
Suspicious Process By Web Server Process

Summary
This detection rule identifies suspicious processes started by web server processes, which can indicate a web shell or other exploitation on a Windows system. The rule monitors processes spawned by recognized web server binaries such as Caddy, Apache HTTP Server, Nginx, PHP, and Tomcat, and inspects the child process each one launches: when a process that normally only serves requests spawns an unexpected child such as cmd.exe or PowerShell, an alert is raised. The rule also includes filters to reduce false positives from known legitimate server management operations related to Java and ADManager Plus. The detection is assigned high severity because exploitation via web shells can lead to severe consequences, including data breaches and unauthorized access.
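The following is an added example, not the Sigma rule itself: a small matcher that applies the parent/child logic described above to constructed Sysmon-style process-creation events. The image names, the Sysmon field names (Image, ParentImage, CommandLine) and the two false-positive filters are assumptions standing in for the rule's exact selections.

```python
import ntpath

# Assumed image names for the servers the summary lists; not the rule's exact list.
WEB_SERVER_PARENTS = {"caddy.exe", "httpd.exe", "nginx.exe", "php.exe",
                      "php-cgi.exe", "tomcat.exe", "tomcat8.exe", "tomcat9.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}
TOMCAT_IMAGES = {"tomcat.exe", "tomcat8.exe", "tomcat9.exe"}

def is_known_benign(event):
    """Assumed stand-ins for the Java and ADManager Plus false-positive filters."""
    parent = event["ParentImage"].lower()
    cmdline = event["CommandLine"].lower()
    # ADManager Plus ships its own web server; shells under its install path are expected.
    if "\\admanager plus\\" in parent:
        return True
    # Tomcat service wrappers legitimately launch java.exe through cmd.exe.
    if ntpath.basename(parent) in TOMCAT_IMAGES and "java.exe" in cmdline:
        return True
    return False

def matches(event):
    """True when a web server parent spawned a shell and no filter applies."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    child = ntpath.basename(event["Image"]).lower()
    if parent not in WEB_SERVER_PARENTS or child not in SUSPICIOUS_CHILDREN:
        return False
    return not is_known_benign(event)

def alerts(events):
    """Return only the events the rule would alert on."""
    return [e for e in events if matches(e)]

# Constructed Sysmon-style process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Apache24\bin\httpd.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},                                   # alert
    {"ParentImage": r"C:\nginx\nginx.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Date"},                 # alert
    {"ParentImage": r"C:\Tomcat9\bin\tomcat9.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Java\bin\java.exe" -version'},      # filtered: Java
    {"ParentImage": r"C:\ManageEngine\ADManager Plus\bin\httpd.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},                                   # filtered: ADManager Plus
    {"ParentImage": r"C:\Apache24\bin\httpd.exe", "Image": r"C:\php\php-cgi.exe",
     "CommandLine": "php-cgi.exe"},                                      # not a shell child
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},                                          # parent not a web server
]
```

Calling `alerts(SAMPLE_EVENTS)` returns only the first two events; the Tomcat and ADManager Plus cases are suppressed by the filters, and the last two never match the parent/child selection.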
Categories
  • Endpoint
  • Windows
  • Web
  • Cloud
Data Sources
  • Process
Created: 2019-01-16