Webshell ReGeorg Detection Via Web Logs

Sigma Rules

Summary
This detection rule targets activity from ReGeorg, a webshell that tunnels SOCKS traffic through a compromised web server, and identifies it by the query strings its client sends, as recorded in web server logs. The rule matches the cs-uri-query field against ReGeorg command strings such as 'cmd=read' and 'cmd=connect' and requires the request to be a POST with a null (empty or absent) referer and user agent. The ReGeorg client is a script rather than a browser, so it sends neither header, whereas a browser request to the same URL would at least carry a user agent; POST is the method the tunnel uses for its data exchange. False positives may arise from legitimate web applications that use the same URL parameters, so the rule should be run alongside other controls and its hits corroborated (for example, against the requesting IP's other activity and whether the requested script legitimately exists on the server) rather than treated as conclusive on their own. The rule's level is high, given the severity of a webshell in compromising server integrity and confidentiality.
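The selection and filter logic described above, run over constructed IIS W3C log lines, as an added example that is not part of the original page or the Sigma project. 'cmd=read' and 'cmd=connect' come from the page; the other marker strings are the commands ReGeorg's client issues and are an assumption of this example, as are the field names (IIS writes cs(User-Agent) and cs(Referer), and logs an empty field as '-'). The example also lower-cases and percent-decodes the query before matching, which is a hardening choice of this example rather than something the Sigma rule itself specifies.

```python
"""Added example: ReGeorg webshell detection over IIS W3C web-server log lines."""
from typing import Optional
from urllib.parse import unquote

# Query-string fragments ReGeorg's client sends. 'cmd=read' and 'cmd=connect'
# are named on the page; the remaining entries are the other commands the
# ReGeorg client uses and are an assumption of this example.
REGEORG_MARKERS = (
    "cmd=read",
    "cmd=connect",
    "connect&target",
    "cmd=disconnect",
    "cmd=forward",
)

# Constructed IIS W3C log sample (not real traffic). IIS writes "-" for an
# empty field, which is what the rule's "null" referer / user agent look like.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2020-08-04 10:01:02 POST /tunnel.aspx cmd=connect&target=10.0.0.5&port=445 203.0.113.7 - - 200
2020-08-04 10:01:03 POST /tunnel.aspx cmd=forward&target=10.0.0.5&port=445 203.0.113.7 - - 200
2020-08-04 10:01:04 POST /tunnel.aspx cmd=read&target=10.0.0.5&port=445 203.0.113.7 - - 200
2020-08-04 10:01:05 GET /tunnel.aspx cmd=read 203.0.113.7 - - 200
2020-08-04 10:02:00 POST /api/jobs cmd=read&id=42 198.51.100.9 Mozilla/5.0 https://app.example/ 200
2020-08-04 10:02:01 POST /tunnel.aspx cmd=READ 203.0.113.7 - - 200
2020-08-04 10:02:02 POST /tunnel.aspx cmd%3Dconnect%26target%3D10.0.0.5 203.0.113.7 - - 200
"""


def parse_w3c(text: str) -> list:
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields: list = []
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()  # W3C fields are space-separated; IIS '+'-encodes spaces in values
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than mis-assign fields
        records.append(dict(zip(fields, values)))
    return records


def is_null(value: Optional[str]) -> bool:
    """IIS writes '-' for an empty field; treat that and a missing field as Sigma 'null'."""
    return value is None or value == "-"


def matches_regeorg(rec: dict, decode: bool = True) -> bool:
    """Apply the rule: selection on cs-uri-query AND (POST, null referer, null user agent)."""
    query = rec.get("cs-uri-query", "")
    if decode:
        query = unquote(query)  # catch percent-encoded '=' and '&' (hardening, not in the rule)
    query = query.lower()       # Sigma string matching is case-insensitive by default
    selection = any(marker in query for marker in REGEORG_MARKERS)
    filt = (
        rec.get("cs-method") == "POST"
        and is_null(rec.get("cs(Referer)"))
        and is_null(rec.get("cs(User-Agent)"))
    )
    return selection and filt


def detect(text: str, decode: bool = True) -> list:
    """Return the log records that trigger the rule."""
    return [r for r in parse_w3c(text) if matches_regeorg(r, decode=decode)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit["c-ip"], hit["cs-method"], hit["cs-uri-stem"], hit["cs-uri-query"])
```

On the sample, the GET request is dropped by the method filter and the /api/jobs request is dropped because it carries a user agent and referer, which is exactly the legitimate-application case the false-positive note describes. The percent-encoded line is caught only because the example decodes the query first; a backend that matches the literal query string would miss it.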
Categories
  • Web
  • Cloud
  • Infrastructure
Data Sources
  • Web Credential
  • Network Traffic
  • Application Log
Created: 2020-08-04