Elastic Security Detection Rules

Web Server Potential Remote File Inclusion Activity

Last updated a day ago on 2025-12-08
Created 7 days ago on 2025-12-02

About

This rule detects potential Remote File Inclusion (RFI) activity on web servers by identifying HTTP GET requests that attempt to access sensitive remote files through directory traversal techniques or known file paths. Attackers may exploit RFI vulnerabilities to read sensitive files, gain system information, or further compromise the server.
Tags
Domain: WebUse Case: Threat DetectionTactic: DiscoveryTactic: Command and ControlData Source: NginxData Source: ApacheData Source: Apache TomcatData Source: IISLanguage: esql
Severity
low
Risk Score
21
MITRE ATT&CK™

Discovery (TA0007)(opens in a new tab or window)

File and Directory Discovery (T1083)(opens in a new tab or window)

Command and Control (TA0011)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

nginx(opens in a new tab or window)

apache(opens in a new tab or window)

apache_tomcat(opens in a new tab or window)

iis(opens in a new tab or window)

Query
from
  logs-nginx.access-*,
  logs-apache.access-*,
  logs-apache_tomcat.access-*,
  logs-iis.access-*
| where
    http.request.method == "GET" and
    http.response.status_code == 200 and
    url.original like "*=*"

| eval Esql.url_original_url_decoded_to_lower = to_lower(URL_DECODE(url.original))

| where
    Esql.url_original_url_decoded_to_lower like "*=http://*" or
    Esql.url_original_url_decoded_to_lower like "*=https://*" or
    Esql.url_original_url_decoded_to_lower like "*=ftp://*" or
    Esql.url_original_url_decoded_to_lower like "*=smb://*" or
    Esql.url_original_url_decoded_to_lower like "*=file://*" or
    Esql.url_original_url_decoded_to_lower rlike """.*=.*[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}.*"""

| keep
    @timestamp,
    Esql.url_original_url_decoded_to_lower,
    source.ip,
    agent.id,
    host.name,
    http.request.method,
    http.response.status_code,
    event.dataset,
    data_stream.namespace

| stats
    Esql.event_count = count(),
    Esql.url_original_url_decoded_to_lower_count_distinct = count_distinct(Esql.url_original_url_decoded_to_lower),
    Esql.host_name_values = values(host.name),
    Esql.agent_id_values = values(agent.id),
    Esql.http_request_method_values = values(http.request.method),
    Esql.http_response_status_code_values = values(http.response.status_code),
    Esql.url_original_url_decoded_to_lower_values = values(Esql.url_original_url_decoded_to_lower),
    Esql.event_dataset_values = values(event.dataset),
    Esql.data_stream_namespace_values = values(data_stream.namespace)
    by source.ip

Install detection rules in Elastic Security

Detect Web Server Potential Remote File Inclusion Activity in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).