Suspicious File Write to Webapps Root Directory

Severity: medium
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Source: upstream

Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers. This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1190` Exploit Public-Facing Application
Persistence	`T1505.003` Server Software Component: Web Shell

Event coverage

Provider	Event ID	Title
Sysmon	11	FileCreate

Stages and Predicates

Stage 1: `all of selection_susp_img`

or:
Image|endswith: '\dotnet.exe'
Image|endswith: '\java.exe'
Image|endswith: '\w3wp.exe'

Stage 2: `all of selection_servers`

or:
TargetFilename|contains: '\apache'
TargetFilename|contains: '\tomcat'

Stage 3: `all of selection_path`

TargetFilename|contains: '\webapps\ROOT\'

Stage 4: `all of selection_susp_extensions`

TargetFilename|endswith: .jsp

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	ends_with	`\dotnet.exe` corpus 2 (sigma 2) `\java.exe` `\w3wp.exe` corpus 6 (sigma 6)
`TargetFilename`	ends_with	`.jsp` corpus 2 (sigma 2)
`TargetFilename`	match	`\apache` `\tomcat` `\webapps\ROOT\`

Suspicious File Write to Webapps Root Directory

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: all of selection_susp_img

Stage 2: all of selection_servers

Stage 3: all of selection_path

Stage 4: all of selection_susp_extensions

Indicators

Stage 1: `all of selection_susp_img`

Stage 2: `all of selection_servers`

Stage 3: `all of selection_path`

Stage 4: `all of selection_susp_extensions`