dockge-bf Scenario

« dockge-bf »
v0.3 by LearningSpot
Attack scenarioremediation:trueservice:dockgespoofable:0MITRE:T1110confidence:3

Detect Dockge Bruteforce

Installation

cscli scenarios install LearningSpot/dockge-bf

Description

Detect failed authentications for Dockge:

leakspeed of 1m, capacity of 5, blackhole of 5m on source ip and user enumeration

YAML Configuration

1# Dockge Bruteforce
2type: leaky
3name: LearningSpot/dockge-bf
4description: "Detect Dockge Bruteforce"
5filter: evt.Meta.log_type == 'dockge_failed_auth'
6groupby: evt.Meta.source_ip
7leakspeed: 1m
8capacity: 5
9blackhole: 5m
10labels:
11  service: dockge
12  classification:
13    - attack.T1110
14  behavior: "http:bruteforce"
15  confidence: 3
16  spoofable: 0
17  label: "Dockge Bruteforce"
18  remediation: true
19---
20# Dockge User Enumeration
21type: leaky
22name: LearningSpot/dockge_bf_user_enum
23description: "Detect Dockge User Enumeration Bruteforce"
24filter: evt.Meta.log_type == 'dockge_failed_auth'
25distinct: evt.Meta.username
26groupby: evt.Meta.source_ip
27leakspeed: 1m
28capacity: 5
29blackhole: 5m
30labels:
31  service: dockge
32  classification:
33    - attack.T1589
34    - attack.T1110
35  behavior: "http:bruteforce"
36  confidence: 3
37  spoofable: 0
38  label: "Dockge User Enumeration"
39  remediation: true
40

Hub configuration

« dockge-bf »v0.3 by LearningSpotAttack scenarioremediation:trueservice:dockgespoofable:0MITRE:T1110confidence:3

« dockge-bf »
v0.3 by LearningSpot
Attack scenarioremediation:trueservice:dockgespoofable:0MITRE:T1110confidence:3