Which SIEM platforms have a CVE-2021-26828 detection rule?

df00tech provides CVE-2021-26828 (CVE-2021-26828: OpenPLC ScadaBR Unrestricted File Upload RCE) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the CVE-2021-26828 detection?

The CVE-2021-26828 detection is rated critical severity with high confidence.

What are common false positives for CVE-2021-26828?

Common false positives for CVE-2021-26828 include: Legitimate WAR deployments by administrators to Tomcat/ScadaBR application directories; Authorized JSP development or customization of ScadaBR dashboards by ICS engineers; Security testing or vulnerability scanning tools uploading test payloads in authorized engagements.

CVE-2021-26828 Detection: CVE-2021-26828: OpenPLC ScadaBR Unrestricted File Upload RCE (KQL, SPL, Sigma + 5 SIEMs)

Q: What data sources are required to detect CVE-2021-26828: OpenPLC ScadaBR Unrestricted File Upload RCE (CVE-2021-26828)?

Detecting CVE-2021-26828: OpenPLC ScadaBR Unrestricted File Upload RCE requires the following data sources: Microsoft Defender for Endpoint, Azure Defender, Microsoft Sentinel DeviceFileEvents, DeviceProcessEvents, DeviceNetworkEvents.

Microsoft Sentinel / Defender

kusto

union DeviceNetworkEvents, DeviceProcessEvents, DeviceFileEvents
| where TimeGenerated > ago(24h)
| where (
    (ActionType == "FileCreated" and FolderPath matches regex @"(?i)(scadabr|openplc|tomcat)[/\\](webapps|upload|images)[/\\].*\.(jsp|jspx|php|war|sh|py|pl|rb|aspx|cfm)$")
    or (ActionType == "ProcessCreated" and InitiatingProcessFileName in~ ("java.exe", "java", "tomcat") and (ProcessCommandLine contains ".jsp" or ProcessCommandLine contains "cmd" or ProcessCommandLine contains "bash"))
    or (ActionType == "InboundConnectionAccepted" and RemotePort in (8080, 8443, 80, 443) and LocalPort in (8080, 8443))
)
| extend SuspiciousIndicator = case(
    ActionType == "FileCreated" and FolderPath matches regex @"(?i)\.(jsp|jspx|php|war)$", "WebShell upload to SCADA directory",
    ActionType == "ProcessCreated" and InitiatingProcessFileName in~ ("java.exe", "java"), "Java process spawning shell",
    "Suspicious SCADA web activity"
)
| project TimeGenerated, DeviceName, AccountName, ActionType, FolderPath, FileName, ProcessCommandLine, RemoteIP, SuspiciousIndicator
| order by TimeGenerated desc

Detects unrestricted file uploads to ScadaBR/OpenPLC web directories and subsequent web shell execution via Java/Tomcat processes on endpoints running SCADA software.

critical severity high confidence

Data Sources

Microsoft Defender for Endpoint Azure Defender Microsoft Sentinel DeviceFileEvents DeviceProcessEvents DeviceNetworkEvents

Required Tables

DeviceFileEvents DeviceProcessEvents DeviceNetworkEvents

False Positives

Legitimate WAR deployments by administrators to Tomcat/ScadaBR application directories
Authorized JSP development or customization of ScadaBR dashboards by ICS engineers
Security testing or vulnerability scanning tools uploading test payloads in authorized engagements
Automated backup or configuration management tools creating files in web directories

Splunk

spl

index=* sourcetype IN ("WinEventLog:Security", "WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "access_combined", "tomcat_access")
| eval suspicious_upload=if(
    (sourcetype="access_combined" OR sourcetype="tomcat_access") AND
    (method="POST") AND
    (uri_path LIKE "%/upload%" OR uri_path LIKE "%/images%" OR uri_path LIKE "%/graphicViews%") AND
    match(uri_path, "\.(jsp|jspx|php|war|sh|py|pl|aspx)$"),
    "WebShell Upload Attempt", null()
)
| eval suspicious_exec=if(
    (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode=1) AND
    (ParentImage LIKE "%java%" OR ParentImage LIKE "%tomcat%") AND
    (CommandLine LIKE "%cmd%" OR CommandLine LIKE "%powershell%" OR CommandLine LIKE "%bash%" OR CommandLine LIKE "%whoami%"),
    "Shell Spawned from Java Process", null()
)
| where isnotnull(suspicious_upload) OR isnotnull(suspicious_exec)
| eval detection_type=coalesce(suspicious_upload, suspicious_exec)
| table _time, host, src_ip, dest_ip, uri_path, method, CommandLine, ParentImage, detection_type
| sort -_time

Detects POST requests uploading dangerous file types to ScadaBR web paths and Java/Tomcat spawning command shells indicative of web shell execution following CVE-2021-26828 exploitation.

critical severity high confidence

Data Sources

Splunk Web Logs Sysmon for Windows Linux Syslog Tomcat Access Logs

Required Sourcetypes

access_combined tomcat_access WinEventLog:Microsoft-Windows-Sysmon/Operational linux_secure

False Positives

Authorized Tomcat application deployments by system administrators uploading WAR files
Legitimate ScadaBR plugin or module installations via the web interface
Development environments where engineers upload custom JSP views for HMI customization
Penetration testers conducting authorized assessments of ICS/SCADA infrastructure

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [file where event.action == "creation" and
   (
     file.path like~ "*/scadabr/*" or
     file.path like~ "*/openplc/*" or
     file.path like~ "*/tomcat/webapps/*"
   ) and
   file.extension in ("jsp", "jspx", "php", "war", "sh", "py", "pl", "aspx", "cfm")
  ]
  [process where event.action == "start" and
   (
     process.parent.name in ("java", "java.exe", "catalina.sh") or
     process.parent.executable like~ "*/jre/*"
   ) and
   process.name in ("cmd.exe", "powershell.exe", "bash", "sh", "python", "python3", "perl", "ruby", "nc", "ncat", "wget", "curl")
  ]

EQL sequence detecting file creation of dangerous file types in ScadaBR/Tomcat directories followed within 5 minutes by a command interpreter spawned from a Java parent process, indicating web shell upload and execution.

critical severity high confidence

Data Sources

Elastic Endpoint Auditbeat Filebeat

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.process-*

False Positives

Automated deployment pipelines that copy JSP files to Tomcat webapps directory before restarting services
ICS engineers deploying legitimate ScadaBR customizations via WAR packaging
Monitoring agents or health check scripts spawned from Java application servers
Load testing tools initiated by Java-based test frameworks

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  destinationport,
  URL,
  "Method" AS http_method,
  "File Name" AS uploaded_file,
  username,
  CATEGORYNAME(category) AS event_category,
  QIDNAME(qid) AS event_name
FROM events
WHERE
  LOGSOURCETYPENAME(logsourceid) IN ('Apache HTTP Server', 'Tomcat', 'Linux OS', 'Microsoft Windows Security Event Log')
  AND (
    ("Method" = 'POST' AND (
      URL LIKE '%/upload%' OR
      URL LIKE '%/graphicViews%' OR
      URL LIKE '%/images%' OR
      URL LIKE '%/scadabr%'
    ) AND (
      URL LIKE '%.jsp' OR URL LIKE '%.jspx' OR
      URL LIKE '%.php' OR URL LIKE '%.war' OR
      URL LIKE '%.sh' OR URL LIKE '%.aspx'
    ))
    OR
    (CATEGORYNAME(category) LIKE '%Process%' AND
     "Parent Process Name" LIKE '%java%' AND
     ("Process Name" LIKE '%cmd%' OR "Process Name" LIKE '%bash%' OR
      "Process Name" LIKE '%sh%' OR "Process Name" LIKE '%python%'))
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LIMIT 500

QRadar AQL query detecting POST uploads of dangerous file types to ScadaBR web paths and Java processes spawning command interpreters, indicative of CVE-2021-26828 exploitation.

critical severity medium confidence

Data Sources

QRadar Network Activity QRadar Log Activity Apache/Tomcat Log Source Windows Security Events

Required Tables

events

False Positives

Legitimate administrative file uploads to ScadaBR through authorized management sessions
Automated build and deploy processes that push WAR files to Tomcat instances
Security scanning tools performing authorized vulnerability assessments of SCADA infrastructure
Development workflows where engineers deploy custom views or modules to ScadaBR

Sumo Logic CSE

sql

_sourceCategory=* ("scadabr" OR "openplc" OR "tomcat")
| parse "* * * \"* *\" * *" as client_ip, ident, auth_user, http_method, uri_path, response_code, bytes nodrop
| where http_method = "POST"
| where uri_path matches "/upload*" OR uri_path matches "/graphicViews*" OR uri_path matches "/images*"
| where uri_path matches "*.jsp" OR uri_path matches "*.jspx" OR uri_path matches "*.php" OR uri_path matches "*.war" OR uri_path matches "*.sh" OR uri_path matches "*.aspx"
| union (
  _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
  | json "event.action", "process.name", "process.parent.name", "process.command_line" as action, proc_name, parent_name, cmdline nodrop
  | where action = "process_created"
  | where parent_name matches "*java*" OR parent_name matches "*tomcat*"
  | where proc_name in ("cmd.exe", "powershell.exe", "bash", "sh", "python", "python3", "nc", "wget", "curl")
)
| count by _sourceHost, client_ip, uri_path, http_method, proc_name, parent_name
| sort by _count desc

Sumo Logic query identifying POST requests uploading dangerous file types to ScadaBR endpoints and Java processes launching shell interpreters, flagging potential CVE-2021-26828 exploitation.

critical severity medium confidence

Data Sources

Sumo Logic HTTP Source Sysmon via Sumo Logic Collector Tomcat Access Logs Linux Syslog

Required Tables

_sourceCategory=tomcat* _sourceCategory=*sysmon* _sourceCategory=*endpoint*

False Positives

Authorized uploads of JSP-based custom dashboards by ScadaBR administrators
Tomcat WAR deployment during maintenance windows by operations teams
Java-based monitoring agents that spawn shell commands for health checks
Authorized penetration testing activities targeting ICS/SCADA web interfaces

Google Chronicle / SecOps

yaral

rule cve_2021_26828_scadabr_unrestricted_upload {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2021-26828: OpenPLC ScadaBR unrestricted file upload leading to RCE"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2021-26828"

  events:
    (
      $upload.metadata.event_type = "NETWORK_HTTP"
      $upload.network.http.method = "POST"
      (
        $upload.network.http.target_url = /\/upload/ nocase or
        $upload.network.http.target_url = /\/graphicViews/ nocase or
        $upload.network.http.target_url = /\/images\// nocase
      )
      (
        $upload.network.http.target_url = /\.jsp($|\?)/ nocase or
        $upload.network.http.target_url = /\.jspx($|\?)/ nocase or
        $upload.network.http.target_url = /\.php($|\?)/ nocase or
        $upload.network.http.target_url = /\.war($|\?)/ nocase or
        $upload.network.http.target_url = /\.sh($|\?)/ nocase
      )
      $upload.principal.ip = $src_ip
      $upload.target.hostname = $target_host
    )
    or
    (
      $exec.metadata.event_type = "PROCESS_LAUNCH"
      (
        $exec.principal.process.file.full_path = /java/ nocase or
        $exec.principal.process.file.full_path = /catalina/ nocase
      )
      (
        $exec.target.process.file.full_path = /cmd\.exe/ nocase or
        $exec.target.process.file.full_path = /powershell/ nocase or
        $exec.target.process.file.full_path = /\/bin\/bash/ nocase or
        $exec.target.process.file.full_path = /\/bin\/sh/ nocase or
        $exec.target.process.file.full_path = /python/ nocase
      )
      $exec.principal.hostname = $target_host
    )

  condition:
    $upload or $exec
}

Chronicle YARA-L rule detecting HTTP POST uploads of dangerous file extensions to ScadaBR paths and Java/Tomcat spawning command interpreters, covering both the upload phase and post-exploitation execution of CVE-2021-26828.

critical severity high confidence

Data Sources

Google Chronicle SIEM Chronicle UDM Network HTTP Events Process Launch Events

Required Tables

UDM Events - NETWORK_HTTP UDM Events - PROCESS_LAUNCH

False Positives

Authorized ScadaBR module deployments using WAR or JSP files by ICS administrators
Legitimate Java application maintenance scripts spawning shell commands during update processes
Authorized security assessment activities targeting ScadaBR instances in test environments
Automated CI/CD pipeline deployments pushing web application artifacts to Tomcat

CrowdStrike LogScale (CQL)

cql

#event_simpleName IN (FileCreateInfo, ProcessRollup2, NetworkConnectIP4)
| $target_process_name = ProcessImageFileName
| $parent_process_name = ParentBaseFileName
// Detect web shell file creation in SCADA directories
| case {
    $event_simpleName = "FileCreateInfo"
      AND (TargetFileName LIKE "%scadabr%" OR TargetFileName LIKE "%openplc%" OR TargetFileName LIKE "%tomcat%webapps%")
      AND (TargetFileName LIKE "%.jsp" OR TargetFileName LIKE "%.jspx" OR TargetFileName LIKE "%.php" OR TargetFileName LIKE "%.war" OR TargetFileName LIKE "%.sh" OR TargetFileName LIKE "%.aspx")
      => $detection = "WebShell Upload to SCADA Directory";
    // Detect Java process spawning shells
    $event_simpleName = "ProcessRollup2"
      AND ($parent_process_name LIKE "%java%" OR $parent_process_name LIKE "%catalina%")
      AND ($target_process_name IN ("cmd.exe", "powershell.exe", "bash", "sh", "python", "python3", "nc", "ncat", "wget", "curl", "whoami", "id"))
      => $detection = "Shell Spawned From Java SCADA Process";
    // Detect suspicious outbound from Java processes (reverse shell)
    $event_simpleName = "NetworkConnectIP4"
      AND ($target_process_name LIKE "%java%")
      AND RemotePort NOT IN ("80", "443", "8080", "8443", "1099")
      => $detection = "Suspicious Java Outbound Connection (Possible Reverse Shell)";
}
| $detection != null
| groupby([aid, ComputerName, UserName, $detection, TargetFileName, $target_process_name, $parent_process_name, RemoteAddressIP4, RemotePort])
| sort(timestamp, order=desc)

CrowdStrike Falcon query detecting web shell uploads to ScadaBR/Tomcat directories, Java processes spawning command interpreters, and suspicious outbound connections from Java processes indicating reverse shell activity following CVE-2021-26828 exploitation.

critical severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon Event Stream Process Telemetry File Telemetry Network Telemetry

Required Tables

FileCreateInfo ProcessRollup2 NetworkConnectIP4

False Positives

Authorized deployment of WAR applications to Tomcat by operations teams during change windows
Legitimate ScadaBR customizations where engineers deploy custom JSP graphic views
Java-based monitoring or agent software making outbound connections to non-standard ports for telemetry
Automated update mechanisms for OpenPLC or ScadaBR that download and deploy new versions

Vulnerability Intelligence

CVE

Affected Software

Weakness (CWE)

Timeline

References & Proof of Concept

CVSS

What is CVE-2021-26828 CVE-2021-26828: OpenPLC ScadaBR Unrestricted File Upload RCE?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for CVE-2021-26828

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

Get new detections in your inbox