diff --git a/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml b/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml
index 11140a97aed..b266de3ef46 100644
--- a/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml
@@ -5,9 +5,9 @@ description: Detects suspicious sub processes of web server processes
 references:
 - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/
 - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
-author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), CheraghiMilad
 date: 2021-10-15
-modified: 2022-12-28
+modified: 2024-12-18
 tags:
 - attack.persistence
 - attack.t1505.003
@@ -33,17 +33,23 @@ detection:
 - 'websphere'
 sub_processes:
 Image|endswith:
- - '/whoami'
- - '/ifconfig'
- - '/ip'
- - '/bin/uname'
 - '/bin/cat'
 - '/bin/crontab'
+ - '/bin/ufw'
+ - '/bin/uname'
 - '/hostname'
+ - '/id'
+ - '/ifconfig'
+ - '/ip'
 - '/iptables'
 - '/netstat'
+ - '/nslookup'
 - '/pwd'
 - '/route'
+ - '/users'
+ - '/w'
+ - '/who'
+ - '/whoami'
 condition: 1 of selection_* and sub_processes
 falsepositives:
 - Web applications that invoke Linux command line tools
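Review bot: The new `Image|endswith` entries `'/id'`, `'/users'`, `'/w'` and `'/who'` are basename-only suffixes, while the existing `'/bin/cat'`, `'/bin/crontab'` and the newly added `'/bin/ufw'`/`'/bin/uname'` are anchored to a `/bin/` directory, so the list now mixes two matching scopes without stating why. If the `/bin/` anchoring is deliberate (to avoid matching application-bundled helpers with the same name), the bare entries should either be anchored the same way or the difference should be documented. The `falsepositives` section was not updated for the broader list; consider adding an entry such as `- Monitoring or health-check scripts spawned by web applications that call w, who, users or id` so triage has a documented benign case for the short names. The first hunk (author and modified date) needs no review.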