|
| 1 | +[metadata] |
| 2 | +creation_date = "2025/11/19" |
| 3 | +integration = ["endpoint", "network_traffic"] |
| 4 | +maturity = "production" |
| 5 | +updated_date = "2025/11/19" |
| 6 | + |
| 7 | +[rule] |
| 8 | +author = ["Elastic"] |
| 9 | +description = """ |
| 10 | +Identifies successful exploitation of CVE-2023-50164, a critical path traversal vulnerability in Apache Struts 2 file |
| 11 | +upload functionality. This high-fidelity rule detects a specific attack sequence where a malicious multipart/form-data |
| 12 | +POST request with WebKitFormBoundary is made to a Struts .action upload endpoint, immediately followed by the creation |
| 13 | +of a JSP web shell file by a Java process in Tomcat's webapps directories. This correlated activity indicates active |
| 14 | +exploitation resulting in remote code execution capability through unauthorized file upload and web shell deployment. |
| 15 | +""" |
| 16 | +false_positives = [ |
| 17 | + """ |
| 18 | + False positives are expected to be very rare due to the specific nature of this rule. Legitimate application |
| 19 | + deployments typically do not involve multipart form uploads to .action endpoints followed immediately by JSP file |
| 20 | + creation in webapps directories. However, custom deployment scripts or automated testing tools that simulate file |
| 21 | + uploads could potentially trigger this alert. Review the source IP, user agent, uploaded file content, timing, and |
| 22 | + deployment schedules to validate if the activity is authorized. Standard package manager operations are already |
| 23 | + excluded from detection. |
| 24 | + """, |
| 25 | +] |
| 26 | +from = "now-9m" |
| 27 | +index = ["logs-endpoint.events.*", "logs-network_traffic.*"] |
| 28 | +language = "eql" |
| 29 | +license = "Elastic License v2" |
| 30 | +name = "Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation" |
| 31 | +references = [ |
| 32 | + "https://nvd.nist.gov/vuln/detail/CVE-2023-50164", |
| 33 | + "https://www.trendmicro.com/en_us/research/23/l/decoding-cve-2023-50164--unveiling-the-apache-struts-file-upload.html", |
| 34 | + "https://cwiki.apache.org/confluence/display/WW/S2-066", |
| 35 | + "https://attack.mitre.org/techniques/T1505/003/", |
| 36 | +] |
| 37 | +risk_score = 73 |
| 38 | +rule_id = "7f3e8b9a-2c4d-5e6f-8a1b-9c2d3e4f5a6b" |
| 39 | +setup = """## Setup |
| 40 | +
|
| 41 | +This rule requires data coming in from both Elastic Defend (for file events) and Network Packet Capture integrations (for HTTP traffic analysis). |
| 42 | +
|
| 43 | +### Network Packet Capture Integration Setup |
| 44 | +
|
| 45 | +**IMPORTANT**: This rule requires HTTP request body capture to be enabled in order to detect the multipart/form-data content containing WebKitFormBoundary indicators. The network traffic integration must be configured to capture HTTP request bodies for POST requests with `multipart/form-data` content type. |
| 46 | +""" |
| 47 | +severity = "high" |
| 48 | +tags = [ |
| 49 | + "Domain: Endpoint", |
| 50 | + "Domain: Web", |
| 51 | + "Domain: Network", |
| 52 | + "OS: Linux", |
| 53 | + "Use Case: Threat Detection", |
| 54 | + "Tactic: Initial Access", |
| 55 | + "Tactic: Persistence", |
| 56 | + "Data Source: Elastic Defend", |
| 57 | + "Data Source: Network Traffic", |
| 58 | + "Vulnerability: CVE-2023-50164", |
| 59 | +] |
| 60 | +type = "eql" |
| 61 | + |
| 62 | +query = ''' |
| 63 | +sequence by agent.id with maxspan=10s |
| 64 | +[network where data_stream.dataset == "network_traffic.http" and |
| 65 | + http.request.method == "POST" and |
| 66 | + http.request.body.content like "*WebKitFormBoundary*" and |
| 67 | + url.path like "*upload*.action"] |
| 68 | +[file where event.dataset == "endpoint.events.file" and |
| 69 | + host.os.type == "linux" and |
| 70 | + event.action == "creation" and |
| 71 | + process.name == "java" and |
| 72 | + (file.path like "/opt/tomcat/webapps/*" or |
| 73 | + file.path like "*/tomcat*/webapps/*" or |
| 74 | + file.path like "*/catalina/webapps/*" or |
| 75 | + file.path like "*/webapps/ROOT/*" or |
| 76 | + file.path like "*/webapps/*/") and |
| 77 | + file.extension == "jsp" and |
| 78 | + not file.path like "*/WEB-INF/*" and |
| 79 | + not file.path like "*/META-INF/*" and |
| 80 | + not process.parent.name in ("apt", "apt-get", "dpkg", "yum", "rpm", "dnf", "systemd", "init")] |
| 81 | +''' |
| 82 | + |
| 83 | + |
| 84 | +[[rule.threat]] |
| 85 | +framework = "MITRE ATT&CK" |
| 86 | +[[rule.threat.technique]] |
| 87 | +id = "T1190" |
| 88 | +name = "Exploit Public-Facing Application" |
| 89 | +reference = "https://attack.mitre.org/techniques/T1190/" |
| 90 | + |
| 91 | + |
| 92 | +[rule.threat.tactic] |
| 93 | +id = "TA0001" |
| 94 | +name = "Initial Access" |
| 95 | +reference = "https://attack.mitre.org/tactics/TA0001/" |
| 96 | + |
| 97 | +[[rule.threat]] |
| 98 | +framework = "MITRE ATT&CK" |
| 99 | +[[rule.threat.technique]] |
| 100 | +id = "T1505" |
| 101 | +name = "Server Software Component" |
| 102 | +reference = "https://attack.mitre.org/techniques/T1505/" |
| 103 | +[[rule.threat.technique.subtechnique]] |
| 104 | +id = "T1505.003" |
| 105 | +name = "Web Shell" |
| 106 | +reference = "https://attack.mitre.org/techniques/T1505/003/" |
| 107 | + |
| 108 | + |
| 109 | +[rule.threat.tactic] |
| 110 | +id = "TA0003" |
| 111 | +name = "Persistence" |
| 112 | +reference = "https://attack.mitre.org/tactics/TA0003/" |
0 commit comments