Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Identify SysAid Server web shell creation

RulenameIdentify SysAid Server web shell creation
DescriptionThis query looks for potential webshell creation by the threat actor Mercury after the sucessful exploitation of SysAid server.

Required data connectorsMicrosoftThreatProtection
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Uri Shells Threat Protection/Analytic Rules/PotentialMercury_Webshell.yaml
Arm template50eb4cbd-188f-44f4-b964-bab84dcdec10.json
Deploy To Azure
let timeframe = 1d;
let time_window = 5m;
(union isfuzzy=true
| where TimeGenerated > ago(timeframe)
| where EventID == 4688
| where Process has_any ("java.exe", "javaw.exe") and CommandLine has "SysAidServer" 
| summarize by ParentProcessName,Process, Account, Computer, CommandLine, timekey= bin(TimeGenerated, time_window), TimeGenerated, SubjectLogonId
| join kind=inner(
| where TimeGenerated > ago(timeframe)
| where EventID == 4663
| where Process has_any ("java.exe", "javaw.exe")
| where AccessMask in ('0x2','0x100', '0x10', '0x4')
| where ObjectName endswith ".jsp" 
| summarize by ParentProcessName, Account, Computer, ObjectName, ProcessName, timekey= bin(TimeGenerated, time_window), TimeGenerated, SubjectLogonId)
 on timekey, Computer, SubjectLogonId
| where InitiatingProcessFileName has_any ("java.exe", "javaw.exe")  
| where InitiatingProcessCommandLine has "SysAidServer"  
| where FileName endswith ".jsp" 
| extend Account = strcat(InitiatingProcessAccountDomain, @'\', InitiatingProcessAccountName), Computer = DeviceName
| where TimeGenerated > ago(timeframe)
| where EventType == "FileCreated"
| where ActingProcessName has_any ("java.exe", "javaw.exe") 
| where ActingProcessCommandLine has "SysAidServer"  
| where FilePath endswith ".jsp" 
| extend Account = ActorUsername, Computer = DvcHostname
| extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0])
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
- T1190
queryPeriod: 1d
- InitialAccess
- dataTypes:
  - SecurityEvent
  connectorId: SecurityEvents
- dataTypes:
  - DeviceFileEvents
  connectorId: MicrosoftThreatProtection
triggerThreshold: 0
- fieldMappings:
  - identifier: FullName
    columnName: Account
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountNTDomain
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: Computer
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: HostNameDomain
  entityType: Host
name: Identify SysAid Server web shell creation
- Mercury
- Schema: ASIMFileEvent
  SchemaVersion: 0.1.0
query: |
  let timeframe = 1d;
  let time_window = 5m;
  (union isfuzzy=true
  | where TimeGenerated > ago(timeframe)
  | where EventID == 4688
  | where Process has_any ("java.exe", "javaw.exe") and CommandLine has "SysAidServer" 
  | summarize by ParentProcessName,Process, Account, Computer, CommandLine, timekey= bin(TimeGenerated, time_window), TimeGenerated, SubjectLogonId
  | join kind=inner(
  | where TimeGenerated > ago(timeframe)
  | where EventID == 4663
  | where Process has_any ("java.exe", "javaw.exe")
  | where AccessMask in ('0x2','0x100', '0x10', '0x4')
  | where ObjectName endswith ".jsp" 
  | summarize by ParentProcessName, Account, Computer, ObjectName, ProcessName, timekey= bin(TimeGenerated, time_window), TimeGenerated, SubjectLogonId)
   on timekey, Computer, SubjectLogonId
  | where InitiatingProcessFileName has_any ("java.exe", "javaw.exe")  
  | where InitiatingProcessCommandLine has "SysAidServer"  
  | where FileName endswith ".jsp" 
  | extend Account = strcat(InitiatingProcessAccountDomain, @'\', InitiatingProcessAccountName), Computer = DeviceName
  | where TimeGenerated > ago(timeframe)
  | where EventType == "FileCreated"
  | where ActingProcessName has_any ("java.exe", "javaw.exe") 
  | where ActingProcessCommandLine has "SysAidServer"  
  | where FilePath endswith ".jsp" 
  | extend Account = ActorUsername, Computer = DvcHostname
  | extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0])
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)  
queryFrequency: 1d
id: 50eb4cbd-188f-44f4-b964-bab84dcdec10
severity: High
description: |
  'This query looks for potential webshell creation by the threat actor Mercury after the sucessful exploitation of SysAid server. 
    kind: Scheduled
    - Security - Others
    tier: Community
    name: Microsoft Security Research
version: 1.0.2
OriginalUri: Shells Threat Protection/Analytic Rules/PotentialMercury_Webshell.yaml
kind: Scheduled
triggerOperator: gt
  "$schema": "",
  "contentVersion": "",
  "parameters": {
    "workspace": {
      "type": "String"
  "resources": [
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/50eb4cbd-188f-44f4-b964-bab84dcdec10')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/50eb4cbd-188f-44f4-b964-bab84dcdec10')]",
      "properties": {
        "alertRuleTemplateName": "50eb4cbd-188f-44f4-b964-bab84dcdec10",
        "customDetails": null,
        "description": "'This query looks for potential webshell creation by the threat actor Mercury after the sucessful exploitation of SysAid server. \nReference:'\n",
        "displayName": "Identify SysAid Server web shell creation",
        "enabled": true,
        "entityMappings": [
            "entityType": "Account",
            "fieldMappings": [
                "columnName": "Account",
                "identifier": "FullName"
                "columnName": "AccountName",
                "identifier": "Name"
                "columnName": "AccountNTDomain",
                "identifier": "NTDomain"
            "entityType": "Host",
            "fieldMappings": [
                "columnName": "Computer",
                "identifier": "FullName"
                "columnName": "HostName",
                "identifier": "HostName"
                "columnName": "HostNameDomain",
                "identifier": "DnsDomain"
        "OriginalUri": " Shells Threat Protection/Analytic Rules/PotentialMercury_Webshell.yaml",
        "query": "let timeframe = 1d;\nlet time_window = 5m;\n(union isfuzzy=true\n(SecurityEvent\n| where TimeGenerated > ago(timeframe)\n| where EventID == 4688\n| where Process has_any (\"java.exe\", \"javaw.exe\") and CommandLine has \"SysAidServer\" \n| summarize by ParentProcessName,Process, Account, Computer, CommandLine, timekey= bin(TimeGenerated, time_window), TimeGenerated, SubjectLogonId\n| join kind=inner(\nSecurityEvent\n| where TimeGenerated > ago(timeframe)\n| where EventID == 4663\n| where Process has_any (\"java.exe\", \"javaw.exe\")\n| where AccessMask in ('0x2','0x100', '0x10', '0x4')\n| where ObjectName endswith \".jsp\" \n| summarize by ParentProcessName, Account, Computer, ObjectName, ProcessName, timekey= bin(TimeGenerated, time_window), TimeGenerated, SubjectLogonId)\n on timekey, Computer, SubjectLogonId\n),\n(DeviceFileEvents \n| where InitiatingProcessFileName has_any (\"java.exe\", \"javaw.exe\")  \n| where InitiatingProcessCommandLine has \"SysAidServer\"  \n| where FileName endswith \".jsp\" \n| extend Account = strcat(InitiatingProcessAccountDomain, @'\\', InitiatingProcessAccountName), Computer = DeviceName\n),\n(imFileEvent\n| where TimeGenerated > ago(timeframe)\n| where EventType == \"FileCreated\"\n| where ActingProcessName has_any (\"java.exe\", \"javaw.exe\") \n| where ActingProcessCommandLine has \"SysAidServer\"  \n| where FilePath endswith \".jsp\" \n| extend Account = ActorUsername, Computer = DvcHostname\n)\n)\n| extend AccountName = tostring(split(Account, @'\\')[1]), AccountNTDomain = tostring(split(Account, @'\\')[0])\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
        "tags": [
            "Schema": "ASIMFileEvent",
            "SchemaVersion": "0.1.0"
        "techniques": [
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"