Web Shell

This rule detects unusual child process executions originating from web server processes on Linux systems, potentially indicating attackers exploiting web servers for persistence.

This rule detects potential command execution from a web server parent process on a Linux host, indicating a possible web shell attack where adversaries exploit web server vulnerabilities to execute arbitrary commands.

DreamMaker by Interinfo is vulnerable to arbitrary file upload, allowing privileged remote attackers to upload and execute web shell backdoors, enabling arbitrary code execution on the server.

An unauthenticated remote code execution vulnerability, CVE-2026-5426, in Digital Knowledge's KnowledgeDeliver LMS platform due to shared ASP.NET machine keys allows attackers to inject malicious code, ultimately leading to Cobalt Strike infection of user workstations.

e107 CMS 2.3.0 contains a remote code execution vulnerability (CVE-2021-47937) that allows authenticated users with theme installation permissions to execute arbitrary commands by uploading malicious theme files, leading to arbitrary code execution on the server.

A privileged remote attacker can exploit CVE-2026-7490 in Sunnet CTMS and CPAS to upload and execute web shell backdoors, leading to arbitrary code execution on the server.

An unauthenticated remote attacker can exploit an arbitrary file upload vulnerability (CVE-2026-6885) in Borg SPM 2007 to upload and execute web shell backdoors, leading to arbitrary code execution on the server.

A file upload validation bypass vulnerability exists in FlowiseAI, where the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type, enabling an attacker to upload .js files, store malicious Node.js web shells on the server, and potentially achieve Remote Code Execution (RCE).

The creation of ASPX files in web server directories, excluding legitimate processes, indicates potential web shell deployment for persistence on Windows systems.

The rule identifies unusual outbound network connections on non-standard ports originating from web server processes on Linux systems, indicative of potential web shell activity or unauthorized communication.

Detection of command-line tools executing from the IIS installation directory on Windows systems, potentially indicating exploitation of IIS-reliant software like Microsoft Exchange.