
[New Rule] Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation #5344

@terrancedejesus

Description

Missing detection for the CVE-2023-50164 exploitation-to-webshell-deployment chain. CVE-2023-50164 is a file upload vulnerability that enables adversaries to deploy malicious Java Server Pages (JSP) in the webapps directory that act as a webshell.

This is a multi-domain rule that leverages network packet capture (NPC) data to identify specific HTTP contents that signal the exploit attempt, in addition to JSP files being written to web app directories by Java. These are correlated by the ID of the agent, which is expected to be deployed on the Linux endpoint collecting both Elastic Defend and NPC data.

// Stage 1 and stage 2 must come from the same agent and land within 10 seconds of each other
sequence by agent.id with maxspan=10s
  // Stage 1: multipart POST (browser-style WebKitFormBoundary) to a Struts *upload*.action endpoint
  [network where data_stream.dataset == "network_traffic.http" and
      http.request.method == "POST" and
      http.request.body.content like "*WebKitFormBoundary*" and
      url.path like "*upload*.action"]
  // Stage 2: the Tomcat JVM creates a .jsp inside a webapps tree, outside WEB-INF/META-INF,
  // and not as part of a package-manager or init-system driven deployment
  [file where event.dataset == "endpoint.events.file" and
      host.os.type == "linux" and
      event.action == "creation" and
      process.name == "java" and
      (file.path like "/opt/tomcat/webapps/*" or
      file.path like "*/tomcat*/webapps/*" or
      file.path like "*/catalina/webapps/*" or
      file.path like "*/webapps/ROOT/*" or
      // any application subdirectory under webapps; the original "*/webapps/*/" pattern
      // required a trailing slash and could never match a file ending in ".jsp"
      file.path like "*/webapps/*/*") and
      file.extension == "jsp" and
      not file.path like "*/WEB-INF/*" and
      not file.path like "*/META-INF/*" and
      not process.parent.name in ("apt", "apt-get", "dpkg", "yum", "rpm", "dnf", "systemd", "init")]

Testing

We have emulated this and confirmed the query is accurate and matches most PoCs publicly available as well. Please see the TRADE stack for example data (date range == month of October).
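The following is an added example (not code from the issue or from the detection-rules project) that re-implements the two-stage EQL sequence above in plain Python and runs it over constructed sample events, so the join-by-agent.id, the 10-second maxspan and the WEB-INF/META-INF exclusions can be exercised offline. The event dictionaries, agent IDs, paths and request bodies are all made up for illustration; `fnmatchcase` stands in for EQL's `like` wildcard (`*` and `?`), and the sequence join is simplified to "most recent unmatched stage-1 event from the same agent".

```python
"""Plain-Python emulation of the Struts CVE-2023-50164 -> JSP webshell EQL sequence.

Added example; not the rule itself and not part of the detection-rules repo.
Assumptions: ECS-style flat field names, fnmatch approximates EQL `like`, and the
sequence join is simplified to "latest unmatched stage-1 event for the agent".
"""
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

WEBAPP_GLOBS = (
    "/opt/tomcat/webapps/*",
    "*/tomcat*/webapps/*",
    "*/catalina/webapps/*",
    "*/webapps/ROOT/*",
    "*/webapps/*/*",          # any application subdirectory under webapps
)
EXCLUDED_GLOBS = ("*/WEB-INF/*", "*/META-INF/*")
PKG_MANAGERS = {"apt", "apt-get", "dpkg", "yum", "rpm", "dnf", "systemd", "init"}


def is_struts_upload(ev):
    """Stage 1: multipart POST to an *upload*.action endpoint."""
    return (
        ev.get("data_stream.dataset") == "network_traffic.http"
        and ev.get("http.request.method") == "POST"
        and fnmatchcase(ev.get("http.request.body.content", ""), "*WebKitFormBoundary*")
        and fnmatchcase(ev.get("url.path", ""), "*upload*.action")
    )


def is_jsp_dropped_by_java(ev):
    """Stage 2: java creates a .jsp under a webapps tree, outside WEB-INF/META-INF."""
    path = ev.get("file.path", "")
    return (
        ev.get("event.dataset") == "endpoint.events.file"
        and ev.get("host.os.type") == "linux"
        and ev.get("event.action") == "creation"
        and ev.get("process.name") == "java"
        and ev.get("file.extension") == "jsp"
        and any(fnmatchcase(path, g) for g in WEBAPP_GLOBS)
        and not any(fnmatchcase(path, g) for g in EXCLUDED_GLOBS)
        and ev.get("process.parent.name") not in PKG_MANAGERS
    )


def correlate(events, maxspan=timedelta(seconds=10)):
    """Join stage-1 and stage-2 events by agent.id when stage 2 follows within maxspan.

    Returns a list of (agent.id, url.path, file.path) tuples, one per match.
    """
    pending = {}  # agent.id -> most recent unmatched stage-1 event
    hits = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if is_struts_upload(ev):
            pending[ev["agent.id"]] = ev
        elif is_jsp_dropped_by_java(ev):
            first = pending.get(ev["agent.id"])
            if first is not None and ev["@timestamp"] - first["@timestamp"] <= maxspan:
                hits.append((ev["agent.id"], first["url.path"], ev["file.path"]))
                del pending[ev["agent.id"]]  # one stage-1 event feeds one match
    return hits


# Constructed sample data (not real telemetry).
T0 = datetime(2023, 12, 12, 10, 0, 0)
BODY = '------WebKitFormBoundaryabc\r\nContent-Disposition: form-data; name="upload"; filename="shell.jsp"'


def _post(agent, secs, path="/upload.action"):
    return {"@timestamp": T0 + timedelta(seconds=secs), "agent.id": agent,
            "data_stream.dataset": "network_traffic.http", "http.request.method": "POST",
            "http.request.body.content": BODY, "url.path": path}


def _jsp(agent, secs, path, parent="bash"):
    return {"@timestamp": T0 + timedelta(seconds=secs), "agent.id": agent,
            "event.dataset": "endpoint.events.file", "host.os.type": "linux",
            "event.action": "creation", "process.name": "java",
            "process.parent.name": parent, "file.path": path, "file.extension": "jsp"}


SAMPLE_EVENTS = [
    _post("agent-a", 0), _jsp("agent-a", 3, "/opt/tomcat/webapps/ROOT/shell.jsp"),     # fires
    _post("agent-b", 0), _jsp("agent-b", 45, "/srv/tomcat9/webapps/ROOT/shell.jsp"),   # outside maxspan
    _post("agent-c", 0), _jsp("agent-c", 2, "/opt/tomcat/webapps/app/WEB-INF/x.jsp"),  # excluded dir
    _jsp("agent-d", 1, "/opt/tomcat/webapps/app/index.jsp"),                           # no stage 1
    _post("agent-e", 0), _jsp("agent-e", 2, "/opt/tomcat/webapps/app/x.jsp", "dpkg"),  # package install
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print("ALERT", hit)
```

Only agent-a produces a match; the other four agents show, in order, why maxspan, the WEB-INF/META-INF exclusion, the sequence ordering and the parent-process exclusion each exist.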
