
Ghost in the Web Shell: Introducing ShellSweep

ShellSweep is a PowerShell/Python/Lua tool designed to detect potential web shell files using entropy analysis. High entropy indicates randomness - a characteristic of obfuscated or encrypted malicious code.


Originally published on the Splunk Security Blog
Read the full article: Ghost in the Web Shell: Introducing ShellSweep

The Problem

Web shells are a persistent threat. They’re small, stealthy, and give attackers a foothold into your web infrastructure. Traditional signature-based detection often misses them - especially when attackers use obfuscation or encryption.

Enter ShellSweep

ShellSweep takes a different approach. Instead of looking for known signatures, it analyzes the entropy of file contents.

What is Entropy?

Entropy measures randomness. Here it means Shannon entropy, computed over a file's byte values and expressed in bits per byte on a scale from 0 (a single byte value repeated) to 8 (all 256 byte values equally common). In the context of file analysis:

  • Normal web files (HTML, PHP, ASP) have lower entropy because human-readable text and source code reuse a small set of characters in predictable patterns
  • Obfuscated/encrypted code has high entropy because the data looks random: base64-encoded text approaches 6 bits per byte, and compressed or encrypted bytes approach 8

Web shells often contain obfuscated code to evade detection. This obfuscation increases entropy - and that’s exactly what ShellSweep looks for.

How It Works

  1. Scan directories - Point ShellSweep at your web directories
  2. Calculate entropy - Each file’s contents are analyzed
  3. Flag suspicious files - Files with unusually high entropy are flagged for review

The Toolset

ShellSweep comes in multiple flavors:

  • PowerShell - Native Windows support
  • Python - Cross-platform flexibility
  • Lua - Lightweight alternative

Supported File Extensions

By default, ShellSweep processes common web file types:

  • .asp, .aspx, .asph
  • .php
  • .jsp

Getting Started

git clone https://github.com/splunk/ShellSweep.git
cd ShellSweep
.\ShellSweep\ShellSweep.ps1 -DirectoryPath "C:\inetpub\wwwroot"

Why This Matters

Entropy-based detection catches what signatures miss. When attackers create new web shells or modify existing ones, the obfuscation they use to evade signatures (base64 blobs, packed or encrypted payloads) raises entropy, and ShellSweep turns that evasion technique into a detection opportunity. Treat a high score as a lead rather than a verdict: minified scripts, embedded base64 images and vendored libraries can score high too, while a tiny unobfuscated shell scores low, so flagged files still need an analyst's eyes and the threshold should be tuned against a known-clean copy of the site.


Read the full technical deep-dive on the Splunk Blog:
Ghost in the Web Shell: Introducing ShellSweep

Get ShellSweep:
github.com/splunk/ShellSweep

ShellSweeping the evil. PowerShell/Python/Lua tool to detect potential web shells using entropy analysis, machine learning, and YARA rules.