This analytic rule identifies instances where a shell (PowerShell.exe or Cmd.exe) is spawned from W3WP.exe, the IIS worker process. The detection is crucial as it signifies potential webshell activity, often linked with exploitation attempts, such as the HAFNIUM group targeting Exchange servers. The rule leverages data from various sources including Sysmon EventID 1 and Windows Event Log Security 4688, focusing on process creation events with W3WP.exe as the parent process. The potential consequences of this behavior, if confirmed as malicious, include unauthorized command execution, system compromise, data exfiltration, and lateral movement within networks. Known false positives should be accounted for by baselining environments prior to implementation.