Query Details

Asr Web Shell On Server Audited Query

Query

## Rule: Web Shell Detection on Exchange Servers with ASR

### Description
This query detects events where a web shell on a server has been audited by the Advanced Security Audit Policy (ASR). Web shells are malicious scripts that enable remote administration on web servers, often used by attackers for persistent access and to execute arbitrary commands.

- [Microsoft documentation on ASR](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings)

### Detection Logic
Monitors `DeviceEvents` for occurrences where the `ActionType` is `'AsrWebShellOnServerAudited'`.

### Tags
- ASR
- Web Shell
- Server Security
- Auditing

### Search Query
```kql
DeviceEvents
| where ActionType == 'AsrWebShellOnServerAudited'
```

Explanation

Summary of the Query

Purpose

This query is designed to detect web shells on Exchange servers by leveraging the Advanced Security Audit Policy (ASR).

What It Does

  • Monitors Security Events: It looks at device events to find instances where a web shell has been audited.
  • Specific Action Type: It specifically searches for events where the ActionType is 'AsrWebShellOnServerAudited'.

Why It Matters

Web shells are malicious scripts used by attackers to gain persistent access and execute commands on web servers. Detecting these can help in identifying and mitigating potential security breaches.

Query Breakdown

```kql
DeviceEvents
| where ActionType == 'AsrWebShellOnServerAudited'
```
  • DeviceEvents: The dataset containing various device-related events.
  • Filter Condition: The query filters these events to only include those where the ActionType is 'AsrWebShellOnServerAudited'.
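The breakdown above covers the one-line filter, which returns every audit event but none of the context needed to decide whether a hit is a real web shell. The following hunting variant is an added example, not the page's query and not part of any Microsoft-supplied rule set: it keeps the same `ActionType` filter, adds the `AsrWebShellOnServerBlocked` event that the same rule produces when switched from audit to block mode, and projects the file that was written and the process that wrote it from the standard `DeviceEvents` columns. The seven-day lookback, the column aliases, and the path keywords used for ranking are assumptions chosen for this example.

```kql
// Added hunting variant of the page's query (example code, not the original).
// An *Audited* event means the ASR rule was in audit mode: the file was
// allowed to be created and only logged, so every hit still needs triage.
let lookback = 7d;   // assumed window; widen for historical hunts
DeviceEvents
| where Timestamp > ago(lookback)
// Audit-mode event from the page plus the block-mode event of the same rule
| where ActionType in~ ('AsrWebShellOnServerAudited', 'AsrWebShellOnServerBlocked')
| project Timestamp, DeviceName, ActionType,
          // File the rule flagged as a web shell being written
          WebShellPath      = strcat(FolderPath, @'\', FileName),
          FileSHA256        = SHA256,
          // Process that performed the write; for Exchange this is typically
          // the IIS worker process when an HTTP request dropped the file
          WriterProcess     = InitiatingProcessFileName,
          WriterCommandLine = InitiatingProcessCommandLine,
          WriterAccount     = InitiatingProcessAccountName,
          ReportId, AdditionalFields
// Ranking heuristics (assumed): a file written by w3wp.exe into Exchange or
// IIS web content folders is the highest-priority pattern to review first.
| extend WrittenByIis     = WriterProcess =~ 'w3wp.exe'
| extend InWebContentPath = WebShellPath has_any ('inetpub', @'FrontEnd\HttpProxy', @'owa\auth', @'\ecp\')
| order by WrittenByIis desc, InWebContentPath desc, Timestamp desc
```

Run the query in Advanced Hunting; the `ReportId` and `Timestamp` pair lets you pivot to the device timeline for the flagged write, and `FileSHA256` can be checked against `DeviceFileEvents` to see whether the same file appeared on other servers. Because the page's rule runs in audit mode, a zero-result query over a long window is also informative: it either confirms the rule is deployed with no hits or reveals that the ASR rule is not enabled on the Exchange servers at all.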

Tags

  • ASR: Advanced Security Audit Policy
  • Web Shell: Malicious scripts for remote administration
  • Server Security: Focus on securing servers
  • Auditing: Monitoring and logging security-related events

This query helps in identifying potential security threats by detecting web shells on Exchange servers using ASR auditing.

Details

Ali Hussein

Released: July 18, 2024

Tables

DeviceEvents

Keywords

DeviceEvents, Server Security, Auditing, ASR, Web Shell

Operators

|, where, ==