Update rules/network/initial_access_potential_toolshell_exploit_attempt.toml

terrancedejesus · w0rk3r · web-flow · commit ac7d8c085701 · 2025-07-24T08:22:30.000-04:00
Co-authored-by: Jonhnathan &lt;26856693+w0rk3r@users.noreply.github.com&gt;
diff --git a/rules/network/initial_access_potential_toolshell_exploit_attempt.toml b/rules/network/initial_access_potential_toolshell_exploit_attempt.toml
@@ -42,13 +42,12 @@ type = "query"
 
 query = '''
 data_stream.dataset : "network_traffic.http" and
-    url.path: /_layouts*ToolPane.aspx and
+    url.path: (/_layouts*ToolPane.aspx* or /_layouts*toolpane.aspx*) and
     http.request.referrer: *SignOut.aspx and
-    http.request.headers.content-type: "application/x-www-form-urlencoded" and
     network.direction: "ingress" and
     http.request.method: "POST" and
     request: (*MSOTlPn_Uri* and *DisplayMode*) and
-    http.request.body.bytes >  5000
+    http.request.body.bytes >  2000
 '''
 
 
