Hunts Webshell deployments on internet-facing servers by analyzing web directory file creations, web server process anomalies, and HTTP patterns. Useful for threat hunting, incident response, and security assessments.
- Use when proactively hunting for indicators of webshell activity in the environment
Detects webshells in web servers by scanning high-entropy files, suspicious PHP/JSP/ASP patterns (eval, base64_decode, system, passthru), recent web root modifications, and abnormal file sizes using Shannon entropy and regex.
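The file-based checks described above (Shannon entropy, suspicious PHP/JSP/ASP call patterns, recent web root modifications, abnormal file sizes), as an added example in Python that is not part of this skill or its listing. The thresholds, the call names beyond eval/base64_decode/system/passthru, and the sample web root are assumptions constructed for the example.

```python
import math, os, re, tempfile, time
from collections import Counter

# Call names come from the skill description (eval, base64_decode, system, passthru);
# shell_exec/exec and every threshold below are assumptions chosen for this example.
SUSPICIOUS_RE = re.compile(r"\b(eval|base64_decode|system|passthru|shell_exec|exec)\s*\(", re.I)
WEB_EXTS = (".php", ".phtml", ".jsp", ".asp", ".aspx")
ENTROPY_THRESHOLD = 5.0  # bits/byte; plain source usually sits near 4.0-4.8, base64 blobs near 6
RECENT_SECONDS = 86400   # "recent web root modification" = changed in the last 24 hours

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encoded payloads score high."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def score_file(path: str) -> dict:
    """Combine the four indicators from the skill description into one score."""
    with open(path, "rb") as fh:
        data = fh.read()
    text = data.decode("utf-8", errors="replace")
    f = {
        "suspicious_calls": sorted({m.group(1).lower() for m in SUSPICIOUS_RE.finditer(text)}),
        "entropy": round(shannon_entropy(data), 2),
        "recently_modified": time.time() - os.path.getmtime(path) < RECENT_SECONDS,
        "abnormal_size": not 64 <= len(data) <= 1_000_000,  # assumed "normal" size range
    }
    f["score"] = (2 * len(f["suspicious_calls"]) + 2 * (f["entropy"] > ENTROPY_THRESHOLD)
                  + f["recently_modified"] + f["abnormal_size"])
    return f

def hunt_webroot(root: str, min_score: int = 3) -> list:
    # Walk the web root; return (relative path, findings) for files scoring >= min_score
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(WEB_EXTS):
                path = os.path.join(dirpath, name)
                f = score_file(path)
                if f["score"] >= min_score:
                    hits.append((os.path.relpath(path, root), f))
    return sorted(hits, key=lambda h: -h[1]["score"])

def demo_webroot() -> str:
    """Constructed sample web root: a benign page plus a file with shell-like calls."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php\n$title = 'Welcome';\necho '<h1>' . htmlspecialchars($title) . '</h1>';\n" * 3)
    with open(os.path.join(root, "cache.php"), "w") as fh:  # fixture only; $x and $cmd are undefined
        fh.write("<?php /* constructed fixture */ eval(base64_decode($x)); system($cmd); passthru($cmd); ?>")
    return root
```

Run `hunt_webroot("/var/www/html")` against a real web root to list files by score; tune the thresholds to the application's own baseline before treating a hit as a finding.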
| Concept | Description |
|---|---|
| T1505.003 | Web Shell |
| T1190 | Exploit Public-Facing Application |
| T1059.001 | PowerShell |

| Tool | Purpose |
|---|---|
| CrowdStrike Falcon | EDR telemetry and threat detection |
| Microsoft Defender for Endpoint | KQL-based advanced hunting |
| Splunk Enterprise | SIEM log analysis with SPL queries |
| Elastic Security | Detection rules and investigation timelines |
| Sysmon | Detailed Windows event monitoring |
| Velociraptor | Endpoint artifact collection and hunting |
| Sigma Rules | Cross-platform detection rule format |
Hunt ID: TH-HUNTIN-[date]-[sequence]
Technique: T1505.003
Host: [hostname]
User: [account context]
Evidence: [log entries, process tree, network data]
Risk level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended actions: [containment, investigation, monitoring]