775111751244","value":{"repliesCount":" {count}","title":"Reply","title@board:BLOG@message:root":"Comment","title@board:TKB@message:root":"Comment","title@board:IDEA@message: components/messages/MessageAuthorBio-1775111751244":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageAuthorBio-1775111751244","value":{"sendMessage":"Send Message","actionMessage":"Follow this blog board to get notified when there's new activity","coAuthor":"CO-https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 28 of 29 PUBLISHER","contributor":"CONTRIBUTOR","userProfile":"View Profile","iconlink":"Go to {name} {type}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/users/UserAvatar-1775111751244": {"__typename":"CachedAsset","id":"text:en_US-shared/client/components/users/UserAvatar-1775111751244","value": {"altText":"{login}'s avatar","altTextGeneric":"User's avatar"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/ranks/UserRankLabel-1775111751244":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/ranks/UserRankLabel-1775111751244","value":{"altTitle":"Icon for {rankName} rank"},"localOverride":false},"CachedAsset:text:en_US-components/users/UserRegistrationDate-1775111751244": {"__typename":"CachedAsset","id":"text:en_US-components/users/UserRegistrationDate-1775111751244","value": {"noPrefix":"{date}","withPrefix":"Joined {date}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/nodes/NodeAvatar-1775111751244":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeAvatar-1775111751244","value":{"altTitle":"Node avatar for {nodeTitle}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/nodes/NodeDescription-1775111751244":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeDescription-1775111751244","value":{"description":"{description}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/nodes/NodeIcon-1775111751244":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeIcon-1775111751244","value":{"contentType":"Content Type {style, select, FORUM {Forum} BLOG {Blog} TKB {Knowledge Base} IDEA {Ideas} OCCASION {Events} other {}} icon"},"localOverride":false}}}},"page":"/blogs/BlogMessagePage/BlogMessagePage","query": {"boardId":"microsoftsentinelblog","messageSubject":"web-shell-threat-hunting-with-azure-sentinel","messageId":"2234968"},"buildId":"VXuOn2D5MfObWEiRanLQ9","runtimeConfig": {"buildInformationVisible":false,"logLevelApp":"info","logLevelMetrics":"info","surveysEnabled":true,"openTelemetry": {"clientEnabled":false,"configName":"o365","serviceVersion":"26.1.0","universe":"prod","collector":"http://localhost:4318","logLevel":"error","routeCha ["components_community_Navbar_NavbarWidget","components_community_Breadcrumb_BreadcrumbWidget","components_customComponent_Custo [{"id":"analytics","src":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/pagescripts/1751476272000/analytics.js? page.id=BlogMessagePage&entity.id=board%3Amicrosoftsentinelblog&entity.id=message%3A2234968","strategy":"afterInteractive"}]} Source: https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 Page 29 of 29