← Library
sigmaDRL-1.1from SigmaHQ/sigma

Path Traversal Exploitation Attempts

Detects path traversal exploitation attempts

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1190
Rule sourcerules/web/webserver_generic/web_path_traversal_exploitation_attempt.yml
title: Path Traversal Exploitation Attempts
id: 7745c2ea-24a5-4290-b680-04359cb84b35
status: test
description: Detects path traversal exploitation attempts
references:
    - https://github.com/projectdiscovery/nuclei-templates
    - https://book.hacktricks.xyz/pentesting-web/file-inclusion
author: Subhash Popuri (@pbssubhash), Florian Roth (Nextron Systems), Thurein Oo, Nasreddine Bencherchali (Nextron Systems)
date: 2021-09-25
modified: 2023-08-31
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - '../../../../../lib/password'
            - '../../../../windows/'
            - '../../../etc/'
            - '..%252f..%252f..%252fetc%252f'
            - '..%c0%af..%c0%af..%c0%afetc%c0%af'
            - '%252e%252e%252fetc%252f'
    condition: selection
falsepositives:
    - Expected to be continuously seen on systems exposed to the Internet
    - Internal vulnerability scanners
level: medium