
Article Summaries:

  • CrowdStrike has unveiled new Linux sensor features aimed at tightening detection of PHP web shells. The “On‑write script file visibility” capability watches scripts as they are created, allowing the sensor to flag malicious code written by common services such as web servers and SQL processes. Complementing this, the “Enhance PHP visibility” feature logs every use of PHP’s eval, assert, or create_function calls, exposing obfuscated or dynamic shell code. Together, these upgrades have enabled the Falcon Adversary OverWatch team to identify 492 web shells in just three months, improving visibility into persistent, in‑memory attacks that previously went unnoticed for years.
  • CrowdStrike has upgraded its Falcon Linux sensor to improve detection of PHP web shells, a common vector for persistent Linux and container compromises. The new “On‑write script file visibility” feature tracks scripts as they are written, giving context and behavior data that outperforms traditional scans. An additional “Enhance PHP visibility” option logs eval‑style code execution, producing detailed events (e.g., PhpEvalString) that expose hidden or obfuscated shells. Together, these capabilities enabled the Falcon Adversary OverWatch team to identify 492 web shells in just three months, offering stronger visibility for threat hunting and incident response.
  • CrowdStrike has upgraded its Falcon Linux sensor to improve detection of PHP web shells, a common vector for persistent Linux and container compromises. The new “On‑write script file visibility” feature tracks scripts as they are written, providing context and behavior data that outperforms traditional scanning. Coupled with an “Enhance PHP visibility” module that logs eval‑style code execution (e.g., PhpEvalString events), the sensor now exposes obfuscated or in‑memory shells. In a three‑month period, the Adversary OverWatch team identified 492 web shells, underscoring the effectiveness of these enhancements for early threat hunting and incident response.
  • CrowdStrike has upgraded its Falcon Linux sensor to improve detection of PHP web shells, a common attack vector on Linux servers and containers. The new “On‑write script file visibility” feature watches scripts as they are written, enabling the sensor to recognize malicious code in real time and flag previously unknown shells. An additional “Enhance PHP visibility” option logs PHP eval calls, capturing the exact code executed and generating a PhpEvalString event. Together, these capabilities helped the Falcon Adversary OverWatch team identify 492 web shells in just three months, boosting visibility and response for organizations running critical web applications.
  • CrowdStrike has upgraded its Falcon Linux sensor to improve detection of PHP web shells, a common attack vector on Linux servers and containers. The new “On‑write script file visibility” feature tracks scripts as they are written, providing context and behavior data that traditional scans miss. Combined with enhanced PHP visibility, the sensor now logs eval‑based code execution (event PhpEvalString), exposing obfuscated shells that use functions like eval, assert, or create_function. In a three‑month period, the Falcon Adversary OverWatch team identified 492 web shells, demonstrating the effectiveness of the enhanced visibility and real‑time monitoring for threat hunting and incident response.
