Florian Roth
26 lines
752 B
YAML
26 lines
752 B
YAML
title: Path Traversal Exploitation Attempts
|
|
id: 7745c2ea-24a5-4290-b680-04359cb84b35
|
|
author: Subhash Popuri (@pbssubhash), Florian Roth (generalisation)
|
|
date: 2021/09/25
|
|
status: experimental
|
|
description: Detects path traversal exploitation attempts
|
|
references:
|
|
- https://github.com/projectdiscovery/nuclei-templates
|
|
logsource:
|
|
category: webserver
|
|
detection:
|
|
selection:
|
|
c-uri|contains:
|
|
- '../../../../../etc/passwd'
|
|
- '../../../../windows/'
|
|
- '../../../../../lib/password'
|
|
condition: selection
|
|
false_positives:
|
|
- Happens all the time on systems exposed to the Internet
|
|
- Penetration testing activity on internal systems
|
|
- Internal vulnerability scanners
|
|
tags:
|
|
- attack.initial_access
|
|
- attack.t1190
|
|
level: medium
|