Detect Local File InclusionLFI in web requests ASIM Web Session

Back


Id	7bb55d05-ef39-4a40-8079-0bc3c05e7881
Rulename	Detect Local File Inclusion(LFI) in web requests (ASIM Web Session)
Description	LFI vulnerabilities allow an attacker to read (and sometimes execute) files on the victim machine. This can be very dangerous because if the web server is misconfigured and running with high privileges, the attacker may gain access to sensitive information
Severity	High
Tactics	InitialAccess Execution
Techniques	T1190 T1133 T1059
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/LocalFileInclusion-LFI.yaml
Version	1.0.0
Arm template	7bb55d05-ef39-4a40-8079-0bc3c05e7881.json

KQL

let lookback = 5m;
let LFI_Indicators = materialize(externaldata(Indicators: string)
    [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/LocalFileInclusionIndicators.csv"] 
    with(format="csv", ignoreFirstRecord=True));
let CustomLocalFileInclusionIndicators = (_ASIM_GetWatchlistRaw("Web_LocalFileInclusionIndicators") // Create new Watchlist and add your custom indicators(Optional)
    | extend
        Indicators = tostring(WatchlistItem["Indicators"])
    | project Indicators
    | where isnotempty(Indicators));
let CombinedLFIList = union LFI_Indicators, CustomLocalFileInclusionIndicators;
let knownLFIIndicators=toscalar(CombinedLFIList
    | where isnotempty(Indicators)
    | summarize make_set(Indicators, 1000));
_Im_WebSession(starttime=ago(lookback), url_has_any=knownLFIIndicators, eventresult='Success')
| where isnotempty(Url)
| project Url, SrcIpAddr, SrcUsername, SrcHostname, TimeGenerated
| extend Decoded_url = url_decode(Url)
| where Decoded_url has_any (knownLFIIndicators)
| summarize
    EventCount=count(),
    EventStartTime=min(TimeGenerated),
    EventEndTime=max(TimeGenerated)
    by SrcIpAddr, SrcUsername, SrcHostname, Url, Decoded_url
| extend
    Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
    UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")
| order by EventCount desc

YAML

name: Detect Local File Inclusion(LFI) in web requests (ASIM Web Session)
relevantTechniques:
- T1190
- T1133
- T1059
id: 7bb55d05-ef39-4a40-8079-0bc3c05e7881
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/LocalFileInclusion-LFI.yaml
requiredDataConnectors: []
eventGroupingSettings:
  aggregationKind: AlertPerResult
version: 1.0.0
severity: High
triggerThreshold: 0
tags:
- SchemaVersion: 0.2.6
  Schema: WebSession
queryPeriod: 5m
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
  entityType: IP
- fieldMappings:
  - identifier: Url
    columnName: Url
  entityType: URL
- fieldMappings:
  - identifier: Name
    columnName: Name
  - identifier: UPNSuffix
    columnName: UPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: HostName
    columnName: SrcHostname
  entityType: Host
kind: Scheduled
alertDetailsOverride:
  alertDisplayNameFormat: Potential Local File Inlcusion(LFI) performed by user '{{SrcUsername}}' from IP '{{SrcIpAddr}}'
  alertDescriptionFormat: User requested for URL '{{Url}}' which contains LFI related keywords or indicators. It suggests an attempt to traverse directories and access files outside the intended directory structure
queryFrequency: 5m
status: Available
query: |
  let lookback = 5m;
  let LFI_Indicators = materialize(externaldata(Indicators: string)
      [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/LocalFileInclusionIndicators.csv"] 
      with(format="csv", ignoreFirstRecord=True));
  let CustomLocalFileInclusionIndicators = (_ASIM_GetWatchlistRaw("Web_LocalFileInclusionIndicators") // Create new Watchlist and add your custom indicators(Optional)
      | extend
          Indicators = tostring(WatchlistItem["Indicators"])
      | project Indicators
      | where isnotempty(Indicators));
  let CombinedLFIList = union LFI_Indicators, CustomLocalFileInclusionIndicators;
  let knownLFIIndicators=toscalar(CombinedLFIList
      | where isnotempty(Indicators)
      | summarize make_set(Indicators, 1000));
  _Im_WebSession(starttime=ago(lookback), url_has_any=knownLFIIndicators, eventresult='Success')
  | where isnotempty(Url)
  | project Url, SrcIpAddr, SrcUsername, SrcHostname, TimeGenerated
  | extend Decoded_url = url_decode(Url)
  | where Decoded_url has_any (knownLFIIndicators)
  | summarize
      EventCount=count(),
      EventStartTime=min(TimeGenerated),
      EventEndTime=max(TimeGenerated)
      by SrcIpAddr, SrcUsername, SrcHostname, Url, Decoded_url
  | extend
      Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
      UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")
  | order by EventCount desc  
tactics:
- InitialAccess
- Execution
customDetails:
  EventCount: EventCount
  EventStartTime: EventStartTime
  EventEndTime: EventEndTime
  Decoded_url: Decoded_url
description: |
    'LFI vulnerabilities allow an attacker to read (and sometimes execute) files on the victim machine. This can be very dangerous because if the web server is misconfigured and running with high privileges, the attacker may gain access to sensitive information'
triggerOperator: gt

ARM