Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/tailpipe-mod-apache-access-log-detections
Overview
4Dashboards
23Benchmarks
36Queries
1Variables
GitHub

Query: hidden_file_access

Usage

powerpipe query apache_access_log_detections.query.hidden_file_access

Tailpipe Tables

apache_access_log
Apache plugin

SQL

select
  tp_timestamp as timestamp,
request_method as operation,
request_uri as resource,
status,
http_user_agent as actor,
tp_source_ip as source_ip,
tp_id as source_id,
-- Create new aliases to preserve original row data
status as status_src,
timestamp as timestamp_src,
*
exclude (status, timestamp)


from
  apache_access_log
where
  request_uri is not null
  and (
    -- Common hidden files and directories
    request_uri ilike '%/.git/%'
    or request_uri ilike '%/.svn/%'
    or request_uri ilike '%/.DS_Store%'
    or request_uri ilike '%/.htpasswd%'
    or request_uri ilike '%/.npmrc%'
    or request_uri ilike '%/.env%'
    or request_uri ilike '%/.aws/%'
    or request_uri ilike '%/.ssh/%'
    or request_uri ilike '%/.bash_history%'
    or request_uri ilike '%/.htaccess%'
    or request_uri ilike '%/.htpasswd%'
    or request_uri ilike '%/.config/%'
    or request_uri ilike '%/.vscode/%'
    or request_uri ilike '%/.idea/%'
    -- Docker/Kubernetes files
    or request_uri ilike '%/docker-compose%'
    or request_uri ilike '%/Dockerfile%'
    or request_uri ilike '%/kubernetes/%'
    or request_uri ilike '%/kubeconfig%'
  )
order by
  tp_timestamp desc;

Detections

The query is being used by the following detections: