
Summary
The rule 'Potential LIGHTWIRE Web Shell' detects attempts by adversaries to exploit web servers through malicious web shells, specifically instances of LIGHTWIRE, a Perl CGI-based web shell. Such shells give attackers a means to execute commands remotely and are commonly embedded within legitimate files, abusing vulnerabilities such as those reported in Ivanti systems. The detection rule uses Cloudflare Web Application Firewall (WAF) logs to identify suspicious POST or PUT requests targeting specific file types (CGI, Perl) that match a defined pattern, with particular attention to URI elements that signal potentially malicious activity. This rule is useful for identifying early indications of web server compromise and for strengthening the security posture against backdoor implants.
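As an added illustration (not part of this rule page or of the rule's own logic), the following Python applies the method-and-extension portion of the detection described above to constructed Cloudflare-style JSON log lines; the field names are assumed to follow Cloudflare's Logpush HTTP request dataset, and the rule's specific URI/body pattern is deliberately not reproduced.

```python
import json
from urllib.parse import unquote, urlsplit

# Constructed sample records shaped like Cloudflare Logpush HTTP request events
# (field names are an assumption; check them against your Logpush configuration).
SAMPLE_LOG = """
{"ClientIP": "198.51.100.7", "ClientRequestMethod": "POST", "ClientRequestURI": "/cgi-bin/example.cgi?flag=1"}
{"ClientIP": "198.51.100.7", "ClientRequestMethod": "GET", "ClientRequestURI": "/cgi-bin/example.cgi"}
{"ClientIP": "203.0.113.5", "ClientRequestMethod": "PUT", "ClientRequestURI": "/scripts/report%2Epl/extra"}
{"ClientIP": "203.0.113.9", "ClientRequestMethod": "post", "ClientRequestURI": "/static/app.js"}
{"ClientIP": "192.0.2.1", "ClientRequestMethod": "POST", "ClientRequestURI": "/download?file=x.cgi"}
"""

WRITE_METHODS = {"POST", "PUT"}
SCRIPT_EXTENSIONS = (".cgi", ".pl")


def normalize_path(uri: str) -> str:
    """Decoded, lower-cased path of a request URI. The query string is dropped
    so '?x=y' after the file name cannot hide it, and percent-encoding is
    decoded so '%2Ecgi' is seen as '.cgi'."""
    return unquote(urlsplit(uri).path).lower()


def targets_script(path: str) -> bool:
    """True if any path segment ends in a CGI/Perl extension; checking every
    segment catches PATH_INFO forms such as '/x.cgi/extra'."""
    return any(seg.endswith(SCRIPT_EXTENSIONS) for seg in path.split("/") if seg)


def is_suspicious(record: dict) -> bool:
    """Method-and-extension part of the rule: a POST/PUT aimed at a .cgi/.pl file."""
    method = str(record.get("ClientRequestMethod", "")).upper()
    if method not in WRITE_METHODS:
        return False
    return targets_script(normalize_path(str(record.get("ClientRequestURI", ""))))


def scan_log(text: str) -> list:
    """Parse JSON-lines log text and return the records that match."""
    hits = []
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line rather than abort the scan
        if is_suspicious(record):
            hits.append(record)
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags only the POST to `example.cgi` and the PUT to the percent-encoded `report.pl`; the GET, the POST to a static file, and the `.cgi` that appears only in a query string are left alone.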
Categories
- Web
- Network
- Cloud
Data Sources
- Web Credential
- Application Log
ATT&CK Techniques
- T1505.003
Created: 2024-02-09