Emerging Threathighexperimental
Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790)
Detects the use of qoperation.exe with the -file argument to write a JSP file to the webroot, indicating a webshell drop. This is a post-authentication step corresponding to CVE-2025-57790.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Swachchhanda Shrawan Poudel (Nextron Systems)Created Mon Oct 20bd3b3fff-a018-4994-9876-68af5809160f2025
Emerging Threat
Active Threat
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic1 selector
detection:
selection:
# qoperation execute -af F:\Program Files\Commvault\ContentStore\Reports\MetricsUpload\Upload\ABC1234\rekt.xml -file F:\Program Files\Commvault\ContentStore\Apache\webapps\ROOT\wT-poc.jsp
CommandLine|contains|all:
- 'qoperation'
- 'exec'
- ' -af '
- '.xml '
- '\Apache\webapps\ROOT\'
- '.jsp'
condition: selectionFalse Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
References
MITRE ATT&CK
Tactics
Sub-techniques
Other
detection.emerging-threatscve.2025-57790
Rule Metadata
Rule ID
bd3b3fff-a018-4994-9876-68af5809160f
Status
experimental
Level
high
Type
Emerging Threat
Created
Mon Oct 20
Path
rules-emerging-threats/2025/Exploits/CVE-2025-57790/proc_creation_win_exploit_cve_2025_57790.yml
Raw Tags
attack.persistenceattack.t1505.003detection.emerging-threatscve.2025-57790