1type: leaky
2name: crowdsecurity/http-wordpress-scan
3description: "Detect exploitation attempts against common WordPress endpoints"
4filter: |
5  evt.Meta.service == 'http' and
6  evt.Meta.log_type in ['http_access-log', 'http_error-log'] and
7  evt.Meta.http_status in ['404', '403'] and
8  Lower(evt.Parsed.request) matches "(?i)(/wp-.*\\.php|/wp-content/plugins/.*\\.(txt|md))$"
9groupby: evt.Meta.source_ip
10distinct: evt.Parsed.request
11capacity: 3
12leakspeed: "10s"
13blackhole: 5m
14labels:
15  remediation: true
16  classification:
17    - attack.T1595
18  behavior: "http:scan"
19  label: "WordPress Vuln Hunting"
20  spoofable: 0
21  service: wordpress
22  confidence: 3
23