Detect CVE-2021-26828: OpenPLC ScadaBR Unrestricted File Upload RCE in Google Chronicle
Detects exploitation of CVE-2021-26828, an unrestricted file upload vulnerability in OpenPLC ScadaBR that allows authenticated attackers to upload files with dangerous types (e.g., JSP, PHP, WAR) to the server, leading to remote code execution. ScadaBR is a SCADA/HMI web application widely used in industrial control systems. This vulnerability is actively exploited in the wild and listed in CISA KEV.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence
YARA-L Detection Query
rule cve_2021_26828_scadabr_unrestricted_upload {
meta:
author = "df00tech Detection Engineering"
description = "Detects CVE-2021-26828: OpenPLC ScadaBR unrestricted file upload leading to RCE"
severity = "CRITICAL"
priority = "HIGH"
reference = "https://nvd.nist.gov/vuln/detail/CVE-2021-26828"
events:
(
$upload.metadata.event_type = "NETWORK_HTTP"
$upload.network.http.method = "POST"
(
$upload.network.http.target_url = /\/upload/ nocase or
$upload.network.http.target_url = /\/graphicViews/ nocase or
$upload.network.http.target_url = /\/images\// nocase
)
(
$upload.network.http.target_url = /\.jsp($|\?)/ nocase or
$upload.network.http.target_url = /\.jspx($|\?)/ nocase or
$upload.network.http.target_url = /\.php($|\?)/ nocase or
$upload.network.http.target_url = /\.war($|\?)/ nocase or
$upload.network.http.target_url = /\.sh($|\?)/ nocase
)
$upload.principal.ip = $src_ip
$upload.target.hostname = $target_host
)
or
(
$exec.metadata.event_type = "PROCESS_LAUNCH"
(
$exec.principal.process.file.full_path = /java/ nocase or
$exec.principal.process.file.full_path = /catalina/ nocase
)
(
$exec.target.process.file.full_path = /cmd\.exe/ nocase or
$exec.target.process.file.full_path = /powershell/ nocase or
$exec.target.process.file.full_path = /\/bin\/bash/ nocase or
$exec.target.process.file.full_path = /\/bin\/sh/ nocase or
$exec.target.process.file.full_path = /python/ nocase
)
$exec.principal.hostname = $target_host
)
condition:
$upload or $exec
}Chronicle YARA-L rule detecting HTTP POST uploads of dangerous file extensions to ScadaBR paths and Java/Tomcat spawning command interpreters, covering both the upload phase and post-exploitation execution of CVE-2021-26828.
Data Sources
Required Tables
False Positives & Tuning
- Authorized ScadaBR module deployments using WAR or JSP files by ICS administrators
- Legitimate Java application maintenance scripts spawning shell commands during update processes
- Authorized security assessment activities targeting ScadaBR instances in test environments
- Automated CI/CD pipeline deployments pushing web application artifacts to Tomcat
Other platforms for CVE-2021-26828
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Upload JSP Web Shell to ScadaBR Upload Endpoint
Expected signal: HTTP POST to /ScadaBR/upload.shtm with multipart form data containing .jsp file; Tomcat access log shows 200 response; file creation event for .jsp file in webapps directory
- Test 2Execute OS Command via Uploaded JSP Web Shell
Expected signal: Java process (Tomcat JVM) spawning child process for id, whoami, cat commands; Sysmon Event ID 1 with ParentImage containing java; process command line containing /etc/passwd
- Test 3Establish Reverse Shell from ScadaBR Server via Web Shell
Expected signal: Java process spawning bash with /dev/tcp redirect; outbound TCP connection from ScadaBR host to ATTACKER_IP:4444; network flow event with non-standard destination port from Java process
- Test 4Upload PHP Web Shell as Image File Bypass
Expected signal: POST request to upload endpoint with PHP file disguised as image; file creation event showing PHP content in webapps directory; Content-Type mismatch between declared image/jpeg and actual PHP content
Unlock Pro Content
Get the full detection package for CVE-2021-26828 including response playbook, investigation guide, and atomic red team tests.