Data Source: Network Traffic

Initial Access via File Upload Followed by GET Request

Dec 8, 2025 · Domain: Endpoint Domain: Web Domain: Network OS: Linux OS: Windows OS: macOS Use Case: Threat Detection Tactic: Initial Access Tactic: Persistence Data Source: Elastic Defend Data Source: Network Traffic Resources: Investigation Guide ·
Share on:

This rule detects potential initial access activity where an adversary uploads a web shell or malicious script to a web server via a file upload mechanism (e.g., through a web form using multipart/form-data), followed by a GET or POST request to access the uploaded file. By checking the body content of HTTP requests for file upload indicators such as "Content-Disposition: form-data" and "filename=", the rule identifies suspicious upload activities. This sequence of actions is commonly used by attackers to gain and maintain access to compromised web servers.

Read More
Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation

Nov 24, 2025 · Domain: Endpoint Domain: Web Domain: Network OS: Linux Use Case: Threat Detection Tactic: Initial Access Tactic: Persistence Data Source: Elastic Defend Data Source: Network Traffic Resources: Investigation Guide ·
Share on:

Identifies successful exploitation of CVE-2023-50164, a critical path traversal vulnerability in Apache Struts 2 file upload functionality. This high-fidelity rule detects a specific attack sequence where a malicious multipart/form-data POST request with WebKitFormBoundary is made to a Struts .action upload endpoint, immediately followed by the creation of a JSP web shell file by a Java process in Tomcat's webapps directories. This correlated activity indicates active exploitation resulting in remote code execution capability through unauthorized file upload and web shell deployment.

Read More

Initial Access via File Upload Followed by GET Request

Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation