title: Webshell Detection by Keyword
description: Detects webshells that use GET requests by keyword sarches in URL strings
author: Florian Roth
logsource:
    type: webserver
detection:
    keywords:
        - '=whoami'
        - '=net%20user'
        - '=cmd%20/c%20'
    condition: keywords
falsepositives:
    - Web sites like wikis with articles on os commands and pages that include the os commands in the URLs
    - User searches in search boxes of the respective website
level: high