Multiple Suspicious Resp Codes Caused by Single Client

Detects possible exploitation activity or bugs in a web application

Sigma rule (View on GitHub)

title: Multiple Suspicious Resp Codes Caused by Single Client
id: 6fdfc796-06b3-46e8-af08-58f3505318af
status: unsupported
description: Detects possible exploitation activity or bugs in a web application
author: Thomas Patzke
date: 2017/02/19
modified: 2023/03/24
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        sc-status:
            - 400
            - 401
            - 403
            - 500
    timeframe: 10m
    condition: selection | count() by clientip > 10
fields:
    - client_ip
    - vhost
    - url
    - response
falsepositives:
    - Unstable application
    - Application that misuses the response codes
level: medium
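The rule's detection is a per-client count of the listed response codes inside a 10-minute window. The following is an added example, not code from the Sigma project or any Sigma backend, that implements that same logic in Python over constructed Apache combined-format log lines; the IP addresses and paths in the sample are made up.

```python
# Added example (not Sigma project code): the counting logic this rule expresses,
# applied to constructed Apache combined-format log lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SUSPICIOUS_CODES = {400, 401, 403, 500}   # the rule's sc-status list
WINDOW = timedelta(minutes=10)            # timeframe: 10m
THRESHOLD = 10                            # count() by clientip > 10

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (client_ip, timestamp, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), int(m.group("status"))

def find_offenders(lines, window=WINDOW, threshold=THRESHOLD):
    """Return the client IPs with more than `threshold` suspicious responses in any `window` span."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] in SUSPICIOUS_CODES:
            events[parsed[0]].append(parsed[1])
    offenders = set()
    for ip, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop events that fell out of the window
                start += 1
            if end - start + 1 > threshold:
                offenders.add(ip)
                break
    return offenders

def sample_log():
    """Constructed sample: 12 x 403 from 203.0.113.5 within 3 minutes (fires); 404/500 every 5 min from 198.51.100.7 (does not)."""
    base = datetime(2023, 3, 24, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET /admin/{n} HTTP/1.1" {code} 512'
    lines = []
    for n in range(12):
        ts = (base + timedelta(seconds=15 * n)).strftime(TS_FMT)
        lines.append(fmt.format(ip="203.0.113.5", ts=ts, n=n, code=403))
        ts = (base + timedelta(minutes=5 * n)).strftime(TS_FMT)
        lines.append(fmt.format(ip="198.51.100.7", ts=ts, n=n, code=500 if n % 2 else 404))
    return lines
```

Calling `find_offenders(sample_log())` returns `{'203.0.113.5'}`; the second client stays below the threshold because its 500s are spread out and its 404s are not in the rule's code list, which mirrors the "unstable application" false positive the rule lists.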
