Detection: OS File Access
Overview
Detect when a web server received requests attempting to access common operating system files. This detection focuses on identifying attempts to access sensitive system files that should never be accessible through a web application, which may indicate Local File Inclusion (LFI) vulnerabilities or other file disclosure attacks.
Attackers target operating system files including Unix/Linux system files (such as /etc/passwd, /etc/shadow, /etc/hosts, /etc/issue, /proc/self/, /proc/version, /var/log/), Windows system files (such as win.ini, system32, boot.ini, windows/system.ini, autoexec.bat, config.sys), and common web server configuration files (such as /usr/local/apache, /usr/local/etc/httpd, /var/www/, /var/apache).
Successful exploitation can lead to disclosure of sensitive system information, including usernames, system configuration, and potentially even password hashes. Attackers use this information for reconnaissance and to plan further attacks. When this detection triggers, security teams should first verify whether the access attempt was successful (a 200 OK response rather than a 404 error) and analyze which system files were targeted. Remediation then involves configuring the web server to block access to system directories, configuring web application firewalls to block common LFI patterns, validating and sanitizing all file path inputs in the application, and reviewing the application for file inclusion vulnerabilities. Some legitimate scenarios that may trigger this detection include system administration tools operating through web interfaces, monitoring and logging applications that need access to system files, and authorized system information display pages.
Usage
Run the detection in your terminal:
powerpipe detection run apache_access_log_detections.detection.os_file_access
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe detection run apache_access_log_detections.detection.os_file_access --share
SQL
This detection uses a named query:
select
  tp_timestamp as timestamp,
  request_method as operation,
  request_uri as resource,
  status,
  http_user_agent as actor,
  tp_source_ip as source_ip,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  status as status_src,
  timestamp as timestamp_src,
  * exclude (status, timestamp)
from
  apache_access_log
where
  request_uri is not null
  and (
    -- Unix/Linux sensitive files
    request_uri ilike '%/etc/passwd%'
    or request_uri ilike '%/etc/shadow%'
    or request_uri ilike '%/etc/hosts%'
    or request_uri ilike '%/etc/fstab%'
    or request_uri ilike '%/etc/issue%'
    or request_uri ilike '%/etc/profile%'
    or request_uri ilike '%/etc/ssh%'
    or request_uri ilike '%/proc/version%'
    or request_uri ilike '%/proc/self%'
    or request_uri ilike '%/proc/cpuinfo%'
    or request_uri ilike '%/var/log/auth.log%'
    or request_uri ilike '%/var/log/secure%'
    -- Windows sensitive files
    or request_uri ilike '%c:\\windows\\win.ini%'
    or request_uri ilike '%c:\\boot.ini%'
    or request_uri ilike '%c:\\windows\\system32\\config%'
    or request_uri ilike '%c:\\windows\\repair%'
    or request_uri ilike '%c:\\windows\\debug\\netsetup.log%'
    or request_uri ilike '%c:\\windows\\iis%log%'
    or request_uri ilike '%c:\\sysprep.inf%'
    or request_uri ilike '%c:\\sysprep\\sysprep.xml%'
    -- Web server files
    or request_uri ilike '%/var/log/apache%'
    or request_uri ilike '%/var/log/httpd%'
    or request_uri ilike '%/usr/local/apache%'
    or request_uri ilike '%/usr/local/nginx%'
    or request_uri ilike '%/var/log/nginx%'
  )
order by
  tp_timestamp desc;
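To show what the query above does and how the triage step from the overview (200 OK versus 404) fits in, here is an added Python replay of the same detection over a few constructed Apache combined-format log lines. It is example code written for this page, not part of the Powerpipe/Tailpipe mod. The ILIKE patterns are mirrored from the query; the Windows entries are written with single backslashes here, on the assumption that the doubled backslashes in the SQL are that dialect's string-literal escaping. It also goes one step beyond the query by matching the percent-decoded URI as well as the raw one, so an encoded path is not missed; that extension and the `likely_success` heuristic are this example's additions.

```python
"""Replay the os_file_access detection over Apache combined-format log lines."""
import re
from datetime import datetime
from urllib.parse import unquote

# ILIKE patterns mirrored from the detection query (matched case-insensitively).
OS_FILE_PATTERNS = [
    # Unix/Linux sensitive files
    "%/etc/passwd%", "%/etc/shadow%", "%/etc/hosts%", "%/etc/fstab%",
    "%/etc/issue%", "%/etc/profile%", "%/etc/ssh%", "%/proc/version%",
    "%/proc/self%", "%/proc/cpuinfo%", "%/var/log/auth.log%", "%/var/log/secure%",
    # Windows sensitive files (single backslashes here; see lead-in for the assumption)
    r"%c:\windows\win.ini%", r"%c:\boot.ini%", r"%c:\windows\system32\config%",
    r"%c:\windows\repair%", r"%c:\windows\debug\netsetup.log%",
    r"%c:\windows\iis%log%", r"%c:\sysprep.inf%", r"%c:\sysprep\sysprep.xml%",
    # Web server files
    "%/var/log/apache%", "%/var/log/httpd%", "%/usr/local/apache%",
    "%/usr/local/nginx%", "%/var/log/nginx%",
]

# Apache combined log format: ip ident user [time] "METHOD URI PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample lines (not real traffic): three hits, one benign request.
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1832 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Oct/2024:13:55:37 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 404 209 "-" "curl/8.4.0"',
    '198.51.100.23 - - [10/Oct/2024:13:56:01 +0000] "GET /download?file=C:\\Windows\\win.ini HTTP/1.1" 403 312 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2024:13:57:12 +0000] "GET /about/hosts-and-teams HTTP/1.1" 200 5120 "https://example.com/" "Mozilla/5.0"',
]


def ilike_to_regex(pattern: str) -> re.Pattern:
    """Translate a SQL ILIKE pattern (% = any run, _ = one char) into a case-insensitive regex."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


COMPILED_PATTERNS = [(p, ilike_to_regex(p)) for p in OS_FILE_PATTERNS]


def detect_os_file_access(lines, decode_uri=True):
    """Return one finding per log line whose request URI matches an OS file pattern.

    The raw URI is checked first, exactly as the SQL does. With decode_uri=True the
    percent-decoded URI is checked as well (an extension beyond the query).
    Findings are ordered newest first, mirroring 'order by tp_timestamp desc'.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        uri = m["uri"]
        candidates = [(uri, False)]
        if decode_uri:
            decoded = unquote(uri)
            if decoded != uri:
                candidates.append((decoded, True))
        for text, was_decoded in candidates:
            hit = next((p for p, rx in COMPILED_PATTERNS if rx.fullmatch(text)), None)
            if hit is None:
                continue
            status = int(m["status"])
            findings.append({
                "timestamp": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                "operation": m["method"],
                "resource": uri,
                "status": status,
                "actor": m["ua"],
                "source_ip": m["ip"],
                "matched_pattern": hit,
                "matched_after_decoding": was_decoded,
                # Triage hint from the overview: a 200 suggests the file may have been served.
                "likely_success": status == 200,
            })
            break
    findings.sort(key=lambda f: f["timestamp"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in detect_os_file_access(SAMPLE_LOG_LINES):
        flag = "LIKELY SUCCESS" if f["likely_success"] else "blocked/not found"
        print(f'{f["timestamp"].isoformat()} {f["source_ip"]} {f["operation"]} {f["resource"]} '
              f'-> {f["status"]} [{f["matched_pattern"]}] {flag}')
```

Running the block prints three findings and skips the benign `/about/hosts-and-teams` request; only the `/etc/passwd` request is flagged as a likely success because it returned 200, which is the row an analyst would pull first. With `decode_uri=False` the encoded `/etc/shadow` probe is not reported, which is the gap the decoding extension closes.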