Merge PR #5620 from @swachchhanda000 - Commonvault vulnerabilities

new - Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)
new - Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790)
new - Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791)
new - Suspicious File Write to Webapps Root Directory
---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>

rules-emerging-threats/2025/Exploits/CVE-2025-57788/proc_creation_win_exploit_cve_2025_57788.yml

@@ -0,0 +1,29 @@
+title: Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)
+id: 917789e1-2c1f-4bf5-8c91-6f71a017f469
+status: experimental
+description: |
+    Detects a qlogin.exe command attempting to authenticate as the internal `_+_PublicSharingUser_` using a GUID as the password.
+    This could be an indicator of an attacker exploiting CVE-2025-57788 to gain initial access using leaked credentials.
+references:
+    - https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-10-20
+tags:
+    - attack.initial-access
+    - attack.t1078.001
+    - detection.emerging-threats
+    - cve.2025-57788
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains|all:
+            - 'qlogin'
+            - '_+_PublicSharingUser_'
+        # Detects the use of a GUID as the password, which is indicative of an exploit attempt
+        CommandLine|re: '[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}'
+    condition: selection
+falsepositives:
+    - Legitimate administrative scripts that use the `_+_PublicSharingUser_` account for valid purposes.
+level: medium

rules-emerging-threats/2025/Exploits/CVE-2025-57790/proc_creation_win_exploit_cve_2025_57790.yml

@@ -0,0 +1,32 @@
+title: Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790)
+id: bd3b3fff-a018-4994-9876-68af5809160f
+status: experimental
+description: |
+    Detects the use of qoperation.exe with the -file argument to write a JSP file to the webroot, indicating a webshell drop.
+    This is a post-authentication step corresponding to CVE-2025-57790.
+references:
+    - https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-10-20
+tags:
+    - attack.persistence
+    - attack.t1505.003
+    - detection.emerging-threats
+    - cve.2025-57790
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        # qoperation execute -af F:\Program Files\Commvault\ContentStore\Reports\MetricsUpload\Upload\ABC1234\rekt.xml -file F:\Program Files\Commvault\ContentStore\Apache\webapps\ROOT\wT-poc.jsp
+        CommandLine|contains|all:
+            - 'qoperation'
+            - 'exec'
+            - ' -af '
+            - '.xml '
+            - '\Apache\webapps\ROOT\'
+            - '.jsp'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules-emerging-threats/2025/Exploits/CVE-2025-57791/proc_creation_win_exploit_cve_2025_57791.yml

@@ -0,0 +1,30 @@
+title: Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791)
+id: ff0225a0-1d9a-4bae-ab26-6038b18bb6d4
+status: experimental
+description: |
+    Detects the use of argument injection in the Commvault qlogin command - potential exploitation for CVE-2025-57791.
+    An attacker can inject the `-localadmin` parameter via the password field to bypass authentication and gain a privileged token.
+references:
+    - https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
+author: X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-10-20
+tags:
+    - attack.initial-access
+    - attack.t1190
+    - detection.emerging-threats
+    - cve.2025-57791
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains|all:
+            - 'qlogin'
+            - ' -cs '
+            - ' -localadmin'
+            - ' -clp '
+            - '_localadmin__'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules/windows/file/file_event/file_event_win_susp_file_write_in_webapps_root.yml

@@ -0,0 +1,37 @@
+title: Suspicious File Write to Webapps Root Directory
+id: 89c42960-f244-4dad-9151-ae9b1a3287a2
+status: experimental
+description: |
+    Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers.
+    This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.
+references:
+    - https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-10-20
+tags:
+    - attack.persistence
+    - attack.t1505.003
+    - attack.initial-access
+    - attack.t1190
+logsource:
+    product: windows
+    category: file_event
+detection:
+    # Add more suspicious processes or paths or extensions as needed
+    selection_susp_img:
+        Image|endswith:
+            - '\dotnet.exe'
+            - '\w3wp.exe'
+            - '\java.exe'
+    selection_servers:
+        TargetFilename|contains:
+            - '\apache'
+            - '\tomcat'
+    selection_path:
+        TargetFilename|contains: '\webapps\ROOT\'
+    selection_susp_extensions:
+        TargetFilename|endswith: '.jsp'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium