High Level Overview:
A directory traversal attack (also called path traversal) is a type of web attack where an attacker tries to access files and directories that should be restricted. This is done by manipulating URL paths using ../ (dot-dot-slash) sequences to "climb up" the directory structure. For example, a vulnerable website might allow an attacker to request:
If the site is not properly secured, this could expose sensitive files like passwords, configuration files, or source code. Attackers use this technique to steal data, modify files, or gain further access to a system. Proper input validation and access controls can help prevent these attacks.
Therefore, it is crucial for SOC Teams to discover this before a successful breach happens.
Quick Deploy:
Note-
This analytic rule depends on a watchlist, download the following file and upload it to Sentinel -> Watchlist with the following properties or else the Quick Deploy will fail.
Description:
There are two queries here- one is to detect failed attempts and successful attempts but following is a consolidated description.
This use case aims to detect potential directory traversal attacks in web server logs by identifying suspicious HTTP requests that attempt to access restricted files or directories (e.g., ../../../../etc/passwd).
The detection logic focuses on logs from Apache, and other security-relevant sources, analyzing HTTP methods, request paths, and status codes.
It flags unusual spikes in traversal attempts and categorizes them based on client and server error responses along with Redirection and Success codes (2xx, 3xx, 4xx and 5xx).
By leveraging Syslog data and a watchlist of HTTP status codes, this use case provides robust visibility into potential web application exploitation attempts.
Framework:
MITRE ATT&CKTM
Tactic:
Discovery
TA0007
Reference https://attack.mitre.org/tactics/TA0007/
Technique:
File and Directory Discovery
T1083
Rule type: KQL
Rule indices:
Rule Id: b169c852-bf0f-45dc-8c00-a75e38deea52, 5eea1ac4-6943-4241-a7bc-f9ef02e02bde
Rule Names: Potential Directory Traversal Attack Detected, Successful Directory Traversal Attack Detected
Severity: Medium, High
Runs every: 30m/30m
Trigger an alert for each event: No
References: None
Domain: Linux WebServer
OS Tested On: Ubuntu 22.04
Event ID: NA
Use Case: Vulnerability Detection
Tactic: Discovery
Version: 1.10
Rule authors: Aniket
Pre-Requisites
This rule requires data coming in from Azure Monitor Agent using a data collection rule within Microsoft Sentinel.
Syslog via AMA data connector.
Watchlist to map HTTP Status Codes with Category and Description. Please refer to the Quick Deploy Section.
Microsoft Sentinel Workspace and enough RBAC permissions!
Overview
The other day at work, I was just sipping on my coffee and going through the usual routine of sifting through logs and I noticed quite a couple of Syslog messages where /etc/passwd and /etc/shadow were involved. Upon closer inspection, I noticed that these are directory traversal attacks and I sat down and decided to create two analytic rules ie. one for failed attempts and another for successful attempt.
For the test environment, I ingested a few sample logs in order to get the incident triggered.
Following is a sample of Syslog Messages where the regex has been tested, incase if it does not work in your case due to single quotes instead of double quotes, then you can modify the pattern accordingly. Failed Attempt
172.0.0.1 - - [11/Feb/2025:09:32:48 +0530] "GET /cgi-bin/auktion.cgi?menue=../../../../../../../../../etc/passwd HTTP/1.1" 404 58 "-" "Mozilla/4.0 (compatible MSIE 8.0 Windows NT 5.1 Trident/4.0)"
Successful Attempt
172.0.0.1 - - [10/Feb/2025:19:57:52 +0530] "GET /index.php?template\=../../../loudblog/custom/config.php%00 HTTP/1.1" 200 18 "-" "Mozilla/4.0 (compatible MSIE 8.0 Windows NT 5.1 Trident/4.0)"
Incident Evidence
Successful Directory Traversal Detected
Potential Directory Traversal Attack Detected
Successful Directory Traversal Detected Query
let HTTPStatusCodes = _GetWatchlist("HTTPStatusCodes");
Syslog
| where ProcessName == 'apache_access_log' or SyslogMessage contains "Web Server - Apache"
| where SyslogMessage matches regex @"(GET|POST|PUT|DELETE|HEAD|OPTIONS)\s.*/(\.\./)+"
| extend client_ip = extract(@"^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})", 1, SyslogMessage)
| extend client_ip = case(isempty(client_ip), Computer, client_ip)
| extend http_method = extract(@'"(GET|POST|PUT|DELETE|HEAD|OPTIONS)', 1, SyslogMessage)
| where isnotempty(http_method)
| extend uri_path = extract(@"(GET|POST|PUT|DELETE|HEAD|OPTIONS)\s([^\s]+)", 2, SyslogMessage)
| extend http_status = extract(@'\s(\d{3})\s\d+\s"-"', 1, SyslogMessage)
| lookup HTTPStatusCodes on $left.http_status == $right.SearchKey
| where Category == 'Success'
| extend user_agent = extract(@'"[^"]+"\s"([^"]+)"$', 1, SyslogMessage)
| project client_ip, http_method, uri_path, http_status, Category, Description, user_agent, SyslogMessageQuery Breakdown:
Loads a watchlist (HTTPStatusCodes) to categorize HTTP status codes.
Filters logs from Apache (apache_access_log) or related web server messages.
Identifies directory traversal patterns using a regex match on requests containing ../.
Extracts key details:
Client IP (client_ip)
HTTP method (GET, POST, etc.)
Request path (uri_path)
HTTP status code (http_status)
User agent (browser info)
Joins with HTTP status watchlist to categorize the response using lookup operator as join can be inefficient and only outputs rows that exactly match otherwise drops them.
Filters for successful responses (2xx category) → Meaning the attack may have worked.
Outputs key fields for investigation.
Entity Mapping:
Potential Directory Traversal Attack Detected Query
let HTTPStatusCodes = _GetWatchlist("HTTPStatusCodes");
Syslog
| where ProcessName == 'apache_access_log' or SyslogMessage contains "Web Server - Apache"
| where SyslogMessage matches regex @"(GET|POST|PUT|DELETE|HEAD|OPTIONS)\s.*/(\.\./)+"
| extend client_ip = extract(@"^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})", 1, SyslogMessage)
| extend client_ip = case(isempty(client_ip), Computer, client_ip)
| extend http_method = extract(@'"(GET|POST|PUT|DELETE|HEAD|OPTIONS)', 1, SyslogMessage)
| where isnotempty(http_method)
| extend uri_path = extract(@"(GET|POST|PUT|DELETE|HEAD|OPTIONS)\s([^\s]+)", 2, SyslogMessage)
| extend http_status = extract(@'"\s(\d{3})\s\d+', 1, SyslogMessage)
| lookup HTTPStatusCodes on $left.http_status == $right.SearchKey
| where Category != 'Success'
| extend user_agent = extract(@'"[^"]+"\s"([^"]+)"$', 1, SyslogMessage)
//| project client_ip, uri_path, http_status, http_method, Catgeory, Description, SyslogMessage
//Please uncomment and run query until above line to get the raw logs
| summarize DirectoryCount=count(), URIArray = make_set(uri_path,100), HTTPStatus = make_set(http_status), HTTPMethod = make_set(http_method) by client_ip
| project client_ip, DirectoryCount, URIArray, HTTPStatus, HTTPMethodQuery Breakdown:
Loads a watchlist (HTTPStatusCodes) to categorize HTTP status codes.
Filters logs from Apache (apache_access_log) or related web server messages.
Identifies directory traversal patterns using a regex match on requests containing ../.
Extracts key details:
Client IP (client_ip)
HTTP method (GET, POST, etc.)
Request path (uri_path)
HTTP status code (http_status)
User agent (browser info)
Joins with HTTP status watchlist to categorize the response using lookup operator as join can be inefficient and only outputs rows that exactly match otherwise drops them.
Filters for failed server, client and redirection responses (3xx,4xx,5xx category) → Meaning the attack is in progress.
Outputs key fields for investigation.
Entity Mapping:
ARM Template
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5eea1ac4-6943-4241-a7bc-f9ef02e02bde')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5eea1ac4-6943-4241-a7bc-f9ef02e02bde')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2023-12-01-preview",
"properties": {
"displayName": "Successful Directory Traversal Attack Detected",
"description": "This use case aims to detect successful directory traversal attacks in web server logs by identifying suspicious HTTP requests that have successfully managed to breach and access restricted files or directories (e.g., ../../../../etc/passwd). \n\nThe detection logic focuses on logs from Apache, and other security-relevant sources, analyzing HTTP methods, request paths, and status codes. It flags traversal attempts and categorizes them based on successful responses (2xx).\n\nBy leveraging Syslog data and a watchlist of HTTP status codes, this use case provides robust visibility into potential web application exploitation attempts.\n\n",
"severity": "High",
"enabled": true,
"query": "let HTTPStatusCodes = _GetWatchlist(\"HTTPStatusCodes\");\r\nSyslog\r\n| where ProcessName == 'apache_access_log' or SyslogMessage contains \"Web Server - Apache\"\r\n| where SyslogMessage matches regex @\"(GET|POST|PUT|DELETE|HEAD|OPTIONS)\\s.*/(\\.\\./)+\" // Detect multiple traversal attempts\r\n| extend client_ip = extract(@\"^(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, SyslogMessage)\r\n| extend client_ip = case(isempty(client_ip), Computer, client_ip)\r\n| extend http_method = extract(@'\"(GET|POST|PUT|DELETE|HEAD|OPTIONS)', 1, SyslogMessage)\r\n| where isnotempty(http_method)\r\n| extend uri_path = extract(@\"(GET|POST|PUT|DELETE|HEAD|OPTIONS)\\s([^\\s]+)\", 2, SyslogMessage)\r\n| extend http_status = extract(@'\\s(\\d{3})\\s\\d+\\s\"-\"', 1, SyslogMessage)\r\n| lookup HTTPStatusCodes on $left.http_status == $right.SearchKey\r\n| where Category == 'Success'\r\n| extend user_agent = extract(@'\"[^\"]+\"\\s\"([^\"]+)\"$', 1, SyslogMessage)\r\n| project client_ip, http_method, uri_path, http_status, Category, Description, user_agent, SyslogMessage",
"queryFrequency": "PT30M",
"queryPeriod": "PT30M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"startTimeUtc": null,
"tactics": [
"Discovery"
],
"techniques": [
"T1083"
],
"subTechniques": [],
"alertRuleTemplateName": null,
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"reopenClosedIncident": false,
"lookbackDuration": "PT30M",
"matchingMethod": "AllEntities",
"groupByEntities": [],
"groupByAlertDetails": [],
"groupByCustomDetails": []
}
},
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"alertDetailsOverride": null,
"customDetails": {
"Path": "uri_path"
},
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "client_ip"
}
]
}
],
"sentinelEntitiesMappings": null,
"templateVersion": null
}
},
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b169c852-bf0f-45dc-8c00-a75e38deea52')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b169c852-bf0f-45dc-8c00-a75e38deea52')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2023-12-01-preview",
"properties": {
"displayName": "Potential Directory Traversal Attack Detected",
"description": "This use case aims to detect potential directory traversal attacks in web server logs by identifying suspicious HTTP requests that attempt to access restricted files or directories (e.g., ../../../../etc/passwd). \n\nThe detection logic focuses on logs from Apache, and other security-relevant sources, analyzing HTTP methods, request paths, and status codes. \n\nIt flags unusual spikes in traversal attempts and categorizes them based on client and server error responses along with Redirection (3xx, 4xx and 5xx). \n\nBy leveraging Syslog data and a watchlist of HTTP status codes, this use case provides robust visibility into potential web application exploitation attempts.\n\n",
"severity": "Medium",
"enabled": true,
"query": "let HTTPStatusCodes = _GetWatchlist(\"HTTPStatusCodes\");\r\nSyslog\r\n| where ProcessName == 'apache_access_log' or SyslogMessage contains \"Web Server - Apache\"\r\n| where SyslogMessage matches regex @\"(GET|POST|PUT|DELETE|HEAD|OPTIONS)\\s.*/(\\.\\./)+\"\r\n| extend client_ip = extract(@\"^(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, SyslogMessage)\r\n| extend client_ip = case(isempty(client_ip), Computer, client_ip)\r\n| extend http_method = extract(@'\"(GET|POST|PUT|DELETE|HEAD|OPTIONS)', 1, SyslogMessage)\r\n| where isnotempty(http_method)\r\n| extend uri_path = extract(@\"(GET|POST|PUT|DELETE|HEAD|OPTIONS)\\s([^\\s]+)\", 2, SyslogMessage)\r\n| extend http_status = extract(@'\"\\s(\\d{3})\\s\\d+', 1, SyslogMessage)\r\n| lookup HTTPStatusCodes on $left.http_status == $right.SearchKey\r\n| where Category != 'Success'\r\n| extend user_agent = extract(@'\"[^\"]+\"\\s\"([^\"]+)\"$', 1, SyslogMessage)\r\n//| project client_ip, uri_path, http_status, http_method, Catgeory, Description, SyslogMessage\r\n//Please uncomment and run query until above line to get the raw logs\r\n| summarize DirectoryCount=count(), URIArray = make_set(uri_path,100), HTTPStatus = make_set(http_status), HTTPMethod = make_set(http_method) by client_ip\r\n| project client_ip, DirectoryCount, URIArray, HTTPStatus, HTTPMethod",
"queryFrequency": "PT30M",
"queryPeriod": "PT30M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"startTimeUtc": null,
"tactics": [
"Discovery"
],
"techniques": [
"T1083"
],
"subTechniques": [],
"alertRuleTemplateName": null,
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"reopenClosedIncident": false,
"lookbackDuration": "PT1H",
"matchingMethod": "AllEntities",
"groupByEntities": [],
"groupByAlertDetails": [],
"groupByCustomDetails": []
}
},
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"alertDetailsOverride": null,
"customDetails": {
"PathArray": "URIArray",
"DirectoryCount": "DirectoryCount",
"HTTPStatusCode": "HTTPStatus",
"HTTPMethod": "HTTPMethod"
},
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "client_ip"
}
]
}
],
"sentinelEntitiesMappings": null,
"templateVersion": null
}
}
]
}
Conclusion
Detecting and mitigating directory traversal attacks and anomalous web requests is essential for securing web applications against unauthorized access and exploitation. By leveraging analytics in Microsoft Sentinel, security teams can effectively monitor Syslog data, analyze HTTP request patterns, and detect suspicious activities such as unauthorized file access attempts and sudden spikes in error responses.
Continuous monitoring, proper log parsing, and refining detection logic based on evolving attack techniques will ensure a more robust defense against web-based threats.
Comments