Query Details

Webshell Posts

Query

//Looking for suspicious posts

W3CIISLog
| where csUriStem == "/autodiscover/autodiscover.json"
| where csUriQuery has "PowerShell"
| where csMethod == "POST"

Explanation

This query searches W3CIISLog, the IIS request log table, for suspicious POST requests. It keeps only entries whose csUriStem is exactly "/autodiscover/autodiscover.json", whose csUriQuery contains the term "PowerShell", and whose csMethod is "POST". A legitimate Autodiscover request has no reason to carry the PowerShell endpoint in its query string; this request shape is the one used to reach the Exchange PowerShell backend through the Autodiscover front end (the ProxyShell path-confusion chain), which is how webshells were dropped on Exchange servers in August 2021. Two operator details matter when tuning it: has is a case-insensitive whole-term match, so "powershell" in a query string matches but "PowerShellHost" does not; == on csUriStem is case-sensitive, so a request logged as /Autodiscover/Autodiscover.json is not matched, and =~ should be used there if a case-insensitive match is wanted.

Details


Rod Trent

Released: August 13, 2021

Tables

W3CIISLog

Keywords

W3CIISLog,csUriStem,csUriQuery,PowerShell,csMethod,POST

Operators

| summarize count() by csUriStem, csUriQuery, csMethod