Potential Webshell Creation On Static Website

Sigma Rules

Summary
This detection rule aims to identify potential webshell creation on static websites by monitoring file activity within the web server's designated directories. The rule checks for the creation of files with suspicious extensions, typically associated with webshells, within the root directories used by web services. It specifically targets file creation events in the 'inetpub\wwwroot\', 'www\', and 'htdocs\' paths, while filtering out legitimate activity that may occur in temporary folders or through recognized applications such as XAMPP. The underlying assumption is that unauthorized uploads of sensitive file types such as .ashx, .asp, .ph, and .soap may indicate an attempt to compromise the web server. The detection logic requires that the created file carries one of the specified extensions, while ensuring that the file creation does not originate from standard system processes or legitimate administrative actions. This rule enhances the security posture of web applications by detecting atypical behavior that could otherwise lead to a significant compromise.
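The filtering described above, re-implemented as an added Python example over constructed file-creation events; this is not the Sigma rule's own YAML or logic. The Sysmon Event ID 11 field names, the '\temp\' and '\xampp\' exclusion markers, the prefix matching of extensions (so '.ph' covers .php and .phtml), the `excluded_images` parameter and the sample events are assumptions made for the example.

```python
import ntpath
from typing import Iterable

# Path markers and extensions taken from the rule summary.
WEB_ROOT_MARKERS = ("\\inetpub\\wwwroot\\", "\\www\\", "\\htdocs\\")
SUSPICIOUS_EXTENSIONS = (".ashx", ".asp", ".ph", ".soap")
# Assumed stand-ins for the summary's "temporary folders" and XAMPP exclusions.
EXCLUDED_PATH_MARKERS = ("\\temp\\", "\\xampp\\")


def has_suspicious_extension(filename: str) -> bool:
    """True if the file extension starts with a listed extension.
    Prefix matching is an assumption: '.ph' covers .php/.phtml, '.asp' covers .aspx."""
    ext = ntpath.splitext(filename)[1].lower()
    return ext != "" and any(ext.startswith(s) for s in SUSPICIOUS_EXTENSIONS)


def is_potential_webshell_creation(event: dict, excluded_images: Iterable[str] = ()) -> bool:
    """Apply the rule logic to one Sysmon-style FileCreate (Event ID 11) record.
    excluded_images is an assumed allow-list of process image paths treated as legitimate."""
    if event.get("EventID") != 11:
        return False
    target = event.get("TargetFilename", "")
    lowered = target.lower()
    if not any(m in lowered for m in WEB_ROOT_MARKERS):
        return False  # not under a web root the rule cares about
    if any(m in lowered for m in EXCLUDED_PATH_MARKERS):
        return False  # temp folder or XAMPP tree: filtered as legitimate
    if event.get("Image", "").lower() in {i.lower() for i in excluded_images}:
        return False  # written by an allow-listed process
    return has_suspicious_extension(target)


def scan(events: Iterable[dict]) -> list:
    """Return the target paths of all events the rule would flag."""
    return [e["TargetFilename"] for e in events if is_potential_webshell_creation(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "TargetFilename": "C:\\inetpub\\wwwroot\\uploads\\image.aspx"},   # flagged
    {"EventID": 11, "Image": "C:\\xampp\\apache\\bin\\httpd.exe",
     "TargetFilename": "C:\\xampp\\htdocs\\site\\index.php"},          # XAMPP, excluded
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "D:\\www\\blog\\logo.png"},                     # benign extension
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\inetpub\\wwwroot\\temp\\cache.php"},       # temp folder, excluded
    {"EventID": 11, "Image": "C:\\Program Files\\Apache\\bin\\httpd.exe",
     "TargetFilename": "C:\\Apache\\htdocs\\api\\handler.phtml"},      # flagged via '.ph'
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT potential webshell creation:", hit)
```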
Categories
  • Web
  • Infrastructure
  • Cloud
  • On-Premise
Data Sources
  • File
Created: 2019-10-22