From cybersec-toolkit
Hunts for web shell deployments on internet-facing servers using EDR and SIEM telemetry. Analyzes file creation, suspicious process spawning, and HTTP patterns.
How this skill is triggered — by the user, by Claude, or both

Slash command: /cybersec-toolkit:hunting-for-webshell-activity

The summary Claude sees in its skill listing, used to decide when to auto-load this skill:
- When proactively hunting for indicators of web shell activity in the environment
| ATT&CK technique | Name |
|---|---|
| T1505.003 | Web Shell |
| T1190 | Exploit Public-Facing Application |
| T1059.001 | PowerShell |

| Tool | Purpose |
|---|---|
| CrowdStrike Falcon | EDR telemetry and threat detection |
| Microsoft Defender for Endpoint | Advanced hunting with KQL |
| Splunk Enterprise | SIEM log analysis with SPL queries |
| Elastic Security | Detection rules and investigation timeline |
| Sysmon | Detailed Windows event monitoring |
| Velociraptor | Endpoint artifact collection and hunting |
| Sigma Rules | Cross-platform detection rule format |

Finding template:

Hunt ID: TH-HUNTIN-[DATE]-[SEQ]
Technique: T1505.003
Host: [Hostname]
User: [Account context]
Evidence: [Log entries, process trees, network data]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended Action: [Containment, investigation, monitoring]
Install: npx claudepluginhub 26zl/cybersec-toolkit --plugin cybersec-toolkit
Hunts for web shell deployments on internet-facing servers by analyzing file creation in web directories, suspicious process spawning from web server processes, and anomalous HTTP patterns. Useful for threat hunting, incident response, and security assessments.