ShellSweep
ShellSweeping the evil. PowerShell/Python/Lua tool to detect potential web shells using entropy analysis, machine learning, and YARA rules.
git clone https://github.com/splunk/ShellSweep.git && .\ShellSweep\ShellSweep.ps1
⚠ The Problem
Web shells are a persistent threat that can be difficult to detect, especially when attackers use obfuscation or encryption. Traditional signature-based detection often misses new variants.
✓ The Solution
ShellSweep uses entropy analysis to detect the obfuscated or encrypted code commonly found in web shells. High entropy indicates randomness, which is characteristic of the obfuscated or encrypted payloads web shells carry. The project includes ShellSweep, ShellSweepPlus (with heuristics), and ShellSweepX (with ML and YARA).
⚡ Impact
Used by defenders worldwide to identify web shell compromises. The entropy-based approach catches shells that signature-based tools miss.
Overview
ShellSweep is a PowerShell/Python/Lua tool designed to detect potential web shell files using entropy analysis.
How It Works
Entropy measures randomness in data. Obfuscated or encrypted web shells have high entropy compared to normal web files. ShellSweep calculates the entropy of each file with a web-facing extension and flags files whose entropy is unusually high.
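The following is an added worked example of the entropy check described above; it is illustrative code written for this page, not ShellSweep's own implementation. It computes Shannon entropy in bits per byte, restricts scoring to the extensions the page lists, and flags files above a cut-off. The 5.5 threshold, the `sweep`/`sweep_directory` function names and the sample inputs are all assumptions made for the example.

```python
"""Constructed illustration of an entropy-based web shell sweep (not ShellSweep's code)."""
import math
from collections import Counter
from pathlib import Path

# File extensions the ShellSweep page lists as in scope.
WEB_EXTENSIONS = {".asp", ".aspx", ".asph", ".php", ".jsp"}

# Illustrative cut-off in bits per byte; an assumption for this example,
# not ShellSweep's tuned threshold. Readable source usually lands around
# 4-5 bits/byte; base64 blobs approach 6 and encrypted data approaches 8.
ENTROPY_THRESHOLD = 5.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-symbol input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_web_file(path: str) -> bool:
    """Only files with a web-facing extension are scored."""
    return Path(path).suffix.lower() in WEB_EXTENSIONS


def sweep(files: dict, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Score a mapping of path -> bytes; return (path, entropy, flagged) tuples."""
    findings = []
    for path, content in files.items():
        if not is_web_file(path):
            continue
        h = shannon_entropy(content)
        findings.append((path, round(h, 3), h >= threshold))
    return findings


def sweep_directory(root: str, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Walk a web root on disk and score every in-scope file (hypothetical helper)."""
    files = {str(p): p.read_bytes() for p in Path(root).rglob("*") if p.is_file()}
    return sweep(files, threshold)


# Constructed sample inputs for the example (not real web shells).
BENIGN_PHP = b"""<?php
// Constructed benign page for the example: plain, readable code
$name = htmlspecialchars($_GET['name'] ?? 'guest');
echo "<p>Welcome, $name</p>";
"""

# Stand-in for an encoded payload: the 64-symbol base64 alphabet used
# uniformly, which yields exactly log2(64) = 6.0 bits per byte.
_B64_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
ENCODED_PHP = _B64_ALPHABET * 8

SAMPLE_FILES = {
    "index.php": BENIGN_PHP,
    "cache/blob.php": ENCODED_PHP,
    "img/logo.png": bytes(range(256)),  # maximal entropy, but out of scope by extension
}

if __name__ == "__main__":
    for path, entropy, flagged in sweep(SAMPLE_FILES):
        print(f"{'FLAG' if flagged else 'ok  '} {entropy:5.3f}  {path}")
```

Run stand-alone, the readable page scores well under the cut-off, the encoded blob scores 6.0 and is flagged, and the image is skipped because its extension is not in scope. A pure entropy cut-off also flags legitimate high-entropy content such as minified or compressed assets stored under a web extension, which is why the page's ShellSweepPlus and ShellSweepX variants layer heuristics, YARA rules and ML on top of the raw score.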
Variants
- ShellSweep: Core entropy-based detection
- ShellSweepPlus: Adds heuristics, pattern matching, confidence scoring
- ShellSweepX: Adds machine learning and YARA rule matching
Supported Extensions
.asp, .aspx, .asph, .php, .jsp
Sweep for web shells
Related Modules
Atomics on a Friday
Weekly YouTube show exploring atomic tests, detection engineering, and security research. Live demonstrations and deep dives into attack techniques.
Bootloaders.io
A curated list of known malicious bootloaders for various operating systems. Track and catalog bootloader threats with detection rules and hash prevention.
CBR-Queries
Collection of useful, up-to-date Carbon Black Response queries for threat hunting and detection.