Suspicious File Write to Webapps Root Directory

 1title: Suspicious File Write to Webapps Root Directory
 2id: 89c42960-f244-4dad-9151-ae9b1a3287a2
 3status: experimental
 4description: |
 5    Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers.
 6    This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.    
 7references:
 8    - https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
 9author: Swachchhanda Shrawan Poudel (Nextron Systems)
10date: 2025-10-20
11tags:
12    - attack.persistence
13    - attack.t1505.003
14    - attack.initial-access
15    - attack.t1190
16logsource:
17    product: windows
18    category: file_event
19detection:
20    # Add more suspicious processes or paths or extensions as needed
21    selection_susp_img:
22        Image|endswith:
23            - '\dotnet.exe'
24            - '\w3wp.exe'
25            - '\java.exe'
26    selection_servers:
27        TargetFilename|contains:
28            - '\apache'
29            - '\tomcat'
30    selection_path:
31        TargetFilename|contains: '\webapps\ROOT\'
32    selection_susp_extensions:
33        TargetFilename|endswith: '.jsp'
34    condition: all of selection_*
35falsepositives:
36    - Unknown
37level: medium