
Unusual Command Execution from Web Server Parent

Elastic Detection Rules

Summary
This detection rule identifies potential command execution initiated from web server parent processes on Linux hosts, a tactic commonly used in web shell attacks. Adversaries may exploit vulnerabilities in web servers to run arbitrary commands on the host while camouflaging their activity as legitimate web server behavior. The rule uses an ES|QL query over Elastic Defend process logs, looking for unusual command executions where the parent process name matches known web server software (e.g., Apache, Nginx) and the executed command appears suspicious. The detection focuses on instances where such commands are executed from directories associated with web content, capturing unusual actions that might indicate a compromised server. The rule triggers an alert when these conditions are met, supporting the identification of possible intrusions or ongoing attacks against Linux web servers.
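As an added illustration of the detection logic the summary describes (this is not the rule's ES|QL query and not Elastic's code), the Python below applies the same three conditions to constructed process-start events: the parent must be a web server, the child command must look suspicious, and the working directory must be under a web content path. The web server names, web content directories, suspicious and expected child lists, and the event fields are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Illustrative assumptions, not the rule's own lists: parent names treated as web
# servers, directories treated as web content, and child commands worth flagging.
WEB_SERVER_PARENTS = {"apache2", "httpd", "nginx", "lighttpd", "php-fpm", "tomcat"}
WEB_CONTENT_DIRS = ("/var/www", "/srv/www", "/usr/share/nginx", "/opt/tomcat/webapps")
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "id", "whoami", "uname", "hostname",
                       "curl", "wget", "python3", "perl"}
# Children a web server legitimately spawns; excluded to limit false positives.
EXPECTED_CHILDREN = {"php", "php-cgi", "php-fpm", "nginx", "apache2", "httpd"}


@dataclass
class ProcessEvent:
    """Minimal stand-in for a process-start event (constructed; not Elastic Defend's schema)."""
    parent_name: str
    name: str
    args: List[str]
    working_directory: str
    user: str


def basename(path: str) -> str:
    """'/usr/bin/sh' -> 'sh'; bare names pass through unchanged."""
    return path.rsplit("/", 1)[-1].lower()


def evaluate(ev: ProcessEvent) -> Optional[str]:
    """Return a human-readable reason if the event matches, otherwise None."""
    parent = basename(ev.parent_name)
    child = basename(ev.name)
    if parent not in WEB_SERVER_PARENTS:
        return None                      # condition 1: parent is a web server
    if child in EXPECTED_CHILDREN:
        return None                      # normal server-to-worker spawn, not interesting
    if not ev.working_directory.startswith(WEB_CONTENT_DIRS):
        return None                      # condition 3: executed from web content
    if child not in SUSPICIOUS_CHILDREN:
        return None                      # condition 2: command looks suspicious
    return (f"{parent} spawned {child} {' '.join(ev.args[1:])!r} "
            f"in {ev.working_directory} as {ev.user}")


def find_matches(events: List[ProcessEvent]) -> List[str]:
    """Run the logic over a batch of events and collect the reasons for each hit."""
    return [reason for ev in events if (reason := evaluate(ev))]


# Constructed sample events covering one hit and three deliberate non-hits.
SAMPLE_EVENTS = [
    ProcessEvent("apache2", "/bin/sh", ["sh", "-c", "id"], "/var/www/html", "www-data"),
    ProcessEvent("nginx", "/usr/sbin/php-fpm", ["php-fpm"], "/var/www", "www-data"),
    ProcessEvent("systemd", "/bin/bash", ["bash", "-c", "uname -a"], "/root", "root"),
    ProcessEvent("httpd", "/usr/bin/curl", ["curl", "http://example.invalid/"], "/tmp", "apache"),
]

if __name__ == "__main__":
    for reason in find_matches(SAMPLE_EVENTS):
        print("ALERT:", reason)
```

Only the first sample event fires: the second is a web server starting its own worker, the third has a non-web parent, and the fourth runs outside the web content directories. That last case is the caveat worth weighing when tuning: requiring a web content working directory keeps noise down but means a web shell that first changes directory is not caught by this condition alone, so the directory check is best treated as one signal among several rather than a hard requirement.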
Categories
  • Endpoint
Data Sources
  • Process
  • Logon Session
ATT&CK Techniques
  • T1505
  • T1505.003
  • T1059
  • T1059.004
  • T1071
Created: 2025-03-04