
Summary
The 'Potential Web Shell' detection rule identifies web shells that adversaries place on web servers to keep persistent access to a network. A web shell is a malicious script that executes attacker-supplied commands on the server, and it is typically hidden among legitimate web content so that it blends in with normal traffic. Web shells are a staple of many advanced persistent threat (APT) groups, which is why the technique is mapped to T1505.003. The detection logic is a Splunk search over web access logs. It selects POST requests that returned HTTP status 200 and whose target is a server-side script of a type commonly used for backdoors (PHP, ASP, and JSP), and it flags the request as suspicious when the server's outgoing byte count (the response size) exceeds 500 bytes, since a successful command execution usually returns more output than a simple acknowledgement. The rule is intended to surface exploitation attempts and already-compromised servers early so that they can be contained. Note that it is a broad heuristic: legitimate applications also answer POSTs to .php, .asp and .jsp endpoints with responses larger than 500 bytes, so known-good endpoints should be tuned out and hits correlated with other signals, such as new files appearing in the web root or the web server process spawning a shell, before treating a match as an infection.
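The following is an added worked example, not the rule's own Splunk search or code from the original page. It applies the same four conditions (POST, HTTP 200, script extension, response larger than 500 bytes) to a handful of constructed Common Log Format lines and then counts hits per source and path, which is the first tuning step an analyst usually wants. The parser, the Hit class, the extension list (.aspx and .jspx are added here as an assumption beyond the PHP/ASP/JSP named in the description) and the sample log lines are all assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Parser for Common Log Format. The final field (Apache's %b) is the number of
# bytes the server sent in the response body, i.e. the "outgoing" byte count the
# rule keys on (bytes_out in Splunk's CIM web data model).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes_out>\d+|-)'
)

# Script extensions treated as backdoor candidates. PHP/ASP/JSP come from the
# rule description; .aspx and .jspx are an assumption added for this example.
SCRIPT_EXTS = (".php", ".asp", ".aspx", ".jsp", ".jspx")


@dataclass(frozen=True)
class Hit:
    src: str
    time: str
    uri: str
    status: int
    bytes_out: int


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one access-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    f["status"] = int(f["status"])
    f["bytes_out"] = 0 if f["bytes_out"] == "-" else int(f["bytes_out"])
    return f


def is_script_target(uri: str) -> bool:
    """True if the request path (query string and fragment removed) ends in a
    server-side script extension; the comparison is case-insensitive so
    '/x.PHP?cmd=id' is not missed."""
    path = uri.split("?", 1)[0].split("#", 1)[0].lower()
    return path.endswith(SCRIPT_EXTS)


def detect(lines: Iterable[str], min_bytes: int = 500) -> List[Hit]:
    """Apply the rule: POST + HTTP 200 + script extension + bytes_out > min_bytes."""
    hits: List[Hit] = []
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue  # unparsable line: skip rather than abort the whole search
        if (f["method"] == "POST" and f["status"] == 200
                and is_script_target(f["uri"]) and f["bytes_out"] > min_bytes):
            hits.append(Hit(f["src"], f["time"], f["uri"], f["status"], f["bytes_out"]))
    return hits


def summarize(hits: Iterable[Hit]) -> Dict[Tuple[str, str], int]:
    """Count hits per (source IP, path). Repeated POSTs from one source to one
    unusual script are far more suspicious than a single POST to a busy endpoint,
    and this grouping is the natural place to allow-list known-good paths."""
    counts: Dict[Tuple[str, str], int] = {}
    for h in hits:
        key = (h.src, h.uri.split("?", 1)[0])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample log: not real traffic, just one line per clause of the rule.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Feb/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',                          # GET: ignored
    '10.0.0.5 - - [09/Feb/2024:10:00:02 +0000] "POST /login.php HTTP/1.1" 302 0',                           # redirect, not 200
    '203.0.113.7 - - [09/Feb/2024:10:00:03 +0000] "POST /uploads/images/cmd.php?c=id HTTP/1.1" 200 812',    # hit
    '203.0.113.7 - - [09/Feb/2024:10:00:04 +0000] "POST /api/update.jsp HTTP/1.1" 200 120',                  # response too small
    '198.51.100.2 - - [09/Feb/2024:10:00:05 +0000] "POST /static/logo.png HTTP/1.1" 200 9000',               # not a script
    '203.0.113.7 - - [09/Feb/2024:10:00:06 +0000] "POST /uploads/images/cmd.php?c=whoami HTTP/1.1" 200 640', # hit
    'garbage line that does not parse',                                                                     # skipped
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for h in found:
        print(f"{h.time} {h.src} POST {h.uri} -> {h.bytes_out} bytes")
    for (src, path), n in summarize(found).items():
        print(f"{src} {path}: {n} suspicious POST(s)")
```

Running it flags only the two POSTs to /uploads/images/cmd.php from 203.0.113.7; the GET, the redirect, the small response and the image upload are all excluded by one clause each. Raising min_bytes or allow-listing paths in summarize is where tuning against a real site's legitimate POST endpoints would happen.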
Categories
- Web
- Cloud
Data Sources
- Web Credential
- Network Traffic
- Application Log
- Process
ATT&CK Techniques
- T1505.003
Created: 2024-02-09