| ID | Technique | Tactic |
|---|---|---|
| T1071.001 | Web Protocols | Command And Control |
| T1190 | Exploit Public-Facing Application | Initial Access |
| T1595 | Active Scanning | Reconnaissance |
Detection: HTTP Rapid POST with Mixed Status Codes
Description
This detection identifies rapid-fire POST request attacks where an attacker sends more than 20 POST requests within a 5-second window, potentially attempting to exploit race conditions or overwhelm request handling. The pattern is particularly suspicious when responses vary in size or status codes, indicating successful exploitation attempts or probing for vulnerable endpoints.
Search
1`nginx_access_logs` http_method="POST"
2| bin _time span=5s
3| rename dest_ip as dest
4| stats count, values(status) as status_codes, values(bytes_out) as bytes_out, values(uri_path) as uris by _time, src_ip, dest, http_user_agent
5| where count>20
6| table _time, dest, src_ip, count, status_codes, bytes_out, http_user_agent
7| `http_rapid_post_with_mixed_status_codes_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Nginx Access | N/A | 'nginx:plus:kv' |
'/var/log/nginx/access.log' |
Macros Used
| Name | Value |
|---|---|
| nginx_access_logs | (sourcetype="nginx:plus:kv" OR sourcetype="nginx:plus:access") |
| http_rapid_post_with_mixed_status_codes_filter | search * |
http_rapid_post_with_mixed_status_codes_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Command and Control
Delivery
Reconnaissance
DE.AE
CIS 13
APT19
APT28
APT29
APT32
APT33
APT37
APT38
APT39
APT41
APT42
APT5
Agrius
Axiom
BITTER
BRONZE BUTLER
BackdoorDiplomacy
BlackByte
BlackTech
Blue Mockingbird
Chimera
Cinnamon Tempest
Cobalt Group
Confucius
Daggerfly
Dark Caracal
Dragonfly
Earth Lusca
Ember Bear
FIN13
FIN4
FIN7
FIN8
Fox Kitten
GALLIUM
GOLD SOUTHFIELD
Gamaredon Group
HAFNIUM
Higaisa
INC Ransom
Inception
Ke3chang
Kimsuky
Lazarus Group
Leviathan
LuminousMoth
Magic Hound
Medusa Group
Metador
Moonstone Sleet
Moses Staff
MuddyWater
Mustang Panda
OilRig
Orangeworm
Play
Rancor
RedCurl
RedEcho
Rocke
Salt Typhoon
Sandworm Team
Sea Turtle
Sidewinder
SilverTerrier
Stealth Falcon
Storm-0501
TA505
TA551
TeamTNT
Threat Group-3390
ToddyCat
Tropic Trooper
Turla
UNC3886
Volatile Cedar
Volt Typhoon
WIRTE
Windshift
Winter Vivern
Wizard Spider
menuPass
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
This analytic necessitates the collection of web data, which can be achieved through Splunk Stream or by utilizing the Splunk Add-on for Apache Web Server. No additional configuration is required for this analytic.
Known False Positives
False positives may be present if the activity is part of diagnostics or testing. Filter as needed.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
A potential attempt to perform request smuggling against a web server was detected. The source IP is $src_ip$ and the destination is $dest$.
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| dest | system | 40 | src_ip |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | nginx:plus:kv |
nginx:plus:kv |
| Integration | ✅ Passing | Dataset | nginx:plus:kv |
nginx:plus:kv |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1