Path Traversal Exploitation Attempts

Detects path traversal exploitation attempts

Sigma rule (View on GitHub)

 1title: Path Traversal Exploitation Attempts
 2id: 7745c2ea-24a5-4290-b680-04359cb84b35
 3status: test
 4description: Detects path traversal exploitation attempts
 5references:
 6    - https://github.com/projectdiscovery/nuclei-templates
 7    - https://book.hacktricks.xyz/pentesting-web/file-inclusion
 8author: Subhash Popuri (@pbssubhash), Florian Roth (Nextron Systems), Thurein Oo, Nasreddine Bencherchali (Nextron Systems)
 9date: 2021-09-25
10modified: 2023-08-31
11tags:
12    - attack.initial-access
13    - attack.t1190
14logsource:
15    category: webserver
16detection:
17    selection:
18        cs-uri-query|contains:
19            - '../../../../../lib/password'
20            - '../../../../windows/'
21            - '../../../etc/'
22            - '..%252f..%252f..%252fetc%252f'
23            - '..%c0%af..%c0%af..%c0%afetc%c0%af'
24            - '%252e%252e%252fetc%252f'
25    condition: selection
26falsepositives:
27    - Expected to be continuously seen on systems exposed to the Internet
28    - Internal vulnerability scanners
29level: medium

References

Related rules

to-top