{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/internet-information-services/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Nginx","Apache HTTP Server","Apache Tomcat","Internet Information Services","Traefik"],"_cs_severities":["medium"],"_cs_tags":["rfi","webserver","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Nginx","Apache Software Foundation","Microsoft","Traefik Labs"],"content_html":"\u003cp\u003eThis detection rule identifies potential Remote File Inclusion (RFI) attacks targeting web servers. RFI vulnerabilities allow attackers to inject malicious code by including remote files into the web server's application. The rule focuses on detecting HTTP GET requests with a 200 OK status code that contain suspicious URL parameters. These parameters attempt to access sensitive remote files using directory traversal techniques or directly specifying known file paths. This activity can lead to unauthorized access to sensitive information, system information disclosure, or further server compromise. The rule covers web servers like Nginx, Apache, Apache Tomcat, IIS, and Traefik. This activity is important for defenders to detect, as it can lead to significant data breaches and system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable web server endpoint that is susceptible to RFI.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request. This request includes a URL parameter (e.g., \u003ccode\u003epage=\u003c/code\u003e, \u003ccode\u003eurl=\u003c/code\u003e, \u003ccode\u003esrc=\u003c/code\u003e) with a URL pointing to a remote file or IP address controlled by the attacker. The URL can also leverage wrappers like \u003ccode\u003ephp://\u003c/code\u003e, \u003ccode\u003edata://\u003c/code\u003e, or \u003ccode\u003efile://\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe victim web server receives the malicious GET request.\u003c/li\u003e\n\u003cli\u003eThe web server processes the request and attempts to include the remote file specified in the URL parameter.\u003c/li\u003e\n\u003cli\u003eIf the web server is vulnerable, it successfully fetches the content from the attacker-controlled remote server.\u003c/li\u003e\n\u003cli\u003eThe attacker's malicious code or script within the included file is executed within the context of the web server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the web server's file system, configuration files, or sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker can then escalate privileges, install malware, or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful RFI attacks can lead to severe consequences, including unauthorized access to sensitive data, system compromise, and potential data breaches. Attackers can leverage RFI to read configuration files, gain access to credentials, and execute arbitrary code on the web server. This could result in the loss of confidential information, disruption of services, or the complete takeover of the affected system. The impact of a successful RFI attack can range from information disclosure to full system compromise, depending on the severity of the vulnerability and the attacker's objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Web Server Potential Remote File Inclusion Activity\u0026quot; to your SIEM to detect suspicious GET requests containing remote URLs (see rules section).\u003c/li\u003e\n\u003cli\u003eInspect web server logs (Nginx, Apache, Apache Tomcat, IIS, and Traefik) for GET requests with status code 200 containing parameters with encoded URLs or raw IPs.\u003c/li\u003e\n\u003cli\u003eImplement and tune WAF rules to block suspicious include parameters (e.g., \u003ccode\u003epage=\u003c/code\u003e, \u003ccode\u003eurl=\u003c/code\u003e, or \u003ccode\u003esrc=\u003c/code\u003e) containing \u003ccode\u003ehttp://\u003c/code\u003e, \u003ccode\u003ehttps://\u003c/code\u003e, \u003ccode\u003eftp://\u003c/code\u003e, \u003ccode\u003esmb://\u003c/code\u003e, or \u003ccode\u003efile://\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eRestrict outbound connections from web servers to known, trusted domains to prevent exploitation of RFI vulnerabilities.\u003c/li\u003e\n\u003cli\u003eSet PHP \u003ccode\u003eallow_url_include=Off\u003c/code\u003e and \u003ccode\u003eallow_url_fopen=Off\u003c/code\u003e in PHP configuration files to mitigate RFI vulnerabilities.\u003c/li\u003e\n\u003cli\u003eApply \u003ccode\u003eopen_basedir\u003c/code\u003e restrictions in PHP to limit the files that PHP scripts can access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:22:34Z","date_published":"2024-01-09T18:22:34Z","id":"https://feed.craftedsignal.io/briefs/2024-01-rfi-discovery/","summary":"This rule detects potential Remote File Inclusion (RFI) activity on web servers by identifying HTTP GET requests that attempt to access sensitive remote files through directory traversal techniques or known file paths, potentially leading to information disclosure or further compromise.","title":"Web Server Potential Remote File Inclusion Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-rfi-discovery/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Nginx","Apache HTTP Server","Apache Tomcat","Internet Information Services","Traefik"],"_cs_severities":["low"],"_cs_tags":["remote-file-inclusion","web-server","discovery"],"_cs_type":"advisory","_cs_vendors":["Nginx","Apache","Microsoft","Traefik"],"content_html":"\u003cp\u003eThis rule identifies potential Remote File Inclusion (RFI) attacks against web servers, specifically targeting Nginx, Apache, Apache Tomcat, IIS, and Traefik. The detection logic focuses on HTTP GET requests that receive a 200 OK response and include URL parameters that contain remote URLs or raw IP addresses. The rule is designed to detect attempts to exploit RFI vulnerabilities, where attackers try to force the application to fetch external content or reveal local files. The rule uses esql and url decoding to normalize the request before checking for suspicious URL schemes and IP addresses. The minimum stack version is 9.2.0 to support the esql url_decode() operator.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a web server running a vulnerable application (e.g., PHP application on Apache).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request containing a URL parameter (e.g., \u003ccode\u003epage\u003c/code\u003e) designed to exploit an RFI vulnerability.\u003c/li\u003e\n\u003cli\u003eThe malicious GET request includes a remote URL (e.g., \u003ccode\u003ehttp://203.0.113.10/drop.txt\u003c/code\u003e) or an IP address within the vulnerable parameter.\u003c/li\u003e\n\u003cli\u003eThe web server processes the request and attempts to fetch the remote content specified in the URL.\u003c/li\u003e\n\u003cli\u003eIf successful (HTTP 200 OK), the remote content is included in the web server's response.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the inclusion of the remote file to execute arbitrary code or access sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RFI to further compromise the web server, potentially installing a webshell or exfiltrating data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful RFI attack can lead to the disclosure of sensitive information, arbitrary code execution, and complete compromise of the web server. This can result in data breaches, service disruption, and reputational damage. The elastic rule considers attacks against Nginx, Apache, Apache Tomcat, IIS, and Traefik web servers, impacting any organizations utilizing these platforms.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eBlock the identified malicious IP \u003ccode\u003e203.0.113.10\u003c/code\u003e at the firewall or intrusion prevention system based on its context as an example RFI probe.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the \u003ccode\u003eurl.original\u003c/code\u003e field in the logs to understand the attempted RFI.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-web-server-rfi/","summary":"This rule detects potential Remote File Inclusion (RFI) activity on web servers by identifying HTTP GET requests that attempt to access sensitive remote files through directory traversal techniques or known file paths to read sensitive files, gain system information, or further compromise the server.","title":"Web Server Remote File Inclusion Activity Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-web-server-rfi/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Nginx","Apache HTTP Server","Apache Tomcat","Internet Information Services","Traefik"],"_cs_severities":["low"],"_cs_tags":["web-server","fuzzing","reconnaissance","web-application"],"_cs_type":"advisory","_cs_vendors":["Nginx","Apache Software Foundation","Microsoft","Traefik Labs"],"content_html":"\u003cp\u003eThis rule detects potential reconnaissance activity against web servers, specifically web server discovery or fuzzing. The activity is characterized by a single source IP address generating a high volume of HTTP GET requests that result in 404 (Not Found) or 403 (Forbidden) status codes within a short time period. The logic is based on analysis of web server logs from Nginx, Apache, Apache Tomcat, IIS, and Traefik. Such patterns typically indicate an attacker is trying to discover hidden or unlinked resources, potentially identifying vulnerabilities or sensitive information disclosure points on the web server. This discovery phase can often precede more targeted attacks. The detection logic triggers when more than 500 events from a single source IP are observed, involving more than 250 distinct URL requests.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker initiates a connection to the target web server using an automated tool.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a large number of HTTP GET requests to the web server, probing various URLs and paths.\u003c/li\u003e\n\u003cli\u003eThe web server responds to the requests, often returning 404 (Not Found) or 403 (Forbidden) status codes for non-existent or restricted resources.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the HTTP response codes to identify potentially accessible or vulnerable resources.\u003c/li\u003e\n\u003cli\u003eIf accessible resources are found (e.g., administrative interfaces, backup files), the attacker attempts to access them.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt further exploitation based on discovered vulnerabilities or accessible resources.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the web server or sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities such as data theft, defacement, or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful web server discovery and fuzzing can lead to the identification of sensitive files (e.g., configuration files, backups), vulnerable endpoints (e.g., administrative interfaces), and insecure configurations. An attacker can leverage this information to gain unauthorized access, leading to data breaches, system compromise, or service disruption. The severity of the impact depends on the nature of the exposed resources and the attacker's capabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eWeb Server Fuzzing Detection\u003c/code\u003e to your SIEM and tune the threshold based on your environment's baseline traffic to reduce false positives.\u003c/li\u003e\n\u003cli\u003eReview web server logs for patterns matching the description in the \u003ccode\u003eOverview\u003c/code\u003e to identify potential attackers.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on your web servers and WAF to mitigate the impact of web server discovery and fuzzing attempts, based on the analysis of \u003ccode\u003ehttp.request.method\u003c/code\u003e and \u003ccode\u003ehttp.response.status_code\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnsure that sensitive files and directories are properly secured and not publicly accessible, reviewing access control configurations on the web server.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to common sensitive paths (e.g., /.env, /.git, /admin), using a rule targeting the \u003ccode\u003eurl.original\u003c/code\u003e field, to detect unauthorized access attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-web-server-fuzzing/","summary":"Detection of web server discovery or fuzzing activity indicated by a high volume of HTTP GET requests resulting in 404 or 403 status codes originating from a single source IP address within a short timeframe, suggesting attempts to discover hidden resources.","title":"Web Server Discovery or Fuzzing Activity Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-web-server-fuzzing/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Nginx","Apache HTTP Server","Apache Tomcat","Internet Information Services","Traefik"],"_cs_severities":["low"],"_cs_tags":["reconnaissance","web-server","fuzzing"],"_cs_type":"advisory","_cs_vendors":["Nginx","Apache","Microsoft","Traefik Labs"],"content_html":"\u003cp\u003eThis detection identifies web server reconnaissance and fuzzing attempts. The rule is triggered when a single source IP address generates a high volume of HTTP GET requests that result in 404 (Not Found) or 403 (Forbidden) status codes within a short period. This behavior suggests an attacker is trying to discover hidden or unlinked resources on a web server, a common initial step before more targeted attacks. This is achieved by counting events and distinct URLs accessed from logs across Nginx, Apache, Apache Tomcat, IIS, and Traefik web servers. The rule triggers if more than 500 events and 250 distinct URLs are observed from a single IP address within the monitored timeframe.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker initiates network connections to a target web server (Nginx, Apache, etc.).\u003c/li\u003e\n\u003cli\u003eThe attacker sends a series of HTTP GET requests to various URLs, often using a wordlist.\u003c/li\u003e\n\u003cli\u003eThe web server processes each request and returns HTTP status codes.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the HTTP status codes to identify existing resources.\u003c/li\u003e\n\u003cli\u003eA large number of 404 (Not Found) or 403 (Forbidden) responses indicate a fuzzing attempt.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies potentially vulnerable or misconfigured resources.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to exploit discovered vulnerabilities.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation could lead to information disclosure or unauthorized access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful web server discovery enables attackers to map out a web application's structure and identify potential vulnerabilities or misconfigurations. This reconnaissance can precede more severe attacks, such as unauthorized access to sensitive data, code execution, or denial-of-service attacks. While this rule has low severity, successful reconnaissance can lead to high impact outcomes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eHigh Volume of 404/403 GET Requests\u003c/code\u003e to your SIEM and tune the threshold (events \u0026gt; 500 and URLs \u0026gt; 250) for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to identify the source IP address and the target web server, then check the associated logs.\u003c/li\u003e\n\u003cli\u003eReview WAF/CDN logs for rate limiting and blocks related to the suspicious source IP, as recommended in the overview.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on web servers to mitigate the impact of web server discovery and fuzzing attempts, as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eHarden the web tier by disabling directory listing and default app endpoints, blocking patterns like /.git/, /.env, and /backup.zip at the WAF, and restricting origin access to CDN egress only, as mentioned in the overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-web-server-recon/","summary":"Detection of potential web server discovery or fuzzing activity characterized by a high volume of HTTP GET requests resulting in 404 or 403 status codes originating from a single source IP address within a short timeframe, indicating attackers are probing for hidden resources.","title":"Web Server Discovery or Fuzzing Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-web-server-recon/"}],"language":"en","title":"CraftedSignal Threat Feed - Internet Information Services","version":"https://jsonfeed.org/version/1.1"}