Suspicious File Write to Webapps Root Directory

Original Source: [Sigma source]
Title: Suspicious File Write to Webapps Root Directory
Status: experimental
Description:Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers. This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.
References:
  -https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Date: 2025-10-20
modified:None
Tags:
  • -'attack.persistence'
  • -'attack.t1505.003'
  • -'attack.initial-access'
  • -'attack.t1190'
Logsource:
  • product: windows
  • category: file_event
Detection:
  selection_susp_img:
    Image|endswith:
      -'\dotnet.exe'
      -'\w3wp.exe'
      -'\java.exe'

  selection_servers:
    TargetFilename|contains:
      -'\apache'
      -'\tomcat'

  selection_path:
    TargetFilename|contains: '\webapps\ROOT\'
  selection_susp_extensions:
    TargetFilename|endswith: '.jsp'
  condition:all of selection_*
Falsepositives:
  -Unknown
Level: medium