vaultwarden-bf Scenario

« vaultwarden-bf »
v0.3 by Dominic-Wagner
Attack scenarioremediation:trueservice:vaultwardenspoofable:0MITRE:T1110confidence:3

Detect vaultwarden bruteforce

Installation

cscli scenarios install Dominic-Wagner/vaultwarden-bf

Description

Detect failed vaultwarden authentications:

leakspeed of 1m, capacity of 5 on source ip
leakspeed of 1m, capacity of 5 on source ip and unique distinct users

YAML Configuration

1# vaultwarden bruteforce
2type: leaky
3name: Dominic-Wagner/vaultwarden-bf
4description: "Detect vaultwarden bruteforce"
5filter: "evt.Meta.log_type in ['vaultwarden_failed_auth', 'vaultwarden_failed_admin_auth', 'vaultwarden_failed_2fa_totp', 'vaultwarden_failed_2fa_email']"
6leakspeed: 1m
7capacity: 5
8groupby: evt.Meta.source_ip
9blackhole: 5m
10reprocess: true
11labels:
12  service: vaultwarden
13  behavior: "generic:bruteforce"
14  classification:
15    - attack.T1110
16  label: "Vaultwarden Bruteforce"
17  spoofable: 0
18  confidence: 3
19  remediation: true
20---
21# vaultwarden user-enum
22type: leaky
23name: Dominic-Wagner/vaultwarden-bf_user-enum
24description: "Detect vaultwarden user enum bruteforce"
25filter: evt.Meta.log_type == 'vaultwarden_failed_auth'
26groupby: evt.Meta.source_ip
27distinct: evt.Meta.username
28leakspeed: 1m
29capacity: 5
30blackhole: 5m
31reprocess: true
32labels:
33  service: vaultwarden
34  behavior: "generic:bruteforce"
35  classification:
36    - attack.T1589
37    - attack.T1110
38  label: "Vaultwarden User Enumeration"
39  spoofable: 0
40  confidence: 3
41  remediation: true
42

Hub configuration

« vaultwarden-bf »v0.3 by Dominic-WagnerAttack scenarioremediation:trueservice:vaultwardenspoofable:0MITRE:T1110confidence:3

« vaultwarden-bf »
v0.3 by Dominic-Wagner
Attack scenarioremediation:trueservice:vaultwardenspoofable:0MITRE:T1110confidence:3