Initial Access via File Upload Followed by GET Request

Last updated: 2025-11-27
Created: 2025-11-27

About

This rule detects potential initial access activity where an adversary uploads a web shell or malicious script to a web server via a file upload mechanism (e.g., through a web form using multipart/form-data), followed by a GET or POST request to access the uploaded file. By checking the body content of HTTP requests for file upload indicators such as "Content-Disposition: form-data" and "filename=", the rule identifies suspicious upload activities. Between the upload and the follow-up request, the rule also requires an endpoint file event on the same agent that creates or renames a file with a server-side script extension (php, asp, jsp, cgi, etc.), with all three events occurring within five minutes. This sequence of actions is commonly used by attackers to gain and maintain access to compromised web servers.
Tags
Domain: Endpoint
Domain: Web
Domain: Network
OS: Linux
OS: Windows
OS: macOS
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Persistence
Data Source: Elastic Defend
Data Source: Network Traffic
Language: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Initial Access (TA0001)

Persistence (TA0003)

License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.*
logs-network_traffic.*
Related Integrations

endpoint

network_traffic

Query
sequence by agent.id with maxspan=5m
  [network where
   data_stream.dataset == "network_traffic.http" and
   http.request.method in ("POST", "PUT") and
   /* We can restrict to 200 in the future, but I prefer to broaden the scope and decrease it later if necessary */
   http.response.status_code in (200, 201, 204, 301, 302, 303, 409) and
   /* These should detect most common file upload activities, adhering to browser standards */
   http.request.body.content like "*Content-Disposition: form-data*" and
   http.request.body.content like "*filename=*"
   /* May add a lower/upper boundary limit to reduce FPs in the future, e.g.
   and http.request.body.bytes >= 500
   */
  ]
  [file where
   event.dataset == "endpoint.events.file" and
   event.action in ("creation", "rename") and
   file.extension in ("php", "phtml", "pht", "php5", "asp", "aspx", "jsp", "jspx", "war", "cgi")
   /* We can add file.path values here in the future, if telemetry is noisy */
  ]
  [network where
   data_stream.dataset == "network_traffic.http" and
   http.request.method in ("GET", "POST") and
   /* we may restrict to 200, but keeping it broader right now */
   http.response.status_code >= 200 and http.response.status_code < 600 and
   url.extension in ("php", "phtml", "pht", "php5", "asp", "aspx", "jsp", "jspx", "war", "cgi")
  ]
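The three-stage sequence above, re-implemented in Python over constructed sample events so the matching logic can be exercised offline. This is an added example, not Elastic's rule engine; the dict keys mirror the ECS field names used in the query, and the sequence matcher is a simplified version of EQL's `sequence by` (one pending sequence per agent) that I assume is close enough to show how the 5-minute maxspan and the per-agent grouping behave.

```python
from datetime import datetime, timedelta

WEB_EXTS = {"php", "phtml", "pht", "php5", "asp", "aspx", "jsp", "jspx", "war", "cgi"}
UPLOAD_STATUS = {200, 201, 204, 301, 302, 303, 409}
MAXSPAN = timedelta(minutes=5)  # the rule's maxspan=5m

def is_upload(ev):  # stage 1: multipart file upload seen on the wire
    body = ev.get("http.request.body.content", "")
    return (ev.get("data_stream.dataset") == "network_traffic.http"
            and ev.get("http.request.method") in ("POST", "PUT")
            and ev.get("http.response.status_code") in UPLOAD_STATUS
            and "Content-Disposition: form-data" in body and "filename=" in body)

def is_script_write(ev):  # stage 2: endpoint creates/renames a server-side script
    return (ev.get("event.dataset") == "endpoint.events.file"
            and ev.get("event.action") in ("creation", "rename")
            and ev.get("file.extension") in WEB_EXTS)

def is_script_request(ev):  # stage 3: a script of that type is requested
    return (ev.get("data_stream.dataset") == "network_traffic.http"
            and ev.get("http.request.method") in ("GET", "POST")
            and 200 <= ev.get("http.response.status_code", 0) < 600
            and ev.get("url.extension") in WEB_EXTS)
STAGES = (is_upload, is_script_write, is_script_request)

def find_sequences(events):
    """Simplified 'sequence by agent.id': one pending sequence per agent,
    advanced in timestamp order and dropped once it outlives MAXSPAN."""
    matches, pending = [], {}
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        state = pending.setdefault(ev["agent.id"], [])
        if state and ev["@timestamp"] - state[0]["@timestamp"] > MAXSPAN:
            state.clear()  # first event too old: restart for this agent
        if STAGES[len(state)](ev):
            state.append(ev)
            if len(state) == len(STAGES):
                matches.append(list(state))
                state.clear()
    return matches
T0 = datetime(2025, 11, 27, 10, 0, 0)  # constructed sample events, one agent
SAMPLE_EVENTS = [
    {"@timestamp": T0, "agent.id": "web-1", "data_stream.dataset": "network_traffic.http",
     "http.request.method": "POST", "http.response.status_code": 200,
     "http.request.body.content": '--x\r\nContent-Disposition: form-data; name="f"; filename="a.php"\r\n'},
    {"@timestamp": T0 + timedelta(seconds=2), "agent.id": "web-1",
     "event.dataset": "endpoint.events.file", "event.action": "creation", "file.extension": "php"},
    {"@timestamp": T0 + timedelta(seconds=30), "agent.id": "web-1", "data_stream.dataset": "network_traffic.http",
     "http.request.method": "GET", "http.response.status_code": 200, "url.extension": "php"},
]
```

Running `find_sequences(SAMPLE_EVENTS)` returns one match; moving the final GET outside the 5-minute window, or feeding a plain form POST without the multipart indicators, yields none.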

Install detection rules in Elastic Security

Detect Initial Access via File Upload Followed by GET Request in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.