diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/_deprecated/persistence_shell_activity_by_web_server.toml
similarity index 98%
rename from rules/linux/persistence_shell_activity_by_web_server.toml
rename to rules/_deprecated/persistence_shell_activity_by_web_server.toml
index 4045bd12c27..af68bad6a25 100644
--- a/rules/linux/persistence_shell_activity_by_web_server.toml
+++ b/rules/_deprecated/persistence_shell_activity_by_web_server.toml
@@ -1,10 +1,11 @@
 [metadata]
 creation_date = "2020/02/18"
+deprecation_date = "2023/03/04"
 integration = ["endpoint"]
-maturity = "production"
+maturity = "deprecated"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/03/04"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
new file mode 100644
index 00000000000..5a9b2aae1b3
--- /dev/null
+++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
@@ -0,0 +1,80 @@
+[metadata]
+creation_date = "2023/03/04"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/04/03"
+
+[rule]
+author = ["Elastic"]
+description = "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access."
+false_positives = [
+    """
+    Network monitoring or management products may have a web server component that runs shell commands as part of normal
+    behavior.
+    """,
+]
+from = "now-9m"
+index = ["logs-endpoint.events.*", "endgame-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Remote Code Execution via Web Server"
+references = [
+    "https://pentestlab.blog/tag/web-shell/",
+    "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965",
+]
+risk_score = 73
+rule_id = "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb"
+severity = "high"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Initial Access", "Elastic Endgame"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "linux" and event.type == "start" and
+event.action in ("exec", "exec_event") and process.parent.executable : (
+  "/usr/sbin/nginx", "/usr/local/sbin/nginx",
+  "/usr/sbin/apache", "/usr/local/sbin/apache",
+  "/usr/sbin/apache2", "/usr/local/sbin/apache2",
+  "/usr/sbin/php*", "/usr/local/sbin/php*",
+  "/usr/sbin/lighttpd", "/usr/local/sbin/lighttpd",
+  "/usr/sbin/hiawatha", "/usr/local/sbin/hiawatha",
+  "/usr/local/bin/caddy", 
+  "/usr/local/lsws/bin/lswsctrl",
+  "*/bin/catalina.sh"
+) and
+process.name : ("*sh", "python*", "perl", "php*", "tmux") and
+process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1505"
+name = "Server Software Component"
+reference = "https://attack.mitre.org/techniques/T1505/"
+[[rule.threat.technique.subtechnique]]
+id = "T1505.003"
+name = "Web Shell"
+reference = "https://attack.mitre.org/techniques/T1505/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"