LoFP

False positives may be present if the activity is part of diagnostics or testing. Filter as needed.

Techniques

Sample rules

HTTP Rapid POST with Mixed Status Codes

Description

This detection identifies rapid-fire POST request bursts in which a single source sends more than 20 POST requests to one destination within a 5-second window, a pattern consistent with race-condition exploitation attempts or with overwhelming request handling. The grouping is by source IP, destination and user agent, and the search returns the distinct status codes, response sizes and URIs seen in each window: a burst whose responses vary in size or status code is more suspicious, since it can indicate that some requests are succeeding where others fail, or that the client is probing for vulnerable endpoints.

Detection logic

`nginx_access_logs` http_method="POST"
| bin _time span=5s
| rename dest_ip as dest
| stats count, values(status) as status_codes, values(bytes_out) as bytes_out, values(uri_path) as uris by _time, src_ip, dest, http_user_agent
| where count>20
| table _time, dest, src_ip, count, status_codes, bytes_out, http_user_agent
| `http_rapid_post_with_mixed_status_codes_filter`

HTTP Suspicious Tool User Agent

Description

This Splunk query analyzes web access logs to identify and categorize non-browser user agents, detecting various types of security tools, scripting languages, automation frameworks, and suspicious patterns. This activity can signify malicious actors attempting to interact with web endpoints in non-standard ways.

Detection logic

`nginx_access_logs`
| eval http_user_agent = lower(http_user_agent)
| lookup scripting_tools_user_agents tool_user_agent AS http_user_agent OUTPUT tool
| where isnotnull(tool)
| rename dest_ip as dest
| stats count min(_time) as firstTime max(_time) as lastTime values(tool) as tool by http_user_agent dest src_ip status
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `http_suspicious_tool_user_agent_filter`
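To make the two searches above concrete outside Splunk, here is an added Python re-implementation of both rules run over a constructed nginx access log; it is example code written for this page, not the rule's SPL, the Splunk add-on or any project's code. It assumes the nginx "combined" log_format, a small hand-made stand-in for the scripting_tools_user_agents lookup matched by case-insensitive prefix (the real lookup's match mode may differ), and it omits the dest column because a raw nginx line carries no dest_ip field. The first rule bins POST requests into 5-second windows per source and user agent and reports windows with more than 20 requests together with the distinct status codes, response sizes and URIs, which is where the "mixed status codes" signal shows up; the second lowercases the user agent, matches it against the lookup and aggregates count, first seen and last seen per user agent, source and status.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Parser for the nginx "combined" log_format (assumed layout; adjust the regex to your log_format).
LOG_RE = re.compile(
    r'(?P<src_ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri_path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes_out>\d+) "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["_time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    e["status"] = int(e["status"])
    e["bytes_out"] = int(e["bytes_out"])
    return e

def rapid_post_bursts(events, span=5, threshold=20):
    """Rule 1: bin POSTs into `span`-second windows per (src_ip, user agent) and report
    windows with more than `threshold` requests, plus the distinct status codes,
    response sizes and URIs seen in the window (the SPL's values() columns)."""
    buckets = defaultdict(list)
    for e in events:
        if e["method"] == "POST":
            window = int(e["_time"] // span) * span
            buckets[(window, e["src_ip"], e["ua"])].append(e)
    hits = []
    for (window, src_ip, ua), evs in sorted(buckets.items()):
        if len(evs) > threshold:
            hits.append({
                "_time": window, "src_ip": src_ip, "http_user_agent": ua, "count": len(evs),
                "status_codes": sorted({e["status"] for e in evs}),
                "bytes_out": sorted({e["bytes_out"] for e in evs}),
                "uris": sorted({e["uri_path"] for e in evs}),
            })
    return hits

# Constructed stand-in for the scripting_tools_user_agents lookup: UA prefix -> tool name.
# Prefix matching is an assumption; a Splunk lookup matches exactly unless WILDCARD is set.
TOOL_USER_AGENTS = {
    "curl/": "curl",
    "wget/": "wget",
    "python-requests/": "python-requests",
    "go-http-client/": "go-http-client",
}

def suspicious_tool_user_agents(events):
    """Rule 2: lowercase the user agent, match it against the tool lookup and
    aggregate count / first seen / last seen by (user agent, src_ip, status)."""
    agg = {}
    for e in events:
        ua = e["ua"].lower()
        tool = next((name for prefix, name in TOOL_USER_AGENTS.items() if ua.startswith(prefix)), None)
        if tool is None:
            continue
        row = agg.setdefault((ua, e["src_ip"], e["status"]),
                             {"count": 0, "firstTime": e["_time"], "lastTime": e["_time"], "tool": tool})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], e["_time"])
        row["lastTime"] = max(row["lastTime"], e["_time"])
    return [dict(http_user_agent=ua, src_ip=src, status=st, **row) for (ua, src, st), row in agg.items()]

def run_rules(lines):
    """Parse raw lines (skipping unparsable ones) and run both rules over the events."""
    events = [e for e in map(parse_line, lines) if e]
    return {"rapid_post": rapid_post_bursts(events), "tool_ua": suspicious_tool_user_agents(events)}

# --- constructed sample log (not real traffic) ---------------------------------
BASE = 1_700_000_000  # arbitrary epoch that falls on a 5-second boundary

def _line(ip, ts, method, path, status, nbytes, ua):
    t = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{t}] "{method} {path} HTTP/1.1" {status} {nbytes} "-" "{ua}"'

SAMPLE_LOG = (
    # 25 POSTs to one endpoint from one client within 4 seconds, with some 401s mixed in
    [_line("203.0.113.7", BASE + i % 4, "POST", "/api/login", 401 if i % 5 == 0 else 200, 512 + i,
           "Mozilla/5.0") for i in range(25)]
    # scripted clients issuing GET requests
    + [_line("198.51.100.9", BASE + 10 + i, "GET", "/admin", 403, 120, "curl/8.5.0") for i in range(3)]
    + [_line("198.51.100.9", BASE + 20, "GET", "/", 200, 900, "Python-requests/2.31")]
    # ordinary browser traffic, matched by neither rule
    + [_line("192.0.2.4", BASE + 30, "GET", "/", 200, 4096, "Mozilla/5.0 (Windows NT 10.0)")]
    + ["not an access log line"]
)

if __name__ == "__main__":
    for rule, rows in run_rules(SAMPLE_LOG).items():
        for row in rows:
            print(rule, row)
```

Running the block prints one rapid-POST window (25 requests, status codes 200 and 401) and two tool-user-agent rows. The window key uses floor division of the epoch time, which is what `bin _time span=5s` does; a burst that straddles a 5-second boundary is split across two windows and may fall under the threshold in each, so when tuning this rule on real traffic compare adjacent windows or lengthen the span rather than only raising the count.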