Detects possible Java payloads in web access logs
Detects POST requests to the F5 BIG-IP iControl REST API "bash" endpoint, which allows the execution of commands on the BIG-IP
Detects known suspicious (default) user-agents related to scanning/recon tools
Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication
When IIS uses an old .NET Framework, it's possible to enumerate folders with the symbol "~"
Detects XSS attempts injected via GET requests in access logs
Detects SSTI attempts sent via GET requests in access logs
Detects potential SQL injection attempts via GET requests in access logs.
Detects path traversal exploitation attempts
Detects exploitation attempts using the JNDI-Exploit-Kit
Detects common commands used in Windows webshells
Detects source code enumeration via GET requests by searching for keywords in URL strings
Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.