Webshells — remote access tools embedded in web application files — are one of the most consistently observed persistence mechanisms in real-world intrusions. They appear after successful exploitation of internet-facing services: Exchange ProxyLogon, SharePoint RCEs, Apache vulnerabilities, PHP application flaws. Once a webshell is in place, it gives an attacker interactive command execution through the web server process, often for weeks or months before detection.
This guide covers the principal detection opportunities: file creation events in web directories, anomalous process ancestry from web server processes, IIS and Apache log analysis, and network patterns associated with webshell C2 traffic. Each section includes deployable Sigma rules and KQL for Microsoft Sentinel and Defender for Endpoint.
MITRE ATT&CK Mapping
Webshell deployment maps to T1505.003 (Server Software Component: Web Shell) under Persistence. Initial access typically precedes webshell deployment via T1190 (Exploit Public-Facing Application). Post-deployment activity will involve T1059 (Command and Scripting Interpreter) as commands execute through the shell.
Detection Surface 1: File Creation Events in Web Directories
The most reliable early detection is monitoring for file creation of executable types (.aspx, .php, .jsp, .cfm, .asp) in web-accessible directories by processes other than legitimate deployment tools.
Sigma Rule: Webshell File Creation in Web Root
title: Webshell File Creation in Web Directory
id: a5c8e1b2-3d4f-4a5b-8c6d-9e0f1a2b3c4d
status: production
description: Detects creation of script files in web-accessible directories by unexpected processes
references:
- https://attack.mitre.org/techniques/T1505/003/
author: SOC Analyst Hub
date: 2026-06-19
tags:
- attack.persistence
- attack.t1505.003
logsource:
category: file_event
product: windows
detection:
selection_directory:
TargetFilename|contains:
- '\inetpub\wwwroot\'
- '\wwwroot\'
- '\htdocs\'
- '\public_html\'
- '\web\content\'
selection_extension:
TargetFilename|endswith:
- '.aspx'
- '.asp'
- '.php'
- '.jsp'
- '.jspx'
- '.cfm'
- '.ashx'
- '.asmx'
filter_legitimate:
Image|contains:
- '\msdeploy.exe'
- '\w3wp.exe'
- '\devenv.exe'
- '\msbuild.exe'
- '\nuget.exe'
- '\git.exe'
- '\deploy.exe'
condition: selection_directory and selection_extension and not filter_legitimate
falsepositives:
- Legitimate web application deployment via non-standard tools
- Manual file uploads by developers via RDP
level: high
Tune the legitimate process filter for your environment. In automated deployment pipelines, the deploying process will be consistent and known — add it to the filter. The raw signal of an .aspx file created by cmd.exe or powershell.exe is highly suspicious regardless of environment.
KQL: File Creation in IIS Web Root (Defender for Endpoint)
DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath contains @"inetpub\wwwroot"
or FolderPath contains @"wwwroot"
| where FileName endswith ".aspx"
or FileName endswith ".asp"
or FileName endswith ".php"
or FileName endswith ".ashx"
| where InitiatingProcessFileName !in~ (
"w3wp.exe", "msdeploy.exe", "msbuild.exe",
"devenv.exe", "git.exe", "robocopy.exe"
)
| project Timestamp, DeviceName, FolderPath, FileName,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessParentFileName
| order by Timestamp desc
Detection Surface 2: Anomalous Process Ancestry
Once a webshell is in place, every command executed through it appears as a child process of the web server worker process. w3wp.exe (IIS), httpd.exe (Apache), or nginx.exe should never be seen spawning command interpreters, enumeration tools, or lateral movement utilities.
Sigma Rule: Suspicious Process Spawned by Web Server Process
title: Suspicious Child Process of Web Server
id: b6d9f2c3-4e5g-5b6c-9d7e-0f1g2h3i4j5k
status: production
description: Detects command execution through a webshell — command interpreters or suspicious tools spawned by web server worker processes
references:
- https://attack.mitre.org/techniques/T1505/003/
author: SOC Analyst Hub
date: 2026-06-19
tags:
- attack.persistence
- attack.t1505.003
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\w3wp.exe'
- '\httpd.exe'
- '\nginx.exe'
- '\php.exe'
- '\php-cgi.exe'
- '\tomcat.exe'
selection_child:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\net.exe'
- '\net1.exe'
- '\whoami.exe'
- '\ipconfig.exe'
- '\systeminfo.exe'
- '\nltest.exe'
- '\certutil.exe'
- '\bitsadmin.exe'
- '\wmic.exe'
- '\mshta.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
condition: selection_parent and selection_child
falsepositives:
- Some IIS diagnostic features spawn cmd.exe in limited configurations
- Web application monitoring agents
level: critical
KQL: Web Server Spawning Command Interpreter (Defender for Endpoint)
DeviceProcessEvents
| where InitiatingProcessFileName in~ (
"w3wp.exe", "httpd.exe", "nginx.exe",
"php.exe", "php-cgi.exe", "tomcat.exe"
)
| where FileName in~ (
"cmd.exe", "powershell.exe", "pwsh.exe",
"whoami.exe", "net.exe", "net1.exe",
"systeminfo.exe", "ipconfig.exe", "nltest.exe",
"certutil.exe", "bitsadmin.exe", "wmic.exe"
)
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
Detection Surface 3: IIS Access Log Analysis
Webshell requests have characteristic patterns in IIS access logs: POST requests to .aspx files that are infrequently accessed, unusual HTTP status codes from web application files that should serve static content, and requests from single source IPs targeting the same file repeatedly.
Sigma Rule: IIS Log Webshell Access Pattern
title: Webshell Access Pattern in IIS Logs
id: c7e0g3d4-5f6h-6c7d-0e8f-1g2h3i4j5k6l
status: production
description: Detects characteristic webshell request patterns in IIS W3C access logs
logsource:
category: webserver
product: iis
detection:
selection_method:
cs-method: 'POST'
selection_extension:
cs-uri-stem|endswith:
- '.aspx'
- '.asp'
- '.ashx'
- '.asmx'
filter_known_apps:
cs-uri-stem|contains:
- '/owa/'
- '/ecp/'
- '/api/'
condition: selection_method and selection_extension and not filter_known_apps
falsepositives:
- Legitimate ASP.NET form submissions
level: medium
For more targeted analysis, look for POST requests returning 200 to files that also return 200 on GET requests — normal application pages accept both methods, but webshells tend to only respond to POST with substantive output.
Detection Surface 4: Linux Apache/PHP Environments
On Linux-hosted applications running Apache and PHP, the detection profile shifts. Monitor for processes spawned by the www-data, apache, or httpd user accounts that perform filesystem enumeration or network connections.
Sigma Rule: Suspicious Apache Child Process (Linux)
title: Apache Web Server Spawning Shell - Linux
id: d8f1h4e5-6g7i-7d8e-1f9g-2h3i4j5k6l7m
status: production
description: Detects command execution via webshell on Linux Apache/PHP environments
logsource:
category: process_creation
product: linux
detection:
selection_parent:
ParentImage|endswith:
- '/apache2'
- '/httpd'
- '/php'
- '/php-fpm'
- '/nginx'
ParentUser:
- 'www-data'
- 'apache'
- 'httpd'
- 'nginx'
selection_suspicious:
Image|endswith:
- '/bash'
- '/sh'
- '/python'
- '/python3'
- '/perl'
- '/nc'
- '/ncat'
- '/wget'
- '/curl'
condition: selection_parent and selection_suspicious
falsepositives:
- Shell scripts invoked legitimately from web applications
level: high
Hunting Webshells by File Hash
Webshells in public repositories and malware analysis databases have known hashes. Tools like loki from Neo23x0 or CISA’s CHIRP scanner can sweep web directories against known-bad indicators. For periodic hunting:
# Find recently modified web files
find /var/www/ -name "*.php" -newer /var/www/index.php -ls
# Look for eval/base64 patterns common in PHP webshells
grep -r --include="*.php" -l "eval(base64_decode" /var/www/
grep -r --include="*.php" -l "system(\$_" /var/www/
grep -r --include="*.php" -l "exec(\$_POST" /var/www/
grep -r --include="*.aspx" -l "Request.Form" \inetpub\wwwroot\
Tuning Guidance
Process ancestry detection generates the highest-fidelity signals and should be prioritised. The combination of w3wp.exe or httpd parent process with cmd.exe or powershell.exe child is definitive enough to alert at critical severity with minimal false positives in most enterprise environments.
File creation detection requires tuning against your deployment processes. The goal is to narrow the set of legitimate writer processes to a known list, making anything outside that list high-confidence.
If your environment includes WAF telemetry, correlate WAF blocks against script file access — a series of blocked requests targeting a .php file followed by access to a newly created .php file in the same directory is a strong indicator of successful exploitation and webshell placement.