{"id":200,"date":"2023-11-05T15:17:02","date_gmt":"2023-11-05T15:17:02","guid":{"rendered":"https:\/\/blog.sinamohebi.com\/?p=200"},"modified":"2023-11-05T15:19:11","modified_gmt":"2023-11-05T15:19:11","slug":"detecting-webshells-with-sysmon-a-technical-analysis","status":"publish","type":"post","link":"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/","title":{"rendered":"Detecting Webshells with Sysmon: A Technical Analysis"},"content":{"rendered":"\n

<\/h1>\n\n\n\n

Introduction: Webshells are malicious scripts or programs that attackers deploy on web servers to gain unauthorized access and control. Detecting these webshells is crucial for maintaining the security of web applications and protecting sensitive data. In this article, we will explore how Sysmon, a powerful Windows system monitoring tool, can be utilized to detect and mitigate webshell threats. We will dive into the technical details of using Sysmon, explore relevant event IDs, and provide insights on enhancing your web server security.<\/p>\n\n\n\n

Understanding Sysmon: Sysmon is a lightweight, command-line utility developed by Microsoft for Windows systems. It provides advanced monitoring capabilities by collecting and logging detailed information about system activities, including process creation, network connections, file modifications, and more. Leveraging this tool\u2019s extensive event logging capabilities, we can effectively track and detect suspicious activity related to webshells.<\/p>\n\n\n\n

    \n
  1. Monitoring Webshell Execution (Event ID: 1): To identify webshell activities, Sysmon can be configured to monitor process creation events (Event ID: 1). By enabling the \u201cImage\u201d and \u201cCommandLine\u201d fields in Sysmon\u2019s configuration, we can capture detailed information about processes being launched on the system. Webshells are often executed through malicious scripts or processes, and monitoring process creation can help us detect their presence.<\/li>\n\n\n\n
  2. Tracking Network Connections (Event ID: 3): Webshells typically establish communication channels with external servers to receive commands or exfiltrate data. Sysmon allows us to log network connection events (Event ID: 3), including source and destination IP addresses, ports, and protocols. By monitoring network connections, we can identify suspicious communication patterns associated with webshells.<\/li>\n\n\n\n
  3. Monitoring File Modifications (Event IDs: 11, 12, 13): Webshells often modify existing files or create new files on the compromised server. Sysmon can be configured to track file modifications (Event IDs: 11, 12, 13), providing crucial insights into potential webshell activity. By monitoring file creation, modification, and deletion events, we can identify unauthorized changes made by webshells.<\/li>\n\n\n\n
  4. Detecting Suspicious Process Behavior (Event ID: 7): Sysmon enables us to monitor process behavior (Event ID: 7), including command-line arguments, parent-child process relationships, and DLL loads. Webshells may exhibit unusual behavior, such as executing commands with elevated privileges or injecting malicious code into legitimate processes. By analyzing Sysmon logs for abnormal process behavior, we can flag potential webshell activities.<\/li>\n<\/ol>\n\n\n\n

    Here\u2019s a real example of how Sysmon can be used to detect a webshell activity:<\/p>\n\n\n\n

    <\/p>\n\n\n\n

    zLet\u2019s say you have configured Sysmon on your web server and are monitoring Event ID 1 (Process Creation) and Event ID 3 (Network Connection). One day, you notice a suspicious process being created with a webshell-like name, <\/kbd><\/code><\/p>\n\n\n\n

    \u201ccmd.aspx\u201d.Process Create: RuleName: - UtcTime: 2022-01-10 15:30:45.1234567 ProcessGuid: {12345678-1234-1234-1234-123456789abc} ProcessId: 1234 Image: C:\\inetpub\\wwwroot\\cmd.aspx CommandLine: C:\\Windows\\System32\\cmd.exe \/c echo \"Hello, webshell!\" CurrentDirectory: C:\\inetpub\\wwwroot\\ User: NT AUTHORITY\\SYSTEM<\/kbd><\/code><\/p>\n\n\n\n

    Upon further investigation, you find that this process establishes an outbound connection to a suspicious IP address.<\/p>\n\n\n\n

    In this example, the webshell \u201ccmd.aspx\u201d is created by a legitimate Windows process \u201ccmd.exe\u201d and executed with elevated privileges (NT AUTHORITY\\SYSTEM). It establishes an outbound network connection to an unknown IP address on an unusual port (123.456.789.123:8080). These activities raise suspicion and indicate a potential webshell presence on the server.<\/p>\n\n\n\n

    Sysmon Event ID 3 log entry:Network Connect:
    RuleName: -
    UtcTime: 2022-01-10 15:31:00.9876543
    ProcessGuid: {12345678-1234-1234-1234-123456789abc}
    ProcessId: 1234
    Image: C:\\Windows\\System32\\cmd.exe
    User: NT AUTHORITY\\SYSTEM
    Protocol: TCP
    Initiated: true
    SourceIp: 192.168.0.100
    SourcePort: 12345
    DestinationIp: 123.456.789.123
    DestinationPort: 8080<\/code><\/code><\/pre>\n\n\n\n
    By regularly reviewing and analyzing Sysmon logs, paying attention to relevant event IDs, and using tools like SIEM (Security Information and Event Management) solutions, you can detect and respond to webshell activities promptly, mitigating potential security risks.<\/p>\n\n\n\n
    Remember, this is just one example, and the characteristics of webshells can vary. It is crucial to stay updated on the latest webshell threat indicators and adjust your monitoring and detection techniques accordingly.<\/p>\n\n\n\n
    Conclusion: Deploying Sysmon as part of your web server security strategy can significantly enhance your capability to detect and mitigate webshell threats. By leveraging Sysmon\u2019s comprehensive event logging features and implementing proper monitoring and analysis techniques, you can proactively identify and respond to webshell attacks. Remember to regularly review and analyze Sysmon logs, paying close attention to relevant event IDs, to stay vigilant and keep your web applications secure.<\/p>\n\n\n\n
    Please note that while Sysmon is a powerful tool for monitoring system activities, its configuration and analysis require technical expertise. It is recommended to consult security professionals or refer to official documentation for specific implementation details suitable for your environment.<\/p>\n\n\n\n
    provide by me with best regards<\/p>\n\n\n\n
    Sina Mohebi<\/p>\n\n\n\n
    Find More post in My Linkedin<\/a><\/p>\n\n\n\n
    <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
    Introduction: Webshells are malicious scripts or programs that attackers deploy on web servers to gain unauthorized access and control. Detecting these webshells is crucial for maintaining the security of web applications and protecting sensitive data. In this article, we will explore how Sysmon, a powerful Windows system monitoring tool, can be utilized to detect and…<\/p>\n","protected":false},"author":1,"featured_media":202,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[19,6,23,24,7],"class_list":["post-200","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-soc","tag-mitre-attck","tag-soc","tag-sysmon","tag-webshell","tag-windows-event-log"],"yoast_head":"\nDetecting Webshells with Sysmon: A Technical Analysis - Sina Mohebi<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Detecting Webshells with Sysmon: A Technical Analysis - Sina Mohebi\" \/>\n<meta property=\"og:description\" content=\"Introduction: Webshells are malicious scripts or programs that attackers deploy on web servers to gain unauthorized access and control. Detecting these webshells is crucial for maintaining the security of web applications and protecting sensitive data. In this article, we will explore how Sysmon, a powerful Windows system monitoring tool, can be utilized to detect and...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/\" \/>\n<meta property=\"og:site_name\" content=\"Sina Mohebi\" \/>\n<meta property=\"article:published_time\" content=\"2023-11-05T15:17:02+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-11-05T15:19:11+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/11\/PORTADA-OK-Ciber-Webshell-1080x675-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"640\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Sina\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Sina\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/\"},\"author\":{\"name\":\"Sina\",\"@id\":\"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/575343750c06d8fbdc957140756823dd\"},\"headline\":\"Detecting Webshells with Sysmon: A Technical Analysis\",\"datePublished\":\"2023-11-05T15:17:02+00:00\",\"dateModified\":\"2023-11-05T15:19:11+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/\"},\"wordCount\":646,\"commentCount\":1,\"publisher\":{\"@id\":\"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/575343750c06d8fbdc957140756823dd\"},\"image\":{\"@id\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/11\/PORTADA-OK-Ciber-Webshell-1080x675-1.png\",\"keywords\":[\"MITRE ATT&CK\",\"SOC\",\"sysmon\",\"webshell\",\"Windows Event log\"],\"articleSection\":[\"SOC\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/\",\"url\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/\",\"name\":\"Detecting Webshells with Sysmon: A Technical Analysis - Sina Mohebi\",\"isPartOf\":{\"@id\":\"https:\/\/blog.sinamohebi.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/11\/PORTADA-OK-Ciber-Webshell-1080x675-1.png\",\"datePublished\":\"2023-11-05T15:17:02+00:00\",\"dateModified\":\"2023-11-05T15:19:11+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/#primaryimage\",\"url\":\"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/11\/PORTADA-OK-Ciber-Webshell-1080x675-1.png\",\"contentUrl\":\"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/11\/PORTADA-OK-Ciber-Webshell-1080x675-1.png\",\"width\":1024,\"height\":640},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.sinamohebi.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Detecting Webshells with Sysmon: A Technical Analysis\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.sinamohebi.com\/#website\",\"url\":\"https:\/\/blog.sinamohebi.com\/\",\"name\":\"Sina Mohebi's Blog\",\"description\":\"Home for Security analysts\",\"publisher\":{\"@id\":\"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/575343750c06d8fbdc957140756823dd\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.sinamohebi.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/575343750c06d8fbdc957140756823dd\",\"name\":\"Sina\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/05\/blog-logo.png\",\"contentUrl\":\"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/05\/blog-logo.png\",\"width\":1196,\"height\":842,\"caption\":\"Sina\"},\"logo\":{\"@id\":\"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/image\/\"},\"sameAs\":[\"https:\/\/blog.sinamohebi.com\",\"https:\/\/www.linkedin.com\/in\/sinamohebi\/\"],\"url\":\"https:\/\/blog.sinamohebi.com\/index.php\/author\/sina\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Detecting Webshells with Sysmon: A Technical Analysis - Sina Mohebi","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/","og_locale":"en_US","og_type":"article","og_title":"Detecting Webshells with Sysmon: A Technical Analysis - Sina Mohebi","og_description":"Introduction: Webshells are malicious scripts or programs that attackers deploy on web servers to gain unauthorized access and control. Detecting these webshells is crucial for maintaining the security of web applications and protecting sensitive data. In this article, we will explore how Sysmon, a powerful Windows system monitoring tool, can be utilized to detect and...","og_url":"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/","og_site_name":"Sina Mohebi","article_published_time":"2023-11-05T15:17:02+00:00","article_modified_time":"2023-11-05T15:19:11+00:00","og_image":[{"width":1024,"height":640,"url":"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/11\/PORTADA-OK-Ciber-Webshell-1080x675-1.png","type":"image\/png"}],"author":"Sina","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Sina","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/#article","isPartOf":{"@id":"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/"},"author":{"name":"Sina","@id":"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/575343750c06d8fbdc957140756823dd"},"headline":"Detecting Webshells with Sysmon: A Technical Analysis","datePublished":"2023-11-05T15:17:02+00:00","dateModified":"2023-11-05T15:19:11+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/"},"wordCount":646,"commentCount":1,"publisher":{"@id":"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/575343750c06d8fbdc957140756823dd"},"image":{"@id":"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/11\/PORTADA-OK-Ciber-Webshell-1080x675-1.png","keywords":["MITRE ATT&CK","SOC","sysmon","webshell","Windows Event log"],"articleSection":["SOC"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/","url":"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/","name":"Detecting Webshells with Sysmon: A Technical Analysis - Sina Mohebi","isPartOf":{"@id":"https:\/\/blog.sinamohebi.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/#primaryimage"},"image":{"@id":"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/11\/PORTADA-OK-Ciber-Webshell-1080x675-1.png","datePublished":"2023-11-05T15:17:02+00:00","dateModified":"2023-11-05T15:19:11+00:00","breadcrumb":{"@id":"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/#primaryimage","url":"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/11\/PORTADA-OK-Ciber-Webshell-1080x675-1.png","contentUrl":"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/11\/PORTADA-OK-Ciber-Webshell-1080x675-1.png","width":1024,"height":640},{"@type":"BreadcrumbList","@id":"https:\/\/blog.sinamohebi.com\/index.php\/2023\/11\/05\/detecting-webshells-with-sysmon-a-technical-analysis\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.sinamohebi.com\/"},{"@type":"ListItem","position":2,"name":"Detecting Webshells with Sysmon: A Technical Analysis"}]},{"@type":"WebSite","@id":"https:\/\/blog.sinamohebi.com\/#website","url":"https:\/\/blog.sinamohebi.com\/","name":"Sina Mohebi's Blog","description":"Home for Security analysts","publisher":{"@id":"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/575343750c06d8fbdc957140756823dd"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.sinamohebi.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/575343750c06d8fbdc957140756823dd","name":"Sina","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/image\/","url":"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/05\/blog-logo.png","contentUrl":"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/05\/blog-logo.png","width":1196,"height":842,"caption":"Sina"},"logo":{"@id":"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/image\/"},"sameAs":["https:\/\/blog.sinamohebi.com","https:\/\/www.linkedin.com\/in\/sinamohebi\/"],"url":"https:\/\/blog.sinamohebi.com\/index.php\/author\/sina\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.sinamohebi.com\/index.php\/wp-json\/wp\/v2\/posts\/200","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.sinamohebi.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.sinamohebi.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.sinamohebi.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.sinamohebi.com\/index.php\/wp-json\/wp\/v2\/comments?post=200"}],"version-history":[{"count":1,"href":"https:\/\/blog.sinamohebi.com\/index.php\/wp-json\/wp\/v2\/posts\/200\/revisions"}],"predecessor-version":[{"id":201,"href":"https:\/\/blog.sinamohebi.com\/index.php\/wp-json\/wp\/v2\/posts\/200\/revisions\/201"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.sinamohebi.com\/index.php\/wp-json\/wp\/v2\/media\/202"}],"wp:attachment":[{"href":"https:\/\/blog.sinamohebi.com\/index.php\/wp-json\/wp\/v2\/media?parent=200"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.sinamohebi.com\/index.php\/wp-json\/wp\/v2\/categories?post=200"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.sinamohebi.com\/index.php\/wp-json\/wp\/v2\/tags?post=200"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}