Some legitimate applications might use PUT requests to create .session files, especially in custom implementations that leverage Tomcat's session persistence mechanism. Verify whether the detected activity is part of a normal application flow or whether it correlates with other suspicious behavior, such as subsequent GET requests with manipulated JSESSIONID cookies.

Techniques

Sample rules

Tomcat Session File Upload Attempt

Description

This detection identifies potential exploitation of CVE-2025-24813 in Apache Tomcat through the initial stage of the attack. This first phase occurs when an attacker attempts to upload a malicious serialized Java object with a .session file extension via an HTTP PUT request. When successful, these uploads typically result in HTTP status codes 201 (Created) or 409 (Conflict) and create the foundation for subsequent deserialization attacks by placing malicious content in a location where Tomcat’s session management can access it.

Detection logic

| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.http_method=PUT AND Web.uri_path="*.session" AND (Web.status=201 OR Web.status=409) by Web.src, Web.dest, Web.http_user_agent, Web.uri_path, Web.status 
| `drop_dm_object_name("Web")` 
| rex field=uri_path "/(?<filename>[^/]+)\.session$" 
| eval severity="High" 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `tomcat_session_file_upload_attempt_filter`
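As an added example that is not part of the original rule or the project it comes from, the same two-stage logic in Python over constructed sample events: stage 1 mirrors the tstats filter, aggregation and rex above, and stage 2 applies the triage advice from the false-positive note as a heuristic (a later GET from the same src to the same dest whose JSESSIONID references the uploaded file name is escalated; anything else is left for review). The heuristic and all field values are assumptions made here, not taken from the rule.

```python
import re
from collections import defaultdict

SESSION_RE = re.compile(r"/(?P<filename>[^/]+)\.session$")  # same regex as the rule's rex
JSESSIONID_RE = re.compile(r"JSESSIONID=([^;]+)")

# Constructed sample events using the Web data model's field names (not real traffic).
EVENTS = [
    {"_time": 100, "src": "198.51.100.7", "dest": "10.0.0.5", "http_method": "PUT",
     "uri_path": "/app/uploads/abc123.session", "status": 201, "cookie": ""},
    {"_time": 130, "src": "198.51.100.7", "dest": "10.0.0.5", "http_method": "GET",
     "uri_path": "/app/index.jsp", "status": 500, "cookie": "JSESSIONID=abc123"},
    {"_time": 200, "src": "203.0.113.9", "dest": "10.0.0.5", "http_method": "PUT",
     "uri_path": "/app/state/backup.session", "status": 409, "cookie": ""},
    {"_time": 260, "src": "203.0.113.9", "dest": "10.0.0.5", "http_method": "GET",
     "uri_path": "/app/state/list", "status": 200, "cookie": "JSESSIONID=9F2A77"},
    {"_time": 300, "src": "192.0.2.3", "dest": "10.0.0.5", "http_method": "PUT",
     "uri_path": "/app/data/notes.txt", "status": 201, "cookie": ""},
]

def session_uploads(events):
    """Stage 1: PUT to *.session with status 201/409, grouped like the tstats clause."""
    groups = defaultdict(list)
    for e in events:
        if e["http_method"] != "PUT" or e["status"] not in (201, 409):
            continue
        if not SESSION_RE.search(e["uri_path"]):  # Web.uri_path="*.session"
            continue
        groups[(e["src"], e["dest"], e["uri_path"], e["status"])].append(e["_time"])
    return [{"src": s, "dest": d, "uri_path": p, "status": st, "count": len(t),
             "firstTime": min(t), "lastTime": max(t),
             "filename": SESSION_RE.search(p)["filename"], "severity": "High"}
            for (s, d, p, st), t in groups.items()]

def triage(events, uploads):
    """Stage 2 (heuristic assumption, not from the rule): escalate an upload when a later
    GET from the same src to the same dest carries a JSESSIONID that references the
    uploaded file name; otherwise leave it for manual review."""
    verdicts = {}
    for u in uploads:
        verdicts[u["uri_path"]] = "review"
        for e in events:
            if e["http_method"] != "GET" or e["_time"] <= u["lastTime"]:
                continue
            if e["src"] != u["src"] or e["dest"] != u["dest"]:
                continue
            m = JSESSIONID_RE.search(e.get("cookie", ""))
            if m and u["filename"] in m.group(1):
                verdicts[u["uri_path"]] = "escalate"
                break
    return verdicts
```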