IIS: Indicators of XSS and SQLi attacks

The following query surfaces indicators of compromise (IoCs) for XSS and SQLi attempts in IIS logs. The query is not shown in full because this site does not accept the complete version: it should also include "OR javascript", followed by ":alert".

index=* sourcetype="ms:iis:default" NOT ("cookie.js" OR "script.js" OR "cookie-min.js" OR "RESET-COOKIE" OR "form.user-info-from-cookie") AND ("&#" OR "script>" OR "script%3E" OR "`" OR "cookie" OR alert\( OR "</" OR "@@" OR "%40%40" OR "<scr" OR "%3Cscr" OR "<" OR "%3C%2F" OR "..%2F" OR ".." OR "%2E%2E") uri_query!="-" uri_query!="utm_*" | table _time, clientip, status, uri_query | sort - _time
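
The same filter run offline over a few log lines, as an added Python example that is not part of the original post. It uses the term list as printed above, approximates Splunk's bare search terms as case-insensitive substring tests on the raw line, and assumes uri_query, clientip and status correspond to the W3C fields cs-uri-query, c-ip and sc-status; the log lines are constructed.

```python
# Added example: approximates the SPL filter with case-insensitive substring tests.
EXCLUDE = ["cookie.js", "script.js", "cookie-min.js", "RESET-COOKIE",
           "form.user-info-from-cookie"]
INDICATORS = ["&#", "script>", "script%3E", "`", "cookie", "alert(", "</", "@@",
              "%40%40", "<scr", "%3Cscr", "<", "%3C%2F", "..%2F", "..", "%2E%2E"]

# Constructed sample log (W3C extended format, reduced field set); not real traffic.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-01-01 10:00:00 203.0.113.5 GET /search.aspx q=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200
2024-01-01 10:00:05 203.0.113.6 GET /js/cookie.js v=2 200
2024-01-01 10:00:09 203.0.113.7 GET /default.aspx - 200
2024-01-01 10:00:12 203.0.113.8 GET /landing.aspx utm_source=cookie_banner 200
2024-01-01 10:00:20 203.0.113.9 GET /download.aspx file=..%2F..%2Fweb.config 404
2024-01-01 10:00:31 203.0.113.10 GET /prefs.aspx accept_cookie=yes 200
"""

def parse_iis(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()), _raw=line)

def hits(event):
    """Return the indicators that fire for one event, or [] if it is filtered out."""
    raw = event["_raw"].lower()
    query = event.get("cs-uri-query", "-")
    if query == "-" or query.lower().startswith("utm_"):   # uri_query!="-" / "utm_*"
        return []
    if any(term.lower() in raw for term in EXCLUDE):       # NOT (...) clause
        return []
    return [term for term in INDICATORS if term.lower() in raw]

def triage(text):
    """Rows of (time, client IP, status, query, matched indicators), newest first."""
    rows = [(e["date"] + " " + e["time"], e["c-ip"], e["sc-status"],
             e["cs-uri-query"], hits(e)) for e in parse_iis(text)]
    return sorted((r for r in rows if r[4]), key=lambda r: r[0], reverse=True)

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(*row, sep="  ")
```

The last sample line is a benign preference request that still matches on "cookie", which shows how broad some of the terms are and why the exclusion list matters when triaging results.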