Suspicious File Write to Webapps Root Directory

Rule Info

Name
Suspicious File Write to Webapps Root Directory
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers. This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.
Reference
https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
Date
2025-10-20 00:00:00
Modified
None
Id
89c42960-f244-4dad-9151-ae9b1a3287a2
Tags
attack.persistence attack.t1505.003 attack.initial-access attack.t1190
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=89c42960-f244-4dad-9151-ae9b1a3287a2

Rule History

Author
Title
Date
Commit
Swachchhanda Shrawan Poudel
Merge PR #5620 from @swachchhanda000 - Commonvault vulnerabilities
2025-10-20
a532ddb63
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022