It can be difficult for defenders to detect web shells because there are so many ways that code might be executed on a web server, and file uploads may be a frequent occurrence in normal operation. Complicating traffic analysis is the fact that web servers frequently have high traffic volume, and it is impractical to inspect every packet, so web shell traffic can blend in easily. One way that analysts can attempt to detect unusual activity is through anomaly analysis of web requests that were successful (server code 200). If the normal function of the web server provides a pattern of the paths from which resources are normally served, and if it is unusual to see successful requests for PHP, ASP, or JSP resources from a directory normally used for uploads, that pattern analysis may lead to the discovery of web shells. Another useful technique is to monitor the processes on the web server and note unusual parent-child relationships. For example, if the web server process does not normally spawn a command shell, it is useful to raise an alert whenever it does, and carefully inspect the commands that were executed. Web shells often run command shells (e.g. Bash on Linux, cmd.exe, or PowerShell on Windows). Whatever security alerts are in place must be monitored 24 hours a day by skilled security staff in order to be effective as a defense and allow a quick response. Binary Defense provides managed security monitoring services through our Security Operations Task Force and Threat Hunting team.

Source: https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/