hestiacp-bf Scenario

« hestiacp-bf »
v0.1 by LearningSpot
Attack scenarioremediation:trueservice:hestiacpspoofable:0MITRE:T1110confidence:3

Detect Hestiacp Bruteforce

Installation

cscli scenarios install LearningSpot/hestiacp-bf

Description

Detect failed authentications for Hestiacp :

leakspeed of 1m, capacity of 5, blackhole of 1m on source ip and user enumeration

YAML Configuration

1# Hestiacp Bruteforce
2type: leaky
3name: LearningSpot/hestiacp-bf
4description: "Detect Hestiacp Bruteforce"
5filter: evt.Meta.log_type == 'hestiacp_failed_auth'
6groupby: evt.Meta.source_ip
7leakspeed: 1m
8capacity: 5
9blackhole: 1m
10labels:
11  service: hestiacp
12  classification:
13    - attack.T1110
14  behavior: "http:bruteforce"
15  confidence: 3
16  spoofable: 0
17  label: "hestiacp Bruteforce"
18  remediation: true
19---
20# Hestiacp User Enumeration
21type: leaky
22name: LearningSpot/hestiacp-bf-user-enum
23description: "Detect Hestiacp User Enumeration Bruteforce"
24filter: evt.Meta.log_type == 'hestiacp_failed_auth'
25distinct: evt.Meta.target_user
26groupby: evt.Meta.source_ip
27leakspeed: 1m
28capacity: 5
29blackhole: 1m
30labels:
31  service: hestiacp
32  classification:
33    - attack.T1589
34    - attack.T1110
35  behavior: "http:bruteforce"
36  confidence: 3
37  spoofable: 0
38  label: "Hestiacp User Enumeration"
39  remediation: true
40

Hub configuration

« hestiacp-bf »v0.1 by LearningSpotAttack scenarioremediation:trueservice:hestiacpspoofable:0MITRE:T1110confidence:3

« hestiacp-bf »
v0.1 by LearningSpot
Attack scenarioremediation:trueservice:hestiacpspoofable:0MITRE:T1110confidence:3