diff --git a/rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml b/rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml
new file mode 100644
index 00000000000..7dafcfd682f
--- /dev/null
+++ b/rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml
@@ -0,0 +1,151 @@
+[metadata]
+creation_date = "2025/11/19"
+integration = ["endpoint", "network_traffic"]
+maturity = "production"
+updated_date = "2025/11/19"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies successful exploitation of CVE-2023-50164, a critical path traversal vulnerability in Apache Struts 2 file
+upload functionality. This high-fidelity rule detects a specific attack sequence where a malicious multipart/form-data
+POST request with WebKitFormBoundary is made to a Struts .action upload endpoint, immediately followed by the creation
+of a JSP web shell file by a Java process in Tomcat's webapps directories. This correlated activity indicates active
+exploitation resulting in remote code execution capability through unauthorized file upload and web shell deployment.
+"""
+false_positives = [
+ """
+ False positives are expected to be very rare due to the specific nature of this rule. Legitimate application
+ deployments typically do not involve multipart form uploads to .action endpoints followed immediately by JSP file
+ creation in webapps directories. However, custom deployment scripts or automated testing tools that simulate file
+ uploads could potentially trigger this alert. Review the source IP, user agent, uploaded file content, timing, and
+ deployment schedules to validate if the activity is authorized. Standard package manager operations are already
+ excluded from detection.
+ """,
+]
+from = "now-9m"
+index = ["logs-endpoint.events.*", "logs-network_traffic.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation"
+note = """## Triage and analysis
+
+### Investigating Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation
+
+CVE-2023-50164 is a critical path traversal vulnerability in Apache Struts 2 that allows attackers to manipulate file upload parameters and write malicious files to arbitrary locations on the web server. This vulnerability affects the file upload feature and enables attackers to bypass security controls, upload JSP-based web shells, and achieve remote code execution. This detection rule identifies the complete attack chain by correlating suspicious file upload requests to Struts endpoints with the subsequent creation of JSP files in web-accessible directories, indicating successful exploitation.
+
+### Possible investigation steps
+
+- Review the source IP address of the HTTP POST request to determine if it originates from a known malicious source, VPN/proxy service, or unexpected geographic location that does not align with legitimate application usage patterns.
+- Examine the complete HTTP request details including headers, user agent string, and the full request body content to identify indicators of exploit code, path traversal attempts, or malicious payloads embedded in the multipart form data.
+- Investigate the created JSP file by examining its contents, file name, creation timestamp, and file permissions to determine if it contains web shell code, command execution capabilities, or other malicious functionality.
+- Check for any subsequent process execution, network connections, or file system activities originating from the Java process after the JSP file creation, which may indicate that the web shell has been accessed and used by the attacker.
+- Review web server access logs for requests to the newly created JSP file path to identify if the attacker has attempted to access or execute the web shell, and capture any command execution or data exfiltration attempts.
+- Examine the affected Struts application logs and Tomcat catalina logs for additional context about the file upload request, error messages, or anomalous behavior that occurred during the exploitation attempt.
+- Identify the version of Apache Struts 2 running on the affected server to confirm if it is vulnerable to CVE-2023-50164 (versions prior to 2.5.33 or 6.3.0.2 are affected).
+- Search for additional suspicious file creations, modifications, or deletions in the webapps directories that may indicate the attacker attempted multiple exploitation attempts or deployed additional persistence mechanisms.
+
+### False positive analysis
+
+- Legitimate application deployments using multipart form uploads to Struts endpoints followed by JSP file creation are uncommon but possible in custom deployment workflows. Review the source IP, user identity, and timing against known deployment schedules and authorized deployment systems.
+- Automated testing frameworks or security scanning tools that test file upload functionality may trigger this rule if they upload files to Struts endpoints. Identify and exclude known security testing tools or authorized penetration testing activities based on source IP or user agent patterns.
+- Development or staging environments where developers frequently test file upload features may generate alerts. Consider creating exceptions for non-production environments or restricting the rule to production systems only.
+- CI/CD pipelines that deploy applications via multipart form uploads could potentially match this pattern, though this is rare. Review the deployment process and create exceptions for known automated deployment systems if necessary.
+
+### Response and remediation
+
+- Immediately isolate the affected web server from the network to prevent further exploitation, lateral movement, or data exfiltration by the attacker.
+- Identify and delete the malicious JSP web shell file from the web server, ensuring you preserve a copy for forensic analysis and evidence collection.
+- Terminate any active web shell sessions by restarting the Java application server process and reviewing all active network connections for suspicious activity.
+- Review web server access logs to identify all IP addresses that accessed the web shell and block those IP addresses at the network perimeter to prevent re-exploitation.
+- Conduct a comprehensive scan of the affected server for additional web shells, backdoors, persistence mechanisms, or signs of lateral movement to other systems in the environment.
+- Patch the Apache Struts 2 installation to version 2.5.33, 6.3.0.2, or higher to remediate the CVE-2023-50164 vulnerability and prevent future exploitation attempts.
+- Review and harden file upload configurations in Struts applications, implement strict input validation, restrict file upload locations, and consider implementing web application firewall (WAF) rules to detect and block path traversal attempts.
+- Reset credentials for any accounts or services running on the compromised server, as the attacker may have captured sensitive information or credentials through the web shell.
+- Escalate the incident to the security operations center (SOC) and incident response team for comprehensive investigation, threat hunting, and to determine if additional systems were compromised.
+- Conduct a post-incident review to identify gaps in detection, response, and vulnerability management processes, and implement improvements to prevent similar incidents in the future.
+"""
+references = [
+ "https://nvd.nist.gov/vuln/detail/CVE-2023-50164",
+ "https://www.trendmicro.com/en_us/research/23/l/decoding-cve-2023-50164--unveiling-the-apache-struts-file-upload.html",
+ "https://cwiki.apache.org/confluence/display/WW/S2-066",
+ "https://attack.mitre.org/techniques/T1505/003/",
+]
+risk_score = 73
+rule_id = "7f3e8b9a-2c4d-5e6f-8a1b-9c2d3e4f5a6b"
+setup = """## Setup
+
+This rule requires data coming in from both Elastic Defend (for file events) and Network Packet Capture integrations (for HTTP traffic analysis).
+
+### Network Packet Capture Integration Setup
+
+**IMPORTANT**: This rule requires HTTP request body capture to be enabled in order to detect the multipart/form-data content containing WebKitFormBoundary indicators. The network traffic integration must be configured to capture HTTP request bodies for POST requests with `multipart/form-data` content type.
+"""
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "Domain: Web",
+ "Domain: Network",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+ "Data Source: Network Traffic",
+ "Vulnerability: CVE-2023-50164",
+ "Resources: Investigation Guide",
+]
+type = "eql"
+
+query = '''
+sequence by agent.id with maxspan=10s
+[network where data_stream.dataset == "network_traffic.http" and
+ http.request.method == "POST" and
+ http.request.body.content like "*WebKitFormBoundary*" and
+ url.path like~ "*upload*.action"]
+[file where event.dataset == "endpoint.events.file" and
+ host.os.type == "linux" and
+ event.action == "creation" and
+ process.name == "java" and
+ (file.path like "/opt/tomcat/webapps/*" or
+ file.path like "*/tomcat*/webapps/*" or
+ file.path like "*/catalina/webapps/*" or
+ file.path like "*/webapps/ROOT/*" or
+ file.path like "*/webapps/*/") and
+ file.extension == "jsp" and
+ not file.path like "*/WEB-INF/*" and
+ not file.path like "*/META-INF/*" and
+ not process.parent.name in ("apt", "apt-get", "dpkg", "yum", "rpm", "dnf", "systemd", "init")]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1505"
+name = "Server Software Component"
+reference = "https://attack.mitre.org/techniques/T1505/"
+[[rule.threat.technique.subtechnique]]
+id = "T1505.003"
+name = "Web Shell"
+reference = "https://attack.mitre.org/techniques/T1505/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
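Review bot: The fifth path branch of the file stage, `file.path like "*/webapps/*/"`, can never match a created file: the pattern requires the path to end in a slash while `file.extension == "jsp"` requires it to end in `.jsp`, so a JSP dropped under a webapps tree that is not beneath a `tomcat*`, `catalina` or `ROOT` segment (a Jetty or custom Struts layout, for example) is silently missed. Presumably a generic webapps match was intended; `file.path like "*/webapps/*/*"` would cover it and subsumes the other four branches. Tomcat's default web.xml also routes `*.jspx` through the JSP servlet, so `file.extension in ("jsp", "jspx")` closes an obvious gap at no fidelity cost. The `http.request.body.content like "*WebKitFormBoundary*"` test keys on a boundary string chosen by the HTTP client rather than on anything specific to CVE-2023-50164, so the rule's fidelity rests on the 10s correlation with the JSP creation, not on that token, and the description should say so instead of calling the token an exploit indicator. Finally, `sequence by agent.id` only joins the two stages when the Network Packet Capture and Elastic Defend integrations run under the same Elastic Agent on the web server; if packet capture comes from a separate sensor the sequence never completes, which the setup guide should state explicitly.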