Update rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml

terrancedejesus · web-flow · commit c186d5834380 · 2025-11-24T14:36:19.000-05:00
diff --git a/rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml b/rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml
@@ -98,23 +98,19 @@ type = "eql"
 
 query = '''
 sequence by agent.id with maxspan=10s
-[network where data_stream.dataset == "network_traffic.http" and
-    http.request.method == "POST" and
-    http.request.body.content like "*WebKitFormBoundary*" and
-    url.path like~ "*upload*.action"]
-[file where event.dataset == "endpoint.events.file" and
-    host.os.type == "linux" and
-    event.action == "creation" and
-    process.name == "java" and
-    (file.path like "/opt/tomcat/webapps/*" or
-    file.path like "*/tomcat*/webapps/*" or
-    file.path like "*/catalina/webapps/*" or
-    file.path like "*/webapps/ROOT/*" or
-    file.path like "*/webapps/*/") and
-    file.extension == "jsp" and
-    not file.path like "*/WEB-INF/*" and
-    not file.path like "*/META-INF/*" and
-    not process.parent.name in ("apt", "apt-get", "dpkg", "yum", "rpm", "dnf", "systemd", "init")]
+  [network where data_stream.dataset == "network_traffic.http" and
+      http.request.method == "POST" and
+      http.request.body.content like "*WebKitFormBoundary*" and
+      url.path like~ "*upload*.action"]
+  [file where event.dataset == "endpoint.events.file" and
+      host.os.type == "linux" and
+      event.action == "creation" and
+      process.name == "java" and
+      file.extension == "jsp" and
+      file.path like "*/webapps/*" and
+      not file.path like "*/WEB-INF/*" and
+      not file.path like "*/META-INF/*" and
+      not process.parent.name in ("apt", "apt-get", "dpkg", "yum", "rpm", "dnf", "systemd", "init")]
 '''
 
 
