Detection: Restricted File Access
Overview
Detect requests that attempt to access restricted application files such as configuration files, source code, database files, and temporary or backup files. Such access attempts may indicate attackers trying to extract sensitive application data or internal logic.
Attackers target restricted files that may contain sensitive information such as configuration files (.conf, .config, .ini), backup or temporary files (.bak, .old, .backup, ~ files), source code files (especially those with extensions like .inc), database files (.db, .sqlite, .mdb), application metadata (.php~, .php.swp, etc.), and framework-specific directories (/WEB-INF/, /META-INF/). Accessing these files can reveal application credentials, database connection strings, API keys and secrets, business logic vulnerabilities, and internal application structure.
When this detection triggers, security teams should verify whether the access attempt succeeded by checking for 200 OK responses, analyze which files were targeted and what sensitive information they may contain, remove or relocate sensitive files from the web root directory, implement proper web server configuration to block access to restricted file types, configure version control systems to exclude sensitive files from deployment, add proper file extension handling in the web server configuration, and consider implementing a Web Application Firewall (WAF) with file restriction rules.
Some legitimate scenarios may trigger this detection, including development environments where debugging information is accessible, administrative interfaces that legitimately access configuration files, content management systems that handle various file types, and applications that generate and serve configuration files.
Usage
Run the detection in your terminal:
powerpipe detection run apache_access_log_detections.detection.restricted_file_access
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe detection run apache_access_log_detections.detection.restricted_file_access --share
SQL
This detection uses a named query:
select
  tp_timestamp as timestamp,
  request_method as operation,
  request_uri as resource,
  status,
  http_user_agent as actor,
  tp_source_ip as source_ip,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  status as status_src,
  timestamp as timestamp_src,
  * exclude (status, timestamp)
from
  apache_access_log
where
  request_uri is not null
  and (
    -- Common application config files
    request_uri ilike '%/config.php%'
    or request_uri ilike '%/configuration.php%'
    or request_uri ilike '%/db.php%'
    or request_uri ilike '%/database.php%'
    or request_uri ilike '%/settings.php%'
    or request_uri ilike '%/conf.php%'
    or request_uri ilike '%/wp-config.php%'
    or request_uri ilike '%/config.xml%'
    or request_uri ilike '%/app.config%'
    or request_uri ilike '%/appsettings.json%'
    or request_uri ilike '%/config.yml%'
    or request_uri ilike '%/config.yaml%'
    or request_uri ilike '%/.env%'
    or request_uri ilike '%/.htaccess%'
    or request_uri ilike '%/.svn/%'
    or request_uri ilike '%/.git/%'
    -- Popular application source files
    or request_uri ilike '%/web.config%'
    or request_uri ilike '%/php.ini%'
    or request_uri ilike '%/.htpasswd%'
    or request_uri ilike '%.inc%'
    -- Temporary or backup files that may contain sensitive data
    or request_uri ilike '%~%'
    or request_uri ilike '%.bak%'
    or request_uri ilike '%.backup%'
    or request_uri ilike '%.old%'
    or request_uri ilike '%.orig%'
    or request_uri ilike '%.tmp%'
    or request_uri ilike '%.temp%'
    or request_uri ilike '%.swp%'
  )
order by
  tp_timestamp desc;
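The following is an added, stand-alone illustration and not part of the Powerpipe mod: it re-implements the same substring matching the query's ILIKE clauses perform, runs it over a few constructed Apache combined-format log lines, and adds the triage step the overview recommends (separating requests the server actually answered with 200 from ones that were blocked or missing). The sample log lines, the category grouping, and the helper names (parse_line, classify_uri, run_detection, successful_hits) are all assumptions made for this example.

```python
"""Restricted-file access detection over Apache access log lines (added example)."""
import re
from datetime import datetime
from typing import Optional

# Constructed sample Apache "combined" log lines; not taken from any real host.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:00:02 +0000] "GET /.env HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [10/Mar/2024:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:00:04 +0000] "GET /backup/site.bak HTTP/1.1" 404 150 "-" "curl/8.4.0"
198.51.100.7 - - [10/Mar/2024:12:00:05 +0000] "GET /.git/config HTTP/1.1" 200 320 "-" "python-requests/2.31"
"""

# Apache combined format: ip ident user [time] "method uri proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# The substrings the query's ILIKE '%...%' clauses test for, grouped as in the SQL comments.
PATTERNS = {
    "config": [
        "/config.php", "/configuration.php", "/db.php", "/database.php",
        "/settings.php", "/conf.php", "/wp-config.php", "/config.xml",
        "/app.config", "/appsettings.json", "/config.yml", "/config.yaml",
        "/.env", "/.htaccess", "/.svn/", "/.git/",
    ],
    "source": ["/web.config", "/php.ini", "/.htpasswd", ".inc"],
    "backup": ["~", ".bak", ".backup", ".old", ".orig", ".tmp", ".temp", ".swp"],
}


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify_uri(uri: str) -> Optional[str]:
    """Return the restricted-file category the URI matches, or None.

    ILIKE '%x%' in the query is a case-insensitive substring test, mirrored here.
    """
    u = uri.lower()
    for category, needles in PATTERNS.items():
        if any(n in u for n in needles):
            return category
    return None


def run_detection(log_text: str) -> list:
    """Return findings shaped like the query's output columns, newest first."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["uri"]:  # mirrors "request_uri is not null"
            continue
        category = classify_uri(rec["uri"])
        if category is None:
            continue
        findings.append({
            "timestamp": rec["ts"],
            "operation": rec["method"],
            "resource": rec["uri"],
            "status": rec["status"],
            "actor": rec["ua"],
            "source_ip": rec["ip"],
            "category": category,
        })
    findings.sort(key=lambda f: f["timestamp"], reverse=True)  # order by tp_timestamp desc
    return findings


def successful_hits(findings: list) -> list:
    """Triage step from the overview: keep only requests the server answered with 200."""
    return [f for f in findings if f["status"] == 200]


if __name__ == "__main__":
    hits = run_detection(SAMPLE_LOG)
    for f in hits:
        print(f"{f['timestamp'].isoformat()}  {f['source_ip']:<14} {f['status']} "
              f"{f['resource']} ({f['category']})")
    print(f"{len(successful_hits(hits))} of {len(hits)} restricted-file requests returned 200")
```

Running the script flags four of the five constructed lines (the plain /index.php request is untouched) and reports that two of them, the .env and .git/config fetches, were answered with 200, which is exactly the subset the overview says to investigate first. The category field is extra output not present in the query; it is there so the same run shows which ILIKE group fired, which helps when tuning out the legitimate scenarios the overview lists.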