title: Webshell Detection by Keyword
id: 7ff9db12-1b94-4a79-ba68-a2402c5d6729
description: Detects webshells that use GET requests by keyword searches in URL strings
author: Florian Roth
logsource:
    category: webserver
detection:
    keywords:
        - =whoami
        - =net%20user
        - =cmd%20/c%20
    condition: keywords
fields:
    - client_ip
    - vhost
    - url
    - response
falsepositives:
    - Web sites like wikis with articles on os commands and pages that include the os commands in the URLs
    - User searches in search boxes of the respective website
level: high