• CrowdStrike expands Linux sensor to detect malicious web shells in real time.
• New detection engine uses behavioral analytics and signature matching for zero‑day threats.
• Prevention layer blocks shell execution before payload reaches target systems.
• Integration with Falcon Insight provides actionable alerts and automated containment.
• Updated sensor supports containerized environments and Kubernetes workloads.
• Deployment requires minimal configuration, enabling rapid rollout across hybrid infrastructures.
Article Summaries:
- Web shells remain one of the most potent weapons in an adversary’s arsenal, particularly when targeting Linux servers and containers. These malicious scripts serve as powerful remote access tools with capabilities such as process execution, filesystem access, and tunneling of network connections. Web shells are frequently used in the exploitation of Linux servers and containers and often remain undetected for months or even years, giving adversaries persistent access. Adversaries are using obfuscation techniques and in-memory variants, and modifying legitimate scripts to evade traditional securit
- CrowdStrike has upgraded its Falcon Linux sensor to improve detection of web shells, a common attack vector on Linux servers and containers. The new “On‑write script file visibility” feature monitors scripts as they are written, enabling the sensor to recognize malicious code from processes such as web and SQL servers and to flag previously unknown shells. An additional “Enhance PHP visibility” option logs PHP eval calls, capturing the exact code executed and generating a PhpEvalString event. Together, these capabilities helped the Falcon Adversary OverWatch team identify 492 web shells in a three‑month period, enhancing visibility and response for high‑risk web applications.
- CrowdStrike has upgraded its Falcon Linux sensor to improve detection of PHP web shells, a common tool for persistent Linux attacks. The new “On‑write script file visibility” feature monitors scripts as they are written, allowing the sensor to recognize malicious content and behavior in real time. Coupled with enhanced PHP visibility that logs eval‑based code execution, the update has already helped the Falcon Adversary OverWatch team identify 492 web shells in three months. The enhancements target obfuscated and in‑memory shells, giving security teams a clearer view of adversary activity and reducing the risk of undetected persistence on critical web servers.
- CrowdStrike has expanded its Falcon Linux sensor to improve detection of PHP web shells, a common tool for persistent Linux and container attacks. The update adds “On‑write script file visibility,” which monitors scripts as they are written to the filesystem, and “Enhance PHP visibility,” which logs dynamic PHP execution via eval, assert, or create_function. These capabilities allow the sensor to flag obfuscated or in‑memory shells that evade traditional scans. In a three‑month period, the Adversary OverWatch threat‑hunting team identified 492 web shells using the new features, underscoring the effectiveness of real‑time script monitoring for high‑risk web applications.
- CrowdStrike has upgraded its Falcon Linux sensor to improve detection of PHP web shells, a common threat on Linux servers and containers. The new “On‑write script file visibility” feature watches script files as they are written, giving context and activity data that traditional scans miss. Coupled with “Enhanced PHP visibility,” which logs eval‑based code execution (e.g., via PhpEvalString events), the sensor can spot obfuscated or in‑memory shells. In a three‑month period, the Adversary OverWatch team identified 492 web shells using these capabilities, underscoring the tool’s effectiveness for high‑risk web applications.