Webshell Detection With Command Line Keywords

Sigma Rules

Summary
This detection rule identifies reconnaissance activity carried out through web shells by matching specific command line parameters. Attackers often deploy web shells to maintain persistence on compromised systems and to facilitate further exploitation. The rule inspects process creation events, focusing on command line arguments and on parent images associated with common web server software such as IIS, Nginx, and Tomcat. Its detection logic is tailored to capture suspicious activity that can indicate an attacker's presence, including abnormal use of network utilities like `net.exe` and `ping.exe` and various discovery commands. By targeting web server processes and common command line patterns, the rule aims to flag potentially malicious activity stemming from web shell deployments, giving defenders the visibility needed to respond effectively.
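The two conditions the summary describes (a parent image belonging to a web server worker process, and a command line carrying a discovery keyword) can be exercised against process creation events in a few lines. The script below is an added illustration, not the Sigma rule's own logic: the parent image names, the keyword patterns and the sample events are all constructed assumptions that mirror the rule's IIS / Nginx / Tomcat focus and its `net.exe` / `ping.exe` examples, and a real deployment would take the field lists from the published rule instead.

```python
import ntpath
import re

# Assumed parent image names for web server worker processes (not taken
# from the rule; chosen to mirror its IIS / Nginx / Tomcat scope).
WEB_SERVER_PARENTS = {
    "w3wp.exe",       # IIS worker process
    "httpd.exe",      # Apache httpd
    "nginx.exe",
    "php-cgi.exe",
    "tomcat8.exe",
    "tomcat9.exe",
}

# Assumed discovery keyword patterns, modelled on the summary's
# net.exe / ping.exe / discovery command examples. Case-insensitive so that
# mixed-case command lines do not slip past the check.
KEYWORD_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"\bnet(1)?(\.exe)?\s+(user|group|localgroup|view|share)\b",
        r"\bping(\.exe)?\s",
        r"\bwhoami\b",
        r"\bipconfig\b",
        r"\bsysteminfo\b",
        r"\bnetstat\b",
        r"\bnltest\b",
        r"\bhostname\b",
    )
]


def is_web_server_child(event):
    """First condition: the parent image is a known web server worker."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    return parent in WEB_SERVER_PARENTS


def has_recon_keyword(cmdline):
    """Second condition: the command line contains a discovery keyword."""
    return any(p.search(cmdline) for p in KEYWORD_PATTERNS)


def match_event(event):
    """Both conditions must hold, which is what keeps a lone `whoami` from a
    desktop session, or a benign child of the web server, out of the alerts."""
    return is_web_server_child(event) and has_recon_keyword(
        event.get("CommandLine", "")
    )


def detect(events):
    """Return the constructed ids of the events that match the rule."""
    return [e["id"] for e in events if match_event(e)]


# Constructed sample process creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"id": 2, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c net user"},
    {"id": 3, "ParentImage": r"C:\nginx\nginx.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ping.exe -n 1 10.0.0.5"},
    # Same discovery command, but launched from a desktop session: no match.
    {"id": 4, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    # Web server child without any discovery keyword: no match.
    {"id": 5, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Program Files\App\report.exe",
     "CommandLine": "report.exe --export weekly"},
    {"id": 6, "ParentImage": r"C:\Program Files\Apache Tomcat\bin\tomcat9.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ipconfig /all"},
]

if __name__ == "__main__":
    for event_id in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: web shell reconnaissance pattern matched")
```

Events 4 and 5 are the ones worth looking at: each satisfies only one of the two conditions, and neither fires, which is the property that keeps a rule of this shape from alerting on every administrator shell or every legitimate child of the web server. Tuning in practice means adjusting the two lists, and logging which condition failed for a near miss is a cheap way to see whether the parent list or the keyword list needs attention.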
Categories
  • Web
  • Endpoint
  • Infrastructure
Data Sources
  • Process
Created: 2017-01-01