Asr Web Shell On Server Audited Query
Query
DeviceEvents
| where ActionType == 'AsrWebShellOnServerAudited'About this query
Rule : Web shell Detection on exchange servers with ASR
Description
This query detects events where a web shell on a server has been audited by the Advanced Security Audit Policy (ASR). Web shells are malicious scripts that enable remote administration on web servers, often used by attackers for persistent access and to execute arbitrary commands.
Detection Logic
Monitors DeviceEvents for occurrences where the ActionType is 'AsrWebShellOnServerAudited'.
Tags
- ASR
- Web Shell
- Server Security
- Auditing
Search Query
Explanation
Summary of the Query
Purpose
This query is designed to detect web shells on Exchange servers by leveraging the Advanced Security Audit Policy (ASR).
What It Does
- Monitors Security Events: It looks at device events to find instances where a web shell has been audited.
- Specific Action Type: It specifically searches for events where the
ActionTypeis'AsrWebShellOnServerAudited'.
Why It Matters
Web shells are malicious scripts used by attackers to gain persistent access and execute commands on web servers. Detecting these can help in identifying and mitigating potential security breaches.
Query Breakdown
DeviceEvents
| where ActionType == 'AsrWebShellOnServerAudited'
- DeviceEvents: The dataset containing various device-related events.
- Filter Condition: The query filters these events to only include those where the
ActionTypeis'AsrWebShellOnServerAudited'.
Tags
- ASR: Advanced Security Audit Policy
- Web Shell: Malicious scripts for remote administration
- Server Security: Focus on securing servers
- Auditing: Monitoring and logging security-related events
This query helps in identifying potential security threats by detecting web shells on Exchange servers using ASR auditing.
Details

Ali Hussein
Released: July 18, 2024
Tables
Keywords
Operators