Techniques
Sample rules
Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation
- source: elastic
- techniques:
- T1190
- T1505
Description
Identifies successful exploitation of CVE-2023-50164, a critical path traversal vulnerability in the Apache Struts 2 file upload functionality. This high-fidelity rule detects a specific attack sequence: a multipart/form-data POST request whose body carries a WebKitFormBoundary marker is made to a Struts upload .action endpoint, and within 10 seconds a Java process on the same host creates a .jsp file under a Tomcat webapps directory (excluding WEB-INF and META-INF paths, and excluding Java processes launched by package managers or the init system). This correlated activity indicates active exploitation resulting in remote code execution capability through unauthorized file upload and web shell deployment.
Detection logic
sequence by agent.id with maxspan=10s
[network where data_stream.dataset == "network_traffic.http" and
http.request.method == "POST" and
http.request.body.content like "*WebKitFormBoundary*" and
url.path like~ "*upload*.action"]
[file where event.dataset == "endpoint.events.file" and
host.os.type == "linux" and
event.action == "creation" and
process.name == "java" and
file.extension == "jsp" and
file.path like "*/webapps/*" and
not file.path like "*/WEB-INF/*" and
not file.path like "*/META-INF/*" and
not process.parent.name in ("apk", "apt", "apt-get", "dpkg", "yum", "rpm", "dnf", "systemd", "init")]
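To see what the sequence above actually fires on, here is an added Python re-implementation of its two stages and the `by agent.id` / `maxspan=10s` correlation, run over constructed sample events. This is example code written for this page, not Elastic's rule engine or EQL: the field names and filter values are taken from the rule, the host names, timestamps and request bodies are made up, and the in-flight handling (one open stage-1 event per agent) is a simplification of how EQL tracks sequences.

```python
"""Re-implementation of the two-stage EQL sequence above over constructed events.
Added example code; not Elastic's rule engine. Sample events are made up."""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

MAXSPAN = timedelta(seconds=10)  # EQL `maxspan=10s`
# EQL `not process.parent.name in (...)` list, copied from the rule
PKG_PARENTS = {"apk", "apt", "apt-get", "dpkg", "yum", "rpm", "dnf", "systemd", "init"}


def like(value, pattern):
    """EQL `like`: case-sensitive wildcard match; `*` also crosses `/` as in EQL."""
    return value is not None and fnmatchcase(value, pattern)


def like_ci(value, pattern):
    """EQL `like~`: the case-insensitive variant."""
    return value is not None and fnmatchcase(value.lower(), pattern.lower())


def is_struts_upload_post(ev):
    """Stage 1: multipart POST to an upload .action endpoint."""
    return (ev.get("data_stream.dataset") == "network_traffic.http"
            and ev.get("http.request.method") == "POST"
            and like(ev.get("http.request.body.content"), "*WebKitFormBoundary*")
            and like_ci(ev.get("url.path"), "*upload*.action"))


def is_jsp_dropped_by_java(ev):
    """Stage 2: java creates a .jsp under webapps, outside WEB-INF/META-INF."""
    path = ev.get("file.path")
    return (ev.get("event.dataset") == "endpoint.events.file"
            and ev.get("host.os.type") == "linux"
            and ev.get("event.action") == "creation"
            and ev.get("process.name") == "java"
            and ev.get("file.extension") == "jsp"
            and like(path, "*/webapps/*")
            and not like(path, "*/WEB-INF/*")
            and not like(path, "*/META-INF/*")
            and ev.get("process.parent.name") not in PKG_PARENTS)


def find_sequences(events, maxspan=MAXSPAN):
    """Correlate stage 1 -> stage 2 on the same agent.id within maxspan.
    Simplification: only the newest open stage-1 event per agent is kept.
    Returns a list of (network_event, file_event) pairs."""
    pending = {}  # agent.id -> open stage-1 event
    hits = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        agent = ev.get("agent.id")
        if is_struts_upload_post(ev):
            pending[agent] = ev
        elif is_jsp_dropped_by_java(ev) and agent in pending:
            if ev["@timestamp"] - pending[agent]["@timestamp"] <= maxspan:
                hits.append((pending.pop(agent), ev))
    return hits


# ---- constructed sample telemetry (hypothetical hosts, paths and bodies) ----
T0 = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
BODY = '------WebKitFormBoundary7MA4YWxk\r\nContent-Disposition: form-data; name="upload"; filename="cmd.jsp"\r\n'


def net_event(agent, t, path, method="POST", body=BODY):
    return {"@timestamp": t, "agent.id": agent, "data_stream.dataset": "network_traffic.http",
            "http.request.method": method, "http.request.body.content": body, "url.path": path}


def file_event(agent, t, path, parent="bash"):
    return {"@timestamp": t, "agent.id": agent, "event.dataset": "endpoint.events.file",
            "host.os.type": "linux", "event.action": "creation", "process.name": "java",
            "file.extension": "jsp", "file.path": path, "process.parent.name": parent}


SAMPLE_EVENTS = [
    # web-01: true positive, shell dropped 3 s after the upload POST
    net_event("web-01", T0, "/struts/upload.action"),
    file_event("web-01", T0 + timedelta(seconds=3), "/opt/tomcat/webapps/ROOT/cmd.jsp"),
    # web-02: stage 2 arrives 30 s later, outside maxspan
    net_event("web-02", T0 + timedelta(seconds=1), "/upload.action"),
    file_event("web-02", T0 + timedelta(seconds=31), "/var/lib/tomcat9/webapps/app/a.jsp"),
    # web-03: GET, so stage 1 never matches
    net_event("web-03", T0, "/upload.action", method="GET"),
    file_event("web-03", T0 + timedelta(seconds=2), "/opt/tomcat/webapps/ROOT/b.jsp"),
    # web-04: mixed-case path still matches `like~`, but WEB-INF is excluded
    net_event("web-04", T0, "/Upload.action"),
    file_event("web-04", T0 + timedelta(seconds=2), "/opt/tomcat/webapps/ROOT/WEB-INF/c.jsp"),
    # web-05: java parented by systemd is filtered out by the parent exclusion
    net_event("web-05", T0, "/upload.action"),
    file_event("web-05", T0 + timedelta(seconds=2), "/opt/tomcat/webapps/ROOT/d.jsp", parent="systemd"),
]

if __name__ == "__main__":
    for net, f in find_sequences(SAMPLE_EVENTS):
        print(f"ALERT {net['agent.id']}: {net['url.path']} -> {f['file.path']}")
```

Only the web-01 pair survives. The web-05 case is worth a look before deploying this rule: the parent exclusion list also names `systemd` and `init`, so a Tomcat started directly as a systemd unit (java parented by systemd) will not satisfy stage 2; check how Tomcat is launched in your environment and adjust the exclusion if needed.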