Web or Application Server Spawning a Shell

Splunk Security Content

Summary
This analytic rule detects a web or application server process, such as Java or Tomcat, spawning a Linux shell, which may indicate exploitation of a vulnerability such as CVE-2021-44228 (Log4Shell). The detection uses EDR telemetry to examine process names and the parent-child relationships between processes. The activity is critical: if a Java application is compromised, an attacker could obtain shell access and use it to run arbitrary commands, escalate privileges, and establish persistence, posing a severe threat to the environment. The detection keys on specific process names associated with web servers and checks whether the child process is a Linux shell, so that this activity is monitored comprehensively and can be responded to quickly.
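As an added illustration of the parent-child check the summary describes (this is not the Splunk rule's own search logic), the following Python evaluates constructed EDR process-creation events; the concrete parent and shell process names are assumptions, since the page names only Java, Tomcat and "Linux shell" generically.

```python
import os

# Assumed process-name lists (the page names only Java, Tomcat and "Linux shell";
# the concrete set of names below is this example's choice, not the rule's).
WEB_SERVER_PARENTS = {"java", "tomcat"}
LINUX_SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}


def _basename(path: str) -> str:
    """Normalize '/usr/bin/bash', 'bash' or '-bash' (login shell) to 'bash'."""
    return os.path.basename(path.strip()).lstrip("-").lower()


def is_web_shell_spawn(event: dict) -> bool:
    """True when a web/app server parent spawned a Linux shell child."""
    parent = _basename(event.get("parent_process_name", ""))
    child = _basename(event.get("process_name", ""))
    return parent in WEB_SERVER_PARENTS and child in LINUX_SHELLS


def find_web_shell_spawns(events):
    """Return the subset of process-creation events matching the detection."""
    return [e for e in events if is_web_shell_spawn(e)]


def hits_by_host(events):
    """Count matches per host, the grouping an analyst would triage from."""
    counts = {}
    for e in find_web_shell_spawns(events):
        counts[e["host"]] = counts.get(e["host"], 0) + 1
    return counts


# Constructed sample EDR telemetry, not real data.
SAMPLE_EVENTS = [
    {"host": "app01", "parent_process_name": "/usr/bin/java", "process_name": "/bin/bash"},
    {"host": "app01", "parent_process_name": "/usr/bin/java", "process_name": "/usr/bin/java"},
    {"host": "app02", "parent_process_name": "tomcat", "process_name": "/bin/sh"},
    # An administrator's SSH login also spawns a shell, but its parent is sshd,
    # not a web server, so the parent-child check excludes it.
    {"host": "db01", "parent_process_name": "/usr/sbin/sshd", "process_name": "/bin/bash"},
    {"host": "app03", "parent_process_name": "/opt/jdk/bin/java", "process_name": "-bash"},
]

if __name__ == "__main__":
    for hit in find_web_shell_spawns(SAMPLE_EVENTS):
        print(f"{hit['host']}: {hit['parent_process_name']} -> {hit['process_name']}")
    print(hits_by_host(SAMPLE_EVENTS))
```

Legitimate Java applications that shell out (build agents, for example) match the same pattern, so in practice the parent list or a per-host exclusion is tuned against the environment's known behaviour.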
Categories
  • Endpoint
  • Linux
Data Sources
  • Pod
  • Process
ATT&CK Techniques
  • T1190
  • T1133
Created: 2025-10-16