
Detect Webshell Exploit Behavior

Splunk Security Content

Summary
This detection rule identifies potentially malicious activity associated with webshells on web servers. It looks for shell or interpreter processes such as `cmd.exe`, `powershell.exe`, and `bash.exe` whose parent is a common web server process such as `w3wp.exe` (IIS) or `nginx.exe`. A web server worker should almost never need to launch an interactive shell, so this parent-child relationship is a strong indicator that an attacker has exploited a vulnerability in a web application to deploy a webshell. A webshell gives the attacker persistent access and command execution on the server, which can lead to privilege escalation or data exfiltration. Although this rule is now deprecated, understanding how it works is still useful for recognizing the behaviour it targets and the detection approach it relies on. The rule depends on process-creation telemetry (Sysmon Event ID 1 or Windows Security Event ID 4688) that records both the new process and its parent image. When triaging a hit, review the child's command line and the application the parent was serving: legitimate applications that shell out (for example CGI handlers or deployment scripts) can produce the same pattern and should be tuned out by host or command line rather than by disabling the rule.
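The core condition of the rule is a parent/child process match, which is easy to reproduce outside Splunk. The following Python is an added example written for this page, not the rule's own SPL search (which is not reproduced here) and not Splunk code: it applies the same parent-is-web-server, child-is-shell logic to constructed process-creation events. The `ProcessEvent` type, the `SAMPLE_EVENTS` data and the helper names are assumptions made for the example; the process name lists are the ones named in the summary.

```python
import ntpath
from dataclasses import dataclass
from typing import Iterable, List

# Parent image names the rule treats as web server processes (from the
# summary: w3wp.exe for IIS and nginx.exe). Assumption: matched on the
# file name only, case-insensitively, as the summary does not spell this out.
WEB_SERVER_PARENTS = {"w3wp.exe", "nginx.exe"}

# Child image names the rule treats as shells/interpreters (from the summary).
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "bash.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal view of a process-creation record (Sysmon EID 1 / Security 4688).

    Hypothetical type for this example; real events carry many more fields.
    """
    host: str
    parent_image: str
    image: str
    command_line: str


def image_name(image_path: str) -> str:
    """Lowercase file name of an image path; ntpath splits on both / and \\."""
    return ntpath.basename(image_path).lower()


def is_webshell_spawn(event: ProcessEvent) -> bool:
    """The rule's condition: a web server parent launching a shell child."""
    return (image_name(event.parent_image) in WEB_SERVER_PARENTS
            and image_name(event.image) in SHELL_CHILDREN)


def detect(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return every event that matches the webshell-spawn condition."""
    return [e for e in events if is_webshell_spawn(e)]


# Constructed sample telemetry (not real data): one IIS hit, one benign
# PowerShell launched from explorer, one nginx child that is not a shell,
# and one nginx-spawned bash (e.g. a PHP webshell calling out to bash).
SAMPLE_EVENTS = [
    ProcessEvent("web01", r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("web01", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe"),
    ProcessEvent("web02", r"C:\nginx\nginx.exe",
                 r"C:\php\php-cgi.exe", "php-cgi.exe"),
    ProcessEvent("web02", r"C:\nginx\nginx.exe",
                 r"C:\Program Files\Git\bin\bash.exe", "bash.exe -c id"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit.host}: {image_name(hit.parent_image)} -> "
              f"{image_name(hit.image)} [{hit.command_line}]")
```

The third sample event shows why the child list matters: nginx handing work to `php-cgi.exe` is normal and must not alert, while `php-cgi.exe` in turn spawning `bash.exe` would only be caught if the interpreter were also treated as a web server parent, a tuning decision the summary leaves to the deployment.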
Categories
  • Web
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1505 (Server Software Component)
  • T1505.003 (Server Software Component: Web Shell)
Created: 2025-01-24