
The Final Shell: Introducing ShellSweepX

ShellSweepX is the most advanced version of the ShellSweep family, featuring machine learning prediction, YARA rule matching, AI-powered triage, and a comprehensive API for enterprise deployment.

shellsweep webshell detection machine-learning yara splunk

Originally published on the Splunk Security Blog
Read the full article: The Final Shell: Introducing ShellSweepX

The Ultimate Web Shell Hunter

ShellSweepX represents the culmination of the ShellSweep project. It takes everything we learned from ShellSweep and ShellSweepPlus and adds enterprise-grade features including machine learning, YARA rules, and an API-driven architecture.

What Makes ShellSweepX Different

Machine Learning Prediction

Instead of relying on fixed entropy thresholds alone, ShellSweepX adds ML-based classification:

  • Trained on thousands of known web shells
  • Learns patterns beyond simple entropy
  • Adapts to new obfuscation techniques

YARA Rule Integration

Combine entropy detection with YARA’s powerful pattern matching:

  • Include your existing YARA rules
  • Add, update, and delete rules via API
  • Combine rule matches with entropy scores

API-Driven Architecture

ShellSweepX separates into agent and server components:

[Agent] → Scans files → [API] → [Server] → Analysis + Storage

This enables:

  • Centralized management
  • Distributed scanning
  • Result aggregation
  • Web-based interface
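The agent-to-server flow sketched above, as an added example written for this page and not ShellSweepX's own code: a minimal collection endpoint that validates and stores agent reports, and an agent-side submit call. The endpoint path, the token header, the report fields and the sample reports are all assumptions made for the illustration; ShellSweepX's real API is not reproduced here.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Hypothetical endpoint and shared agent token (assumptions for this example,
# not ShellSweepX's actual API).
RESULTS_PATH = "/api/v1/results"
AGENT_TOKEN = "constructed-demo-token"
REQUIRED_FIELDS = ("agent", "file_path", "entropy", "yara_matches", "confidence")


class ResultStore:
    """Thread-safe in-memory aggregation of reports from many agents."""

    def __init__(self):
        self._lock = threading.Lock()
        self._records = []

    def add(self, record):
        with self._lock:
            self._records.append(record)

    def all(self):
        with self._lock:
            return list(self._records)

    def by_confidence(self, level):
        """Aggregated view an analyst would pull from the web interface."""
        return [r for r in self.all() if r["confidence"] == level]


def make_handler(store):
    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            if self.path != RESULTS_PATH:
                self.send_error(404)
                return
            # Reject reports that do not carry the agent token: a server that
            # accepts unauthenticated results can be flooded with false data.
            if self.headers.get("X-Agent-Token") != AGENT_TOKEN:
                self.send_error(401)
                return
            length = int(self.headers.get("Content-Length", 0))
            try:
                body = json.loads(self.rfile.read(length))
                record = {k: body[k] for k in REQUIRED_FIELDS}
            except (ValueError, KeyError, TypeError):
                self.send_error(400)
                return
            store.add(record)
            self.send_response(201)
            self.send_header("Content-Type", "application/json")
            self.end_headers()
            self.wfile.write(json.dumps({"stored": len(store.all())}).encode())

        def log_message(self, *args):  # keep the example quiet
            pass

    return Handler


def start_server(store):
    """Bind to an ephemeral localhost port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(store))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def submit(server_url, record, token=AGENT_TOKEN):
    """Agent side: POST one scan result; return the HTTP status code."""
    req = Request(server_url + RESULTS_PATH, data=json.dumps(record).encode(),
                  headers={"Content-Type": "application/json", "X-Agent-Token": token},
                  method="POST")
    try:
        with urlopen(req) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def demo():
    """Run server and two agents in-process; return (store, status codes)."""
    store = ResultStore()
    srv = start_server(store)
    url = "http://127.0.0.1:%d" % srv.server_address[1]
    # Constructed sample reports in the shape of the page's result record.
    reports = [
        {"agent": "web-01", "file_path": "/var/www/html/uploads/shell.php",
         "entropy": 6.82, "yara_matches": ["webshell_generic"], "confidence": "HIGH"},
        {"agent": "web-02", "file_path": "/var/www/html/index.php",
         "entropy": 4.71, "yara_matches": [], "confidence": "LOW"},
    ]
    statuses = [submit(url, r) for r in reports]
    statuses.append(submit(url, reports[0], token="wrong-token"))  # rejected
    srv.shutdown()
    srv.server_close()
    return store, statuses


if __name__ == "__main__":
    store, statuses = demo()
    print(statuses, json.dumps(store.by_confidence("HIGH"), indent=2))
```

The token check is the one design choice worth noting: a collection server aggregates results from every scanned host, so it must authenticate agents before trusting what they report.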

Feature Comparison

Feature            | ShellSweep | ShellSweepPlus | ShellSweepX
Entropy Analysis   |            |                |
Standard Deviation |            |                |
Heuristic Analysis |            |                |
Machine Learning   |            |                |
YARA Rules         |            |                |
API Integration    |            |                |
Web Interface      |            |                |
Cross-platform     | PowerShell |                |

Comprehensive Results

ShellSweepX provides rich output:

{
  "file_path": "/var/www/html/uploads/shell.php",
  "entropy": 6.82,
  "ml_prediction": 0.94,
  "yara_matches": ["webshell_generic", "obfuscation_base64"],
  "confidence": "HIGH",
  "recommendation": "Quarantine and investigate"
}
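As an added illustration of how an entropy score and rule matches combine into a verdict in the shape of the record above (example code written for this page, not ShellSweepX's own): the regex rules stand in for YARA rules, the sample "files" are constructed, the entropy threshold and the scoring tiers are assumptions, and no ML model is included, so `ml_prediction` is left empty.

```python
import json
import math
import re
import string
from collections import Counter

# --- Constructed sample "files" (fabricated for this example, not real malware) ---

# Ordinary application code: no execution primitives, modest entropy.
BENIGN_PHP = b"""<?php
// simple contact page
$name = htmlspecialchars($_GET['name'] ?? 'guest');
echo "<h1>Hello, $name</h1>";
?>"""

# Classic one-liner shell shape: request input fed straight into execution.
SUSPICIOUS_PHP = b"""<?php
@eval(base64_decode($_POST['x']));
system($_REQUEST['cmd']);
?>"""

# Encoded payload: the base64 body gives a near-uniform symbol distribution,
# so entropy is high even though only one pattern rule fires.
_B64_ALPHABET = (string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/").encode()
ENCODED_PHP = b'<?php eval(base64_decode("' + _B64_ALPHABET * 4 + b'")); ?>'

# Hypothetical stand-in for YARA rules, expressed as regexes: rule name -> pattern.
# A real deployment would compile .yar files with the yara library instead.
PATTERN_RULES = {
    "webshell_generic": re.compile(
        rb"\b(eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(POST|GET|REQUEST)", re.I),
    "obfuscation_base64": re.compile(rb"base64_decode\s*\(", re.I),
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for one symbol, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def match_rules(data: bytes, rules=PATTERN_RULES) -> list:
    """Names of every rule whose pattern occurs in the data, in rule order."""
    return [name for name, pattern in rules.items() if pattern.search(data)]


def confidence_level(entropy: float, matches: list, entropy_threshold: float = 5.5) -> str:
    """Combine the signals: each fired rule counts one, high entropy counts one."""
    signals = len(matches) + (1 if entropy >= entropy_threshold else 0)
    if signals >= 2:
        return "HIGH"
    if signals == 1:
        return "MEDIUM"
    return "LOW"


RECOMMENDATIONS = {
    "HIGH": "Quarantine and investigate",
    "MEDIUM": "Review manually",
    "LOW": "No action",
}


def assess_file(file_path: str, data: bytes, entropy_threshold: float = 5.5) -> dict:
    """Build a result record in the shape of the page's sample output.
    ml_prediction stays None: no classifier is bundled with this example."""
    entropy = round(shannon_entropy(data), 2)
    matches = match_rules(data)
    level = confidence_level(entropy, matches, entropy_threshold)
    return {
        "file_path": file_path,
        "entropy": entropy,
        "ml_prediction": None,
        "yara_matches": matches,
        "confidence": level,
        "recommendation": RECOMMENDATIONS[level],
    }


if __name__ == "__main__":
    samples = {
        "/var/www/html/contact.php": BENIGN_PHP,
        "/var/www/html/uploads/shell.php": SUSPICIOUS_PHP,
        "/var/www/html/uploads/img.php": ENCODED_PHP,
    }
    for path, content in samples.items():
        print(json.dumps(assess_file(path, content), indent=2))
```

The encoded sample is the case the page's "combine rule matches with entropy scores" point is about: a single rule hit on its own would only rate MEDIUM, but together with the high entropy of the base64 body it reaches HIGH, while the plain contact page trips neither signal.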

Deployment Options

Standalone Agent

python shellsweepx_agent.py --path /var/www --server https://shellsweepx.internal

With YARA Rules

python shellsweepx_agent.py --path /var/www --yara-rules /etc/yara/webshells/

Why ShellSweepX?

  • Enterprise Scale - Handle thousands of servers
  • Better Accuracy - ML reduces false positives
  • Flexibility - YARA rules for custom detection
  • Visibility - Web interface for investigation
  • Integration - API for SOAR/SIEM workflows

Read the full technical breakdown on the Splunk Blog:
The Final Shell: Introducing ShellSweepX

Get ShellSweep:
github.com/splunk/ShellSweep
