Web Server Potential Command Injection Request

Elastic Detection Rules

Summary
This detection rule identifies potential command injection attempts made through web server requests. Command injection lets an attacker execute arbitrary commands on a server by manipulating web application inputs. The rule inspects HTTP requests for suspicious patterns that indicate command execution payloads, such as interpreter flags and shell invocations. It focuses on requests that received a 200 status code to reduce false positives, since attackers often use legitimate-looking requests to conceal their activity. Notable tactics covered include reconnaissance, persistence, execution, and credential access. The query uses ES|QL to examine logs from various web servers (e.g., NGINX, Apache) for indicators of compromise, evaluating URL patterns and flags that suggest malicious intent. Investigation steps and response actions are provided to help security teams mitigate the risks associated with these threats. This rule is mature and ready for production deployment.
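The detection logic described above, as an added illustration that is not the rule's own ES|QL query: it parses constructed Combined Log Format access-log lines, URL-decodes the request path so percent-encoded spaces cannot hide a flag, matches shell and interpreter invocation patterns, and keeps only 200 responses. The log lines, the regexes and the function names are assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (Combined Log Format); not captured from any real server.
SAMPLE_LOGS = [
    '10.0.0.5 - - [19/Nov/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [19/Nov/2025:10:00:02 +0000] "GET /cgi-bin/ping.sh?host=127.0.0.1;/bin/sh%20-c%20id HTTP/1.1" 200 88 "-" "curl/8.0"',
    '10.0.0.7 - - [19/Nov/2025:10:00:03 +0000] "GET /api?cmd=python3%20-c%20print(1) HTTP/1.1" 404 0 "-" "curl/8.0"',
    '10.0.0.9 - - [19/Nov/2025:10:00:04 +0000] "POST /login HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
]

# Fields needed from each line: source IP, method, raw URL and response status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)

# Approximation of the "interpreter flags and shell invocations" the rule describes:
# a shell started with -c/-i, an interpreter given a one-liner flag, or an absolute shell path.
INJECTION_RE = re.compile(
    r'(?:^|[\s;|&`$(/=?])(?:ba|z|da)?sh\s+-[ci]\b'
    r'|\b(?:python[23]?|perl|ruby|php)\s+-[cre]\b'
    r'|/bin/(?:ba|da)?sh\b',
    re.IGNORECASE,
)

def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d['status'] = int(d['status'])
    d['decoded_url'] = unquote_plus(d['url'])  # decode %20 and '+' before pattern matching
    return d

def is_suspicious(decoded_url):
    """True when the decoded URL carries a shell or interpreter invocation pattern."""
    return INJECTION_RE.search(decoded_url) is not None

def find_command_injection(lines, require_status=200):
    """Flag matching requests; like the rule, keep only the given status (200 by default),
    which trades visibility of failed probes for fewer false positives."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec['status'] == require_status and is_suspicious(rec['decoded_url']):
            hits.append({'src': rec['src'], 'url': rec['decoded_url'], 'status': rec['status']})
    return hits
```

Running find_command_injection(SAMPLE_LOGS) returns only the /bin/sh request that got a 200; the python3 -c probe matches the pattern but is dropped by the status filter, which is the trade-off to keep in mind when tuning.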
Categories
  • Web
  • Network
Data Sources
  • Web Credential
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1505
  • T1505.003
  • T1059
  • T1059.004
  • T1071
  • T1595
  • T1595.002
  • T1595.003
Created: 2025-11-19