Suspicious File Write to Webapps Root Directory

Sigma Rules

Summary
This detection rule identifies potentially malicious file writes to the root directory of web applications, specifically on Apache and Tomcat servers. It matches file events generated by certain executables, such as 'dotnet.exe', 'w3wp.exe' and 'java.exe', where the file path indicates a web application root directory (\webapps\ROOT\). By additionally requiring specific context, such as a '.jsp' file extension, the rule aims to pinpoint unauthorized deployments of scripts or web shells that could compromise web application integrity. The rule carries a medium severity level: any event matching these parameters should be treated as suspicious, as it may indicate an adversary attempting persistence or initial access. Because the rule only fires when all of the above criteria match, robust monitoring of web application environments for these file events is essential to identify such threats promptly.
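To show how the three conditions described above combine, here is an added example (not the Sigma rule itself, nor code from its author) that applies the same logic to constructed file-creation events. The field names `Image` and `TargetFilename`, the case-insensitive matching, and the sample paths are all assumptions made for this illustration; the real rule's exact field names and modifiers are not shown on this page.

```python
# Emulation of the "Suspicious File Write to Webapps Root Directory" logic.
# Assumed Sysmon-style field names: Image = writing process, TargetFilename = path written.

# Constructed sample events; the third element of each tuple documents the expected verdict.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Java\jdk-17\bin\java.exe",
     "TargetFilename": r"C:\tomcat\webapps\ROOT\cmd.jsp"},            # all three conditions met
    {"Image": r"C:\Program Files\Java\jdk-17\bin\java.exe",
     "TargetFilename": r"C:\tomcat\webapps\ROOT\index.html"},         # not a .jsp file
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\webapps\ROOT\shell.jsp"}, # all three conditions met
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\tomcat\webapps\ROOT\test.jsp"},           # writer is not a listed image
    {"Image": r"C:\Program Files\dotnet\dotnet.exe",
     "TargetFilename": r"C:\apps\webapps\myapp\page.jsp"},            # not the ROOT application
]

# Condition 1: the writing process is one of the listed server/runtime executables.
SUSPICIOUS_IMAGES = ("\\dotnet.exe", "\\w3wp.exe", "\\java.exe")
# Condition 2: the written path lies under the web application root directory.
WEBROOT_MARKER = "\\webapps\\root\\"
# Condition 3: the written file has a script extension of interest.
SCRIPT_EXTENSIONS = (".jsp",)


def matches_rule(event: dict) -> bool:
    """Return True when an event satisfies all three conditions (AND semantics)."""
    # Lower-casing mirrors case-insensitive string matching; Windows paths are case-insensitive.
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    return (
        image.endswith(SUSPICIOUS_IMAGES)
        and WEBROOT_MARKER in target
        and target.endswith(SCRIPT_EXTENSIONS)
    )


def detect(events: list) -> list:
    """Return the TargetFilename of every event that the rule would flag."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for path in detect(SAMPLE_EVENTS):
        print("ALERT: suspicious script written to webapps root:", path)
```

Only the two events in which a listed executable writes a `.jsp` file under `\webapps\ROOT\` are flagged; a `.html` write, a write by an unlisted process, and a `.jsp` write to a different application directory all fall outside the rule, which is why the rule is tuned to medium severity rather than firing on every file written by the server process.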
Categories
  • Web
  • Application
  • On-Premise
  • Cloud
Data Sources
  • File
  • Process
  • Web Credential
Created: 2025-10-20