Threat Hunting#




Webshells are malicious scripts that can be uploaded to a web server in order to gain control of the server. They are often used to take over a server by adding, modifying, or deleting files, and can also be used to execute arbitrary commands on the server. Webshells can be written in any scripting language, but are most commonly written in PHP or ASP.


Threat hunting on Windows is the process of proactively searching for signs of malicious activity on a Windows system. This can be done manually or by using automated tools. Some common techniques used in threat hunting include looking for unusual file activity, network traffic, and process behavior.


There are many different tools that can be used for threat hunting. Some of these tools are designed specifically for threat hunting, while others are more general-purpose tools that can be used for a variety of security tasks.

Practice Datasets#

When hunting for threats, analysts typically start with some sort of dataset that contains information about the activity that has taken place within a system or network. This dataset can come from a variety of sources, including system logs, network traffic data, and application data. Once a dataset has been collected, the next step is to look for IOCs that may indicate the presence of a threat.

The following articles teach tools to generate practice datasets:

MCSI also offers free threat hunting datasets to practice your skills:


YARA is a powerful tool for reverse engineering malware. It can be used to identify and classify malware, and to find and extract specific features from malware samples. YARA can also be used to create signatures that can be used to detect and block malware.


The image below explains the process to follow when writing YARA rules:

Writing YARA rules procedure


Read the following articles to learn how to write YARA rules:


The image below proposes a workflow you can use to learn threat hunting:

Threat hunting procedure and workflow