ShellSweepPlus: Advanced Web Shell Detection

ShellSweepPlus builds on ShellSweep with multi-layered detection including entropy analysis, standard deviation, heuristics, and pattern matching for more accurate web shell identification.

Originally published on the Splunk Security Blog
Read the full article: ShellSweepPlus: Web Shell Detection Tool

Evolution of Detection

After releasing ShellSweep, we learned from real-world deployments. Entropy alone is powerful, but combining it with other techniques creates a more robust detection system. Enter ShellSweepPlus.

What’s New in ShellSweepPlus

Multi-Layered Detection

ShellSweepPlus doesn’t rely on a single method. It combines:

  1. Entropy-based detection - The core from ShellSweep
  2. Standard deviation analysis - Catches anomalies in entropy distribution
  3. Mixed-mode detection - Combines multiple signals
  4. Heuristic analysis - Pattern-based detection for known techniques

Static Code Analysis

The tool now includes pattern matching for suspicious code constructs:

  • Base64 encoding patterns
  • Eval/exec statements
  • Common web shell functions
  • Obfuscation signatures

Confidence Scoring

Instead of binary “suspicious or not” results, ShellSweepPlus provides confidence scores. This helps prioritize investigation:

  • High confidence - Multiple indicators triggered
  • Medium confidence - Some indicators present
  • Low confidence - Minor anomalies detected
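Putting the three layers and the confidence labels together, as an added Python example (not ShellSweepPlus's own code, which is PowerShell): the entropy threshold, the z-score cut-off, the pattern list and the indicator-count-to-label mapping are all assumed values, and the sample web root is constructed.

```python
import base64
import math
import re
from collections import Counter
from statistics import mean, pstdev

PATTERNS = {  # modelled on the post's categories; constructed, not the tool's rule set
    "eval_exec": re.compile(r"\b(eval|exec|system|shell_exec|passthru)\s*\(", re.I),
    "base64": re.compile(r"base64_decode\s*\(|[A-Za-z0-9+/]{40,}={0,2}"),
}

def shannon_entropy(text: str) -> float:
    """Bits per character: encoded blobs score high, ordinary source code low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def score_files(files: dict, entropy_threshold: float = 5.0, z_threshold: float = 1.5) -> dict:
    """Layer entropy, standard-deviation outliers and heuristics into one confidence label per file."""
    ent = {path: shannon_entropy(body) for path, body in files.items()}
    mu, sigma = mean(ent.values()), pstdev(ent.values())
    results = {}
    for path, body in files.items():
        hits = []
        if ent[path] >= entropy_threshold:                          # layer 1: absolute entropy
            hits.append("entropy")
        if sigma > 0 and (ent[path] - mu) / sigma >= z_threshold:  # layer 2: outlier within this scan
            hits.append("stddev_outlier")
        hits += [name for rx_name, rx in PATTERNS.items() if rx.search(body) for name in [rx_name]]  # layer 3
        label = {0: "None", 1: "Low", 2: "Medium"}.get(len(hits), "High")  # assumed mapping
        results[path] = {"entropy": round(ent[path], 3), "indicators": hits, "confidence": label}
    return results

def scan_summary(results: dict) -> dict:
    """Roll-up in the shape of the post's JSON output (ScanDuration omitted)."""
    flagged = [r["confidence"] for r in results.values() if r["confidence"] != "None"]
    top = max(flagged, key=["Low", "Medium", "High"].index, default="None")
    return {"TotalFilesScanned": len(results), "PotentialWebShells": len(flagged), "DetectionMethod": "Mixed", "ConfidenceScore": top}

# Constructed sample web root: five ordinary pages and one file that wraps an opaque blob in eval().
BLOB = base64.b64encode(bytes(range(256))).decode()  # decodes to raw bytes, not to code
SAMPLE_FILES = {
    "index.php": "<?php\n// constructed benign page\necho '<h1>Welcome to the site</h1>';\necho '<p>This page is served to every visitor.</p>';\n?>\n",
    "about.php": "<?php\n// constructed benign page\necho '<p>About this example company and the people who run it.</p>';\n?>\n",
    "contact.php": "<?php\n$to = 'info@example.com';\necho '<p>Contact the team at ' . $to . ' with any question.</p>';\n?>\n",
    "footer.php": "<?php\necho '<footer>Copyright notice goes here. All rights reserved.</footer>';\n?>\n",
    "header.php": "<?php\necho '<header><nav>Home | About | Contact | Help</nav></header>';\n?>\n",
    "cache/tmp.php": "<?php eval(base64_decode('" + BLOB + "')); ?>\n",
}
```

Run `score_files(SAMPLE_FILES)` and pass the result to `scan_summary` to get the same roll-up fields the tool's JSON output carries.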

Key Features

Structured JSON Output

Each scan produces a JSON summary that can be forwarded to a SIEM, for example:
{
  "TotalFilesScanned": 1000,
  "PotentialWebShells": 5,
  "ScanDuration": "00:05:30",
  "DetectionMethod": "Mixed",
  "ConfidenceScore": "High"
}

Customizable Thresholds

Tune the detection for your environment:

  • Adjust entropy thresholds per file extension
  • Add custom suspicious patterns
  • Exclude known-good paths and file hashes

Usage

# Basic scan
.\ShellSweepPlus.ps1 -DirectoryPath "C:\inetpub\wwwroot"

# With custom exclusions
.\ShellSweepPlus.ps1 -DirectoryPath "C:\inetpub\wwwroot" `
    -ExcludePaths @("backup", "logs") `
    -IgnoreHashesFile "known_good.txt"

Why Upgrade?

  • Fewer false positives - Multiple detection methods reduce noise
  • Better prioritization - Confidence scores focus your attention
  • More visibility - Detailed JSON output for SIEM integration

Read the full article on the Splunk Blog:
ShellSweepPlus: Web Shell Detection Tool

Get ShellSweep:
github.com/splunk/ShellSweep
