Detection rules › Splunk
Kubernetes Nginx Ingress LFI
The following analytic detects local file inclusion (LFI) attacks targeting Kubernetes Nginx ingress controllers. It leverages Kubernetes logs, parsing fields such as request and status to identify suspicious patterns indicative of LFI attempts. This activity is significant because LFI attacks can allow attackers to read sensitive files from the server, potentially exposing critical information. If confirmed malicious, this could lead to unauthorized access to sensitive data, further exploitation, and potential compromise of the Kubernetes environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1212 Exploitation for Credential Access |
Rule body splunk
name: Kubernetes Nginx Ingress LFI
id: 0f83244b-425b-4528-83db-7a88c5f66e48
version: 11
creation_date: '2021-08-23'
modification_date: '2026-05-13'
author: Patrick Bareiss, Splunk
status: production
type: TTP
description: The following analytic detects local file inclusion (LFI) attacks targeting Kubernetes Nginx ingress controllers. It leverages Kubernetes logs, parsing fields such as `request` and `status` to identify suspicious patterns indicative of LFI attempts. This activity is significant because LFI attacks can allow attackers to read sensitive files from the server, potentially exposing critical information. If confirmed malicious, this could lead to unauthorized access to sensitive data, further exploitation, and potential compromise of the Kubernetes environment.
data_source: []
search: '`kubernetes_container_controller` | rex field=_raw "^(?<remote_addr>\S+)\s+-\s+-\s+\[(?<time_local>[^\]]*)\]\s\"(?<request>[^\"]*)\"\s(?<status>\S*)\s(?<body_bytes_sent>\S*)\s\"(?<http_referer>[^\"]*)\"\s\"(?<http_user_agent>[^\"]*)\"\s(?<request_length>\S*)\s(?<request_time>\S*)\s\[(?<proxy_upstream_name>[^\]]*)\]\s\[(?<proxy_alternative_upstream_name>[^\]]*)\]\s(?<upstream_addr>\S*)\s(?<upstream_response_length>\S*)\s(?<upstream_response_time>\S*)\s(?<upstream_status>\S*)\s(?<req_id>\S*)" | rename remote_addr AS src_ip, upstream_status as status, proxy_upstream_name as proxy | rex field=request "^(?<http_method>\S+)\s(?<url>\S+)\s" | eval phase="operate" | eval severity="high" | stats count min(_time) as firstTime max(_time) as lastTime by src_ip, status, url, http_method, host, http_user_agent, proxy, phase, severity, request | lookup local_file_inclusion_paths local_file_inclusion_paths AS request OUTPUT lfi_path | search lfi_path=yes | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kubernetes_nginx_ingress_lfi_filter`'
how_to_implement: You must ingest Kubernetes logs through Splunk Connect for Kubernetes.
known_false_positives: No false positives have been identified at this time.
references:
- https://github.com/splunk/splunk-connect-for-kubernetes
- https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/
drilldown_searches:
- name: View the detection results for - "$host$"
search: '%original_detection_search% | search host = "$host$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$host$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
finding:
title: Local File Inclusion Attack detected on $host$
entity:
field: host
type: system
score: 50
threat_objects:
- field: src_ip
type: ip_address
analytic_story:
- Dev Sec Ops
asset_type: Kubernetes
mitre_attack_id:
- T1212
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: cloud
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/kubernetes_nginx_lfi_attack.log
sourcetype: kube:container:controller
source: kubernetes
test_type: unit
Stages and Predicates
Stage 1: search
`kubernetes_container_controller`
Stage 2: eval
| rex field=_raw "^(?<remote_addr>\S+)\s+-\s+-\s+\[(?<time_local>[^\]]*)\]\s\"(?<request>[^\"]*)\"\s(?<status>\S*)\s(?<body_bytes_sent>\S*)\s\"(?<http_referer>[^\"]*)\"\s\"(?<http_user_agent>[^\"]*)\"\s(?<request_length>\S*)\s(?<request_time>\S*)\s\[(?<proxy_upstream_name>[^\]]*)\]\s\[(?<proxy_alternative_upstream_name>[^\]]*)\]\s(?<upstream_addr>\S*)\s(?<upstream_response_length>\S*)\s(?<upstream_response_time>\S*)\s(?<upstream_status>\S*)\s(?<req_id>\S*)"
Stage 3: rename
| rename remote_addr AS src_ip, upstream_status as status, proxy_upstream_name as proxy
Stage 4: rex
| rex field=request "^(?<http_method>\S+)\s(?<url>\S+)\s"
Stage 5: eval
| eval phase="operate"
Stage 6: eval
| eval severity="high"
Stage 7: stats
| stats count min(_time) as firstTime max(_time) as lastTime by src_ip, status, url, http_method, host, http_user_agent, proxy, phase, severity, request
Stage 8: lookup
| lookup local_file_inclusion_paths local_file_inclusion_paths AS request OUTPUT lfi_path
Stage 9: search
| search lfi_path=yes
Stage 10: search
| `security_content_ctime(firstTime)`
Stage 11: search
| `security_content_ctime(lastTime)`
Stage 12: search
| `kubernetes_nginx_ingress_lfi_filter`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
lfi_path | eq |
|
sourcetype | eq |
|