LEGACY-S00028.md

Rules: Directory Traversal - Successful

Description

Directory traversal is an attempt by an attacker to access files located on the host which are not intended to be returned by the web server. For example, attackers seeking usernames/passwords for the host will focus on paths like ../../etc/passwd, ../../../etc/shadow, etc. When successful, a directory traversal attack results in the attacker gaining access to sensitive information and identifying a mechanism of future attack. When unsuccessful, directory traversal is an indication of ongoing external reconnaissance.

Additional Details

Detail	Value
Type	Match
Category	Initial Access
Apply Risk to Entities	device_ip, srcDevice_ip, dstDevice_ip, device_hostname, srcDevice_hostname, dstDevice_hostname
Signal Name	Directory Traversal - Successful
Summary Expression	Successful directory traversal detected from source IP: {{srcDevice_ip}}
Score/Severity	Static: 6
Enabled by Default	True
Prototype	False
Tags	_mitreAttackTactic:TA0001, _mitreAttackTactic:TA0007, _mitreAttackTactic:TA0009, _mitreAttackTechnique:T1083, _mitreAttackTechnique:T1213, _mitreAttackTechnique:T1213.001

Vendors and Products

• Amazon AWS - Application Load Balancer
• Amazon AWS - Elastic Load Balancer
• Bro - Bro
• Cloudflare - Logpush
• Microsoft - Azure
• Microsoft - IIS
• Sophos - UTM 9

Fields Used

Origin	Field
Normalized Schema	device_hostname
Normalized Schema	device_ip
Normalized Schema	dstDevice_hostname
Normalized Schema	dstDevice_ip
Normalized Schema	dstDevice_ip_isInternal
Normalized Schema	http_response_statusCode
Normalized Schema	http_url
Normalized Schema	listMatches
Normalized Schema	srcDevice_hostname
Normalized Schema	srcDevice_ip