Identifies HTTP requests containing the androxgh0st payload marker in the request body, indicative of automated exploitation or scanning activity associated with Androxgh0st campaigns targeting exposed web applications and misconfigured services.

Identifies HTTP GET requests targeting /.git/config, indicating attempts to access exposed Git repository configuration files. Successful access may enable repository reconstruction, credential harvesting, or source code disclosure.

Identifies HTTP sessions where WordPress authentication is attempted through URL-encoded form credential submission. This pattern is commonly associated with automated login probing, credential stuffing frameworks, or scripted reconnaissance against WordPress admin authentication workflows.

HTTP request using GET method.

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.