Frontdoor - Default Rule Set 1.1

Generated: 22 February 2026 | Total Rules: 125

Microsoft_DefaultRuleSet 1.1

MS-ThreatIntel-WebShells - Web shell attacks

| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 99005002 | MS-ThreatIntel-WebShells | Web Shell Interaction Attempt (POST) | Block | Enabled | |
| 99005003 | MS-ThreatIntel-WebShells | Web Shell Upload Attempt (POST) - CHOPPER PHP | Block | Enabled | |
| 99005004 | MS-ThreatIntel-WebShells | Web Shell Upload Attempt (POST) - CHOPPER ASPX | Block | Enabled | |
| 99005006 | MS-ThreatIntel-WebShells | Spring4Shell Interaction Attempt | Block | Disabled | |

MS-ThreatIntel-AppSec - Path traversal evasion

| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 99030001 | MS-ThreatIntel-AppSec | Path Traversal Evasion in Headers (/.././../) | Block | Enabled | |
| 99030002 | MS-ThreatIntel-AppSec | Path Traversal Evasion in Request Body (/.././../) | Block | Enabled | |

MS-ThreatIntel-SQLI - SQL injection

| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 99031001 | MS-ThreatIntel-SQLI | SQL Injection Attack: Common Injection Testing Detected | Block | Enabled | |
| 99031002 | MS-ThreatIntel-SQLI | SQL Comment Sequence Detected. | Block | Enabled | |

MS-ThreatIntel-CVEs - REST API exploitation

| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 99001001 | MS-ThreatIntel-CVEs | Attempted F5 tmui (CVE-2020-5902) REST API Exploitation with known credentials | Block | Enabled | |
| 99001014 | MS-ThreatIntel-CVEs | Attempted Spring Cloud routing-expression injection (CVE-2022-22963) | Block | Disabled | |
| 99001015 | MS-ThreatIntel-CVEs | Attempted Spring Framework unsafe class object exploitation (CVE-2022-22965) | Block | Disabled | |
| 99001016 | MS-ThreatIntel-CVEs | Attempted Spring Cloud Gateway Actuator injection (CVE-2022-22947) | Block | Disabled | |
| 99001017 | MS-ThreatIntel-CVEs | Attempted Apache Struts file upload exploitation (CVE-2023-50164) | Block | Disabled | |

PROTOCOL-ATTACK - Protocol attack

| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 921110 | PROTOCOL-ATTACK | HTTP Request Smuggling Attack | Block | Enabled | source |
| 921120 | PROTOCOL-ATTACK | HTTP Response Splitting Attack | Block | Enabled | source |
| 921130 | PROTOCOL-ATTACK | HTTP Response Splitting Attack | Block | Enabled | source |
| 921140 | PROTOCOL-ATTACK | HTTP Header Injection Attack via headers | Block | Enabled | source |
| 921150 | PROTOCOL-ATTACK | HTTP Header Injection Attack via payload (CR/LF detected) | Block | Enabled | source |
| 921160 | PROTOCOL-ATTACK | HTTP Header Injection Attack via payload (CR/LF and header-name detected) | Block | Enabled | source |
| 921151 | PROTOCOL-ATTACK | HTTP Header Injection Attack via payload (CR/LF detected) | Block | Enabled | source |

LFI - Local file inclusion

| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 930100 | LFI | Path Traversal Attack (/../) | Block | Enabled | source |
| 930110 | LFI | Path Traversal Attack (/../) | Block | Enabled | source |
| 930120 | LFI | OS File Access Attempt | Block | Enabled | source |
| 930130 | LFI | Restricted File Access Attempt | Block | Enabled | source |

RFI - Remote file inclusion

| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 931100 | RFI | Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address | Block | Enabled | source |
| 931110 | RFI | Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload | Block | Enabled | source |
| 931120 | RFI | Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?) | Block | Enabled | source |
| 931130 | RFI | Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link (replaced by rule #99032002) | Block | Enabled | source |

RCE - Remote Command Execution attacks

| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 932100 | RCE | Remote Command Execution: Unix Command Injection | Block | Enabled | source |
| 932105 | RCE | Remote Command Execution: Unix Command Injection | Block | Enabled | source |
| 932110 | RCE | Remote Command Execution: Windows Command Injection | Block | Enabled | source |
| 932115 | RCE | Remote Command Execution: Windows Command Injection | Block | Enabled | source |
| 932120 | RCE | Remote Command Execution: Windows PowerShell Command Found | Block | Enabled | source |
| 932130 | RCE | Remote Command Execution: Unix Shell Expression or Confluence Vulnerability (CVE-2022-26134) Found | Block | Enabled | source |
| 932140 | RCE | Remote Command Execution: Windows FOR/IF Command Found | Block | Enabled | source |
| 932150 | RCE | Remote Command Execution: Direct Unix Command Execution | Block | Enabled | source |
| 932160 | RCE | Remote Command Execution: Unix Shell Code Found | Block | Enabled | source |
| 932170 | RCE | Remote Command Execution: Shellshock (CVE-2014-6271) | Block | Enabled | source |
| 932171 | RCE | Remote Command Execution: Shellshock (CVE-2014-6271) | Block | Enabled | source |
| 932180 | RCE | Restricted File Upload Attempt | Block | Enabled | source |

PHP - PHP attacks

| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 933100 | PHP | PHP Injection Attack: PHP Open Tag Found | Block | Enabled | source |
| 933110 | PHP | PHP Injection Attack: PHP Script File Upload Found | Block | Enabled | source |
| 933120 | PHP | PHP Injection Attack: Configuration Directive Found | Block | Enabled | source |
| 933130 | PHP | PHP Injection Attack: Variables Found | Block | Enabled | source |
| 933140 | PHP | PHP Injection Attack: I/O Stream Found | Block | Enabled | source |
| 933150 | PHP | PHP Injection Attack: High-Risk PHP Function Name Found | Block | Enabled | source |
| 933151 | PHP | PHP Injection Attack: Medium-Risk PHP Function Name Found | Block | Enabled | source |
| 933160 | PHP | PHP Injection Attack: High-Risk PHP Function Call Found | Block | Enabled | source |
| 933170 | PHP | PHP Injection Attack: Serialized Object Injection | Block | Enabled | source |
| 933180 | PHP | PHP Injection Attack: Variable Function Call Found | Block | Enabled | source |

XSS - Cross-site scripting

| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 941100 | XSS | XSS Attack Detected via libinjection | Block | Enabled | source |
| 941101 | XSS | XSS Attack Detected via libinjection | Block | Enabled | source |
| 941110 | XSS | XSS Filter - Category 1: Script Tag Vector | Block | Enabled | source |
| 941120 | XSS | XSS Filter - Category 2: Event Handler Vector | Block | Enabled | source |
| 941130 | XSS | XSS Filter - Category 3: Attribute Vector | Block | Enabled | source |
| 941140 | XSS | XSS Filter - Category 4: Javascript URI Vector | Block | Enabled | source |
| 941150 | XSS | XSS Filter - Category 5: Disallowed HTML Attributes | Block | Enabled | source |
| 941160 | XSS | NoScript XSS InjectionChecker: HTML Injection | Block | Enabled | source |
| 941170 | XSS | NoScript XSS InjectionChecker: Attribute Injection | Block | Enabled | source |
| 941180 | XSS | Node-Validator Blacklist Keywords | Block | Enabled | source |
| 941190 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | source |
| 941200 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | source |
| 941210 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | source |
| 941220 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | source |
| 941230 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | source |
| 941240 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | source |
| 941250 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | source |
| 941260 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | source |
| 941270 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | source |
| 941280 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | source |
| 941290 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | source |
| 941300 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | source |
| 941310 | XSS | US-ASCII Malformed Encoding XSS Filter - Attack Detected. | Block | Enabled | source |
| 941320 | XSS | Possible XSS Attack Detected - HTML Tag Handler | Block | Enabled | source |
| 941330 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | source |
| 941340 | XSS | IE XSS Filters - Attack Detected. | Block | Enabled | source |
| 941350 | XSS | UTF-7 Encoding IE XSS - Attack Detected. | Block | Enabled | source |

SQLI - SQL injection

| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 942100 | SQLI | SQL Injection Attack Detected via libinjection | Block | Enabled | source |
| 942110 | SQLI | SQL Injection Attack: Common Injection Testing Detected | Block | Disabled | source |
| 942120 | SQLI | SQL Injection Attack: SQL Operator Detected | Block | Enabled | source |
| 942140 | SQLI | SQL Injection Attack: Common DB Names Detected | Block | Enabled | source |
| 942150 | SQLI | SQL Injection Attack | Block | Enabled | source |
| 942160 | SQLI | Detects blind sqli tests using sleep() or benchmark(). | Block | Enabled | source |
| 942170 | SQLI | Detects SQL benchmark and sleep injection attempts including conditional queries | Block | Enabled | source |
| 942180 | SQLI | Detects basic SQL authentication bypass attempts 1/3 | Block | Enabled | source |
| 942190 | SQLI | Detects MSSQL code execution and information gathering attempts | Block | Enabled | source |
| 942200 | SQLI | Detects MySQL comment-/space-obfuscated injections and backtick termination | Block | Enabled | source |
| 942210 | SQLI | Detects chained SQL injection attempts 1/2 | Block | Enabled | source |
| 942220 | SQLI | Looking for integer overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the "magic number" crash | Block | Enabled | source |
| 942230 | SQLI | Detects conditional SQL injection attempts | Block | Enabled | source |
| 942240 | SQLI | Detects MySQL charset switch and MSSQL DoS attempts | Block | Enabled | source |
| 942250 | SQLI | Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections | Block | Enabled | source |
| 942260 | SQLI | Detects basic SQL authentication bypass attempts 2/3 | Block | Enabled | source |
| 942270 | SQLI | Looking for basic sql injection. Common attack string for mysql, oracle and others. | Block | Enabled | source |
| 942280 | SQLI | Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts | Block | Enabled | source |
| 942290 | SQLI | Finds basic MongoDB SQL injection attempts | Block | Enabled | source |
| 942300 | SQLI | Detects MySQL comments, conditions and ch(a)r injections | Block | Enabled | source |
| 942310 | SQLI | Detects chained SQL injection attempts 2/2 | Block | Enabled | source |
| 942320 | SQLI | Detects MySQL and PostgreSQL stored procedure/function injections | Block | Enabled | source |
| 942330 | SQLI | Detects classic SQL injection probings 1/3 | Block | Enabled | source |
| 942340 | SQLI | Detects basic SQL authentication bypass attempts 3/3 | Block | Enabled | source |
| 942350 | SQLI | Detects MySQL UDF injection and other data/structure manipulation attempts | Block | Enabled | source |
| 942360 | SQLI | Detects concatenated basic SQL injection and SQLLFI attempts | Block | Enabled | source |
| 942361 | SQLI | Detects basic SQL injection based on keyword alter or union | Block | Enabled | source |
| 942370 | SQLI | Detects classic SQL injection probings 2/3 | Block | Enabled | source |
| 942380 | SQLI | SQL Injection Attack | Block | Enabled | source |
| 942390 | SQLI | SQL Injection Attack | Block | Enabled | source |
| 942400 | SQLI | SQL Injection Attack | Block | Enabled | source |
| 942410 | SQLI | SQL Injection Attack | Block | Enabled | source |
| 942430 | SQLI | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) | Block | Disabled | source |
| 942440 | SQLI | SQL Comment Sequence Detected. | Block | Disabled | source |
| 942450 | SQLI | SQL Hex Encoding Identified | Block | Enabled | source |
| 942470 | SQLI | SQL Injection Attack | Block | Enabled | source |
| 942480 | SQLI | SQL Injection Attack | Block | Enabled | source |

FIX - Session Fixation attacks

| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 943100 | FIX | Possible Session Fixation Attack: Setting Cookie Values in HTML | Block | Enabled | source |
| 943110 | FIX | Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer | Block | Enabled | source |
| 943120 | FIX | Possible Session Fixation Attack: SessionID Parameter Name with No Referer | Block | Enabled | source |

JAVA - Java attacks

| Rule ID | Rule Group | Description | Action | State | CRS Source |
|---|---|---|---|---|---|
| 944100 | JAVA | Remote Command Execution: Suspicious Java class detected | Block | Enabled | source |
| 944110 | JAVA | Remote Command Execution: Java process spawn (CVE-2017-9805) | Block | Enabled | source |
| 944120 | JAVA | Remote Command Execution: Java serialization (CVE-2015-5842) | Block | Enabled | source |
| 944130 | JAVA | Suspicious Java class detected | Block | Enabled | source |
| 944200 | JAVA | Magic bytes Detected, probable java serialization in use | Block | Enabled | source |
| 944210 | JAVA | Magic bytes Detected Base64 Encoded, probable java serialization in use | Block | Enabled | source |
| 944240 | JAVA | Remote Command Execution: Java serialization and Log4j vulnerability (CVE-2021-44228, CVE-2021-45046) | Block | Enabled | source |
| 944250 | JAVA | Remote Command Execution: Suspicious Java method detected | Block | Enabled | source |