This analysis details a web shell intrusion incident where attackers exploited an IIS worker to exfiltrate data. The attacker uploaded a web shell, created a new account for persistence, modified an existing user's password, and used encoded PowerShell commands to establish a reverse TCP shell for command-and-control. The incident was detected by endpoint sensors, triggering an investigation. Multiple payloads were discovered in C:\Users\Public. The attacker performed discovery commands, archived the web server's working directory, and exfiltrated data via GET requests. Additional tools, including AnyDesk, were installed for remote access. The analysis includes technical details of the web shells and recommendations for preventing similar attacks.