Potential Cross Site Scripting (XSS)

Cross-Site Scripting (XSS) is a type of attack in which malicious scripts are injected into trusted websites. In XSS attacks, an attacker uses a benign web application to send malicious code, generally in the form of a browser-side script. This detection rule identifies the potential malicious executions of such browser-side scripts.

Rule type: eql

Rule indices:

apm--transaction
traces-apm*

Severity: low

Risk score: 21

Runs every: 60m

Searches indices from: now-119m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://github.com/payloadbox/xss-payload-list

Tags:

Data Source: APM
Use Case: Threat Detection
Tactic: Initial Access
Rule Type: BBR

Version: 2

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

any where processor.name == "transaction" and
url.fragment : ("<iframe*", "*prompt(*)*", "<script*>", "<svg*>", "*onerror=*", "*javascript*alert*", "*eval*(*)*", "*onclick=*",
"*alert(document.cookie)*", "*alert(document.domain)*","*onresize=*","*onload=*","*onmouseover=*")

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
Technique:
- Name: Drive-by Compromise
- ID: T1189
- Reference URL: https://attack.mitre.org/techniques/T1189/

« Potential Credential Access via Windows Utilities Potential DGA Activity »