Web Server Potential Remote File Inclusion Activity
This rule detects potential Remote File Inclusion (RFI) activity on web servers by identifying HTTP GET requests that attempt to access sensitive remote files through directory traversal techniques or known file paths. Attackers may exploit RFI vulnerabilities to read sensitive files, gain system information, or further compromise the server.
Rule type: esql
Rule indices:
Rule Severity: low
Risk Score: 21
Runs every: 10m
Searches indices from: now-11m
Maximum alerts per execution: ?
References:
Tags:
- Domain: Web
- Use Case: Threat Detection
- Tactic: Discovery
- Tactic: Command and Control
- Data Source: Nginx
- Data Source: Apache
- Data Source: Apache Tomcat
- Data Source: IIS
Version: ?
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query:
from
logs-nginx.access-*,
logs-apache.access-*,
logs-apache_tomcat.access-*,
logs-iis.access-*
| where
http.request.method == "GET" and
http.response.status_code == 200 and
url.original like "*=*"
| eval Esql.url_original_url_decoded_to_lower = to_lower(URL_DECODE(url.original))
| where
Esql.url_original_url_decoded_to_lower like "*=http://*" or
Esql.url_original_url_decoded_to_lower like "*=https://*" or
Esql.url_original_url_decoded_to_lower like "*=ftp://*" or
Esql.url_original_url_decoded_to_lower like "*=smb://*" or
Esql.url_original_url_decoded_to_lower like "*=file://*" or
Esql.url_original_url_decoded_to_lower rlike """.*=.*[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}.*"""
| keep
@timestamp,
Esql.url_original_url_decoded_to_lower,
source.ip,
agent.id,
host.name,
http.request.method,
http.response.status_code,
event.dataset,
data_stream.namespace
| stats
Esql.event_count = count(),
Esql.url_original_url_decoded_to_lower_count_distinct = count_distinct(Esql.url_original_url_decoded_to_lower),
Esql.host_name_values = values(host.name),
Esql.agent_id_values = values(agent.id),
Esql.http_request_method_values = values(http.request.method),
Esql.http_response_status_code_values = values(http.response.status_code),
Esql.url_original_url_decoded_to_lower_values = values(Esql.url_original_url_decoded_to_lower),
Esql.event_dataset_values = values(event.dataset),
Esql.data_stream_namespace_values = values(data_stream.namespace)
by source.ip
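The rule's per-event filter and its per-source aggregation, re-implemented in Python as an added example (not Elastic's code) so the logic can be run offline against constructed access-log events; `unquote` plus `lower()` stands in for ES|QL's URL_DECODE and to_lower, and the event dict keys are an assumption of this example. It also shows that the dotted-quad regex fires on a benign version string, a false-positive source worth tuning for.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Scheme prefixes the rule's LIKE patterns look for directly after a "=".
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "smb://", "file://")
# The rule's RLIKE pattern (full-match semantics): "=" followed somewhere by a dotted quad.
DOTTED_QUAD = re.compile(r".*=.*[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}.*")


def matches_rfi_rule(method, status_code, url_original):
    """Apply the rule's WHERE clauses to one event; return the decoded, lowercased URL or None."""
    # First WHERE: GET, 200, and a literal "=" in the raw (still encoded) URL.
    if method != "GET" or status_code != 200 or "=" not in url_original:
        return None
    # EVAL: percent-decode then lowercase, standing in for URL_DECODE + to_lower.
    decoded = unquote(url_original).lower()
    # Second WHERE: "=<scheme>://" anywhere in the decoded URL, or the dotted-quad regex.
    if any("=" + scheme in decoded for scheme in REMOTE_SCHEMES) or DOTTED_QUAD.fullmatch(decoded):
        return decoded
    return None


def aggregate_by_source(events):
    """Reproduce the STATS ... BY source.ip clause over a list of event dicts (assumed keys)."""
    per_source = defaultdict(list)
    for ev in events:
        hit = matches_rfi_rule(ev["method"], ev["status"], ev["url"])
        if hit is not None:
            per_source[ev["source_ip"]].append(hit)
    return {ip: {"event_count": len(urls),
                 "url_count_distinct": len(set(urls)),
                 "url_values": sorted(set(urls))}
            for ip, urls in per_source.items()}


def make_event(source_ip, method, status, url):
    return {"source_ip": source_ip, "method": method, "status": status, "url": url}


# Constructed sample events (documentation address ranges, not real traffic).
SAMPLE_EVENTS = [
    make_event("198.51.100.5", "GET", 200, "/index.php?page=http://203.0.113.10/include.txt"),
    # Same request with the scheme percent-encoded: decoding collapses it onto the one above.
    make_event("198.51.100.5", "GET", 200, "/index.php?page=%68%74%74%70%3A%2F%2F203.0.113.10%2Finclude.txt"),
    # Benign version string that still satisfies the dotted-quad regex (a false-positive source).
    make_event("192.0.2.77", "GET", 200, "/static/app.js?version=1.2.3.4"),
    # Dropped by the status-code and method conditions respectively.
    make_event("198.51.100.5", "GET", 404, "/index.php?page=http://203.0.113.10/include.txt"),
    make_event("192.0.2.77", "POST", 200, "/upload?src=ftp://203.0.113.10/data"),
]
```

Running `aggregate_by_source(SAMPLE_EVENTS)` yields two events but only one distinct URL for 198.51.100.5, showing why the decode step precedes the match, and a single hit for 192.0.2.77 that a production deployment would likely want to exclude.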
Framework: MITRE ATT&CK
Tactic:
- Name: Discovery
- Id: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
Technique:
- Name: File and Directory Discovery
- Id: T1083
- Reference URL: https://attack.mitre.org/techniques/T1083/
Framework: MITRE ATT&CK
Tactic:
- Name: Command and Control
- Id: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/