Detect Local File InclusionLFI in web requests ASIM Web Session
| Id | 7bb55d05-ef39-4a40-8079-0bc3c05e7881 |
| Rulename | Detect Local File Inclusion(LFI) in web requests (ASIM Web Session) |
| Description | LFI vulnerabilities allow an attacker to read (and sometimes execute) files on the victim machine. This can be very dangerous because if the web server is misconfigured and running with high privileges, the attacker may gain access to sensitive information |
| Severity | High |
| Tactics | InitialAccess Execution |
| Techniques | T1190 T1133 T1059 |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/LocalFileInclusion-LFI.yaml |
| Version | 1.0.0 |
| Arm template | 7bb55d05-ef39-4a40-8079-0bc3c05e7881.json |
let lookback = 5m;
let LFI_Indicators = materialize(externaldata(Indicators: string)
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/LocalFileInclusionIndicators.csv"]
with(format="csv", ignoreFirstRecord=True));
let CustomLocalFileInclusionIndicators = (_ASIM_GetWatchlistRaw("Web_LocalFileInclusionIndicators") // Create new Watchlist and add your custom indicators(Optional)
| extend
Indicators = tostring(WatchlistItem["Indicators"])
| project Indicators
| where isnotempty(Indicators));
let CombinedLFIList = union LFI_Indicators, CustomLocalFileInclusionIndicators;
let knownLFIIndicators=toscalar(CombinedLFIList
| where isnotempty(Indicators)
| summarize make_set(Indicators, 1000));
_Im_WebSession(starttime=ago(lookback), url_has_any=knownLFIIndicators, eventresult='Success')
| where isnotempty(Url)
| project Url, SrcIpAddr, SrcUsername, SrcHostname, TimeGenerated
| extend Decoded_url = url_decode(Url)
| where Decoded_url has_any (knownLFIIndicators)
| summarize
EventCount=count(),
EventStartTime=min(TimeGenerated),
EventEndTime=max(TimeGenerated)
by SrcIpAddr, SrcUsername, SrcHostname, Url, Decoded_url
| extend
Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")
| order by EventCount desc
relevantTechniques:
- T1190
- T1133
- T1059
name: Detect Local File Inclusion(LFI) in web requests (ASIM Web Session)
requiredDataConnectors: []
entityMappings:
- fieldMappings:
- identifier: Address
columnName: SrcIpAddr
entityType: IP
- fieldMappings:
- identifier: Url
columnName: Url
entityType: URL
- fieldMappings:
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
entityType: Account
- fieldMappings:
- identifier: HostName
columnName: SrcHostname
entityType: Host
triggerThreshold: 0
id: 7bb55d05-ef39-4a40-8079-0bc3c05e7881
tactics:
- InitialAccess
- Execution
version: 1.0.0
customDetails:
EventEndTime: EventEndTime
EventCount: EventCount
EventStartTime: EventStartTime
Decoded_url: Decoded_url
queryPeriod: 5m
alertDetailsOverride:
alertDisplayNameFormat: Potential Local File Inlcusion(LFI) performed by user '{{SrcUsername}}' from IP '{{SrcIpAddr}}'
alertDescriptionFormat: User requested for URL '{{Url}}' which contains LFI related keywords or indicators. It suggests an attempt to traverse directories and access files outside the intended directory structure
triggerOperator: gt
kind: Scheduled
tags:
- Schema: WebSession
SchemaVersion: 0.2.6
eventGroupingSettings:
aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/LocalFileInclusion-LFI.yaml
queryFrequency: 5m
severity: High
status: Available
description: |
'LFI vulnerabilities allow an attacker to read (and sometimes execute) files on the victim machine. This can be very dangerous because if the web server is misconfigured and running with high privileges, the attacker may gain access to sensitive information'
query: |
let lookback = 5m;
let LFI_Indicators = materialize(externaldata(Indicators: string)
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/LocalFileInclusionIndicators.csv"]
with(format="csv", ignoreFirstRecord=True));
let CustomLocalFileInclusionIndicators = (_ASIM_GetWatchlistRaw("Web_LocalFileInclusionIndicators") // Create new Watchlist and add your custom indicators(Optional)
| extend
Indicators = tostring(WatchlistItem["Indicators"])
| project Indicators
| where isnotempty(Indicators));
let CombinedLFIList = union LFI_Indicators, CustomLocalFileInclusionIndicators;
let knownLFIIndicators=toscalar(CombinedLFIList
| where isnotempty(Indicators)
| summarize make_set(Indicators, 1000));
_Im_WebSession(starttime=ago(lookback), url_has_any=knownLFIIndicators, eventresult='Success')
| where isnotempty(Url)
| project Url, SrcIpAddr, SrcUsername, SrcHostname, TimeGenerated
| extend Decoded_url = url_decode(Url)
| where Decoded_url has_any (knownLFIIndicators)
| summarize
EventCount=count(),
EventStartTime=min(TimeGenerated),
EventEndTime=max(TimeGenerated)
by SrcIpAddr, SrcUsername, SrcHostname, Url, Decoded_url
| extend
Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")
| order by EventCount desc
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7bb55d05-ef39-4a40-8079-0bc3c05e7881')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7bb55d05-ef39-4a40-8079-0bc3c05e7881')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "User requested for URL '{{Url}}' which contains LFI related keywords or indicators. It suggests an attempt to traverse directories and access files outside the intended directory structure",
"alertDisplayNameFormat": "Potential Local File Inlcusion(LFI) performed by user '{{SrcUsername}}' from IP '{{SrcIpAddr}}'"
},
"alertRuleTemplateName": "7bb55d05-ef39-4a40-8079-0bc3c05e7881",
"customDetails": {
"Decoded_url": "Decoded_url",
"EventCount": "EventCount",
"EventEndTime": "EventEndTime",
"EventStartTime": "EventStartTime"
},
"description": "'LFI vulnerabilities allow an attacker to read (and sometimes execute) files on the victim machine. This can be very dangerous because if the web server is misconfigured and running with high privileges, the attacker may gain access to sensitive information'\n",
"displayName": "Detect Local File Inclusion(LFI) in web requests (ASIM Web Session)",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "Url",
"identifier": "Url"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Name",
"identifier": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "SrcHostname",
"identifier": "HostName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/LocalFileInclusion-LFI.yaml",
"query": "let lookback = 5m;\nlet LFI_Indicators = materialize(externaldata(Indicators: string)\n [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/LocalFileInclusionIndicators.csv\"] \n with(format=\"csv\", ignoreFirstRecord=True));\nlet CustomLocalFileInclusionIndicators = (_ASIM_GetWatchlistRaw(\"Web_LocalFileInclusionIndicators\") // Create new Watchlist and add your custom indicators(Optional)\n | extend\n Indicators = tostring(WatchlistItem[\"Indicators\"])\n | project Indicators\n | where isnotempty(Indicators));\nlet CombinedLFIList = union LFI_Indicators, CustomLocalFileInclusionIndicators;\nlet knownLFIIndicators=toscalar(CombinedLFIList\n | where isnotempty(Indicators)\n | summarize make_set(Indicators, 1000));\n_Im_WebSession(starttime=ago(lookback), url_has_any=knownLFIIndicators, eventresult='Success')\n| where isnotempty(Url)\n| project Url, SrcIpAddr, SrcUsername, SrcHostname, TimeGenerated\n| extend Decoded_url = url_decode(Url)\n| where Decoded_url has_any (knownLFIIndicators)\n| summarize\n EventCount=count(),\n EventStartTime=min(TimeGenerated),\n EventEndTime=max(TimeGenerated)\n by SrcIpAddr, SrcUsername, SrcHostname, Url, Decoded_url\n| extend\n Name = iif(SrcUsername contains \"@\", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),\n UPNSuffix = iif(SrcUsername contains \"@\", tostring(split(SrcUsername, '@', 1)[0]), \"\")\n| order by EventCount desc\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Execution",
"InitialAccess"
],
"tags": [
{
"Schema": "WebSession",
"SchemaVersion": "0.2.6"
}
],
"techniques": [
"T1059",
"T1133",
"T1190"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}