|
| 1 | +[metadata] |
| 2 | +creation_date = "2025/12/02" |
| 3 | +integration = ["nginx", "apache", "apache_tomcat", "iis"] |
| 4 | +maturity = "production" |
| 5 | +updated_date = "2025/12/02" |
| 6 | + |
| 7 | +[rule] |
| 8 | +author = ["Elastic"] |
| 9 | +description = """ |
| 10 | +This rule detects potential Remote File Inclusion (RFI) activity on web servers by identifying HTTP GET requests that |
| 11 | +attempt to access sensitive remote files through directory traversal techniques or known file paths. Attackers may |
| 12 | +exploit RFI vulnerabilities to read sensitive files, gain system information, or further compromise the server. |
| 13 | +""" |
| 14 | +from = "now-9m" |
| 15 | +interval = "10m" |
| 16 | +language = "esql" |
| 17 | +license = "Elastic License v2" |
| 18 | +name = "Web Server Potential Remote File Inclusion Activity" |
| 19 | +risk_score = 21 |
| 20 | +rule_id = "45d099b4-a12e-4913-951c-0129f73efb41" |
| 21 | +severity = "low" |
| 22 | +tags = [ |
| 23 | + "Domain: Web", |
| 24 | + "Use Case: Threat Detection", |
| 25 | + "Tactic: Discovery", |
| 26 | + "Tactic: Command and Control", |
| 27 | + "Data Source: Nginx", |
| 28 | + "Data Source: Apache", |
| 29 | + "Data Source: Apache Tomcat", |
| 30 | + "Data Source: IIS", |
| 31 | +] |
| 32 | +timestamp_override = "event.ingested" |
| 33 | +type = "esql" |
| 34 | +query = ''' |
| 35 | +from |
| 36 | + logs-nginx.access-*, |
| 37 | + logs-apache.access-*, |
| 38 | + logs-apache_tomcat.access-*, |
| 39 | + logs-iis.access-* |
| 40 | +| where |
| 41 | + http.request.method == "GET" and |
| 42 | + http.response.status_code == 200 and |
| 43 | + url.original like "*=*" |
| 44 | +
|
| 45 | +| eval Esql.url_original_url_decoded_to_lower = to_lower(URL_DECODE(url.original)) |
| 46 | +
|
| 47 | +| where |
| 48 | + Esql.url_original_url_decoded_to_lower like "*=http://*" or |
| 49 | + Esql.url_original_url_decoded_to_lower like "*=https://*" or |
| 50 | + Esql.url_original_url_decoded_to_lower like "*=ftp://*" or |
| 51 | + Esql.url_original_url_decoded_to_lower like "*=smb://*" or |
| 52 | + Esql.url_original_url_decoded_to_lower like "*=file://*" or |
| 53 | + Esql.url_original_url_decoded_to_lower rlike """.*=.*[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}.*""" |
| 54 | +
|
| 55 | +| keep |
| 56 | + @timestamp, |
| 57 | + Esql.url_original_url_decoded_to_lower, |
| 58 | + source.ip, |
| 59 | + agent.id, |
| 60 | + host.name, |
| 61 | + http.request.method, |
| 62 | + http.response.status_code, |
| 63 | + event.dataset |
| 64 | +
|
| 65 | +| stats |
| 66 | + Esql.event_count = count(), |
| 67 | + Esql.url_original_url_decoded_to_lower_count_distinct = count_distinct(Esql.url_original_url_decoded_to_lower), |
| 68 | + Esql.host_name_values = values(host.name), |
| 69 | + Esql.agent_id_values = values(agent.id), |
| 70 | + Esql.http_request_method_values = values(http.request.method), |
| 71 | + Esql.http_response_status_code_values = values(http.response.status_code), |
| 72 | + Esql.url_original_url_decoded_to_lower_values = values(Esql.url_original_url_decoded_to_lower), |
| 73 | + Esql.event_dataset_values = values(event.dataset) |
| 74 | + by source.ip |
| 75 | +''' |
| 76 | + |
| 77 | +[[rule.threat]] |
| 78 | +framework = "MITRE ATT&CK" |
| 79 | + |
| 80 | +[[rule.threat.technique]] |
| 81 | +id = "T1083" |
| 82 | +name = "File and Directory Discovery" |
| 83 | +reference = "https://attack.mitre.org/techniques/T1083/" |
| 84 | + |
| 85 | +[rule.threat.tactic] |
| 86 | +id = "TA0007" |
| 87 | +name = "Discovery" |
| 88 | +reference = "https://attack.mitre.org/tactics/TA0007/" |
| 89 | + |
| 90 | +[[rule.threat]] |
| 91 | +framework = "MITRE ATT&CK" |
| 92 | + |
| 93 | +[rule.threat.tactic] |
| 94 | +id = "TA0011" |
| 95 | +name = "Command and Control" |
| 96 | +reference = "https://attack.mitre.org/tactics/TA0011/" |
0 commit comments