title: Webshell Detection by Keyword
description: Detects webshells that use GET requests by keyword searches in URL strings
author: Florian Roth
logsource:
    category: webserver
detection:
    keywords:
        - '=whoami'
        - '=net%20user'
        - '=cmd%20/c%20'
    condition: keywords
fields:
    - client_ip
    - vhost
    - url
    - response
falsepositives:
    - Web sites like wikis with articles on os commands and pages that include the os commands in the URLs
    - User searches in search boxes of the respective website
level: high