1name: crowdsecurity/generic-wordpress-uploads-php
2description: "Detect php execution in wordpress uploads directory"
3rules:
4  - and:
5    - zones: 
6      - URI
7      transform:
8      - lowercase
9      - urldecode
10      match:
11        type: regex
12        value: '/wp-content/uploads/.*\.(h?ph(p|tm?l?|ar)|module|shtml)'
13
14labels:
15   type: exploit
16   service: http
17   confidence: 2
18   spoofable: 0
19   behavior: "http:exploit"
20   label: "Detect Wordpress PHP execution in uploads directory"
21   classification:
22     - attack.T1595
23     - attack.T1190