title: Path Traversal Exploitation Attempts
id: 7745c2ea-24a5-4290-b680-04359cb84b35
author: Subhash Popuri (@pbssubhash), Florian Roth (generalisation)
date: 2021/09/25
status: experimental
description: Detects path traversal exploitation attempts
references:
    - https://github.com/projectdiscovery/nuclei-templates
logsource:
    category: webserver
detection:
    selection:
        c-uri|contains:
            - '../../../../../etc/passwd'
            - '../../../../windows/'
            - '../../../../../lib/password'
    condition: selection
falsepositives:
    - Happens all the time on systems exposed to the Internet
    - Internal vulnerability scanners
tags:
    - attack.initial_access
    - attack.t1190
level: medium