mikrotik-bf Scenario

« mikrotik-bf »
v0.2 by a1ad
Attack scenarioremediation:trueservice:mikrotikspoofable:0MITRE:T1110confidence:3

Detect Mikrotik bruteforce

Installation

cscli scenarios install a1ad/mikrotik-bf

Description

Detect failed Mikrotik authentications:

leakspeed of 20s, capacity of 5 on same target user
leakspeed of 1m, capacity of 5 unique distinct users

YAML Configuration

1# Mikrotik BF scan
2name: a1ad/mikrotik-bf
3description: "Detect Mikrotik bruteforce"
4filter: "evt.Meta.log_type == 'mikrotik_failed_auth'"
5#debug: true
6type: leaky
7groupby: evt.Meta.source_ip
8leakspeed: "20s"
9capacity: 5
10blackhole: 1m
11labels:
12  service: mikrotik
13  behavior: "iot:bruteforce"
14  classification:
15    - attack.T1110
16  spoofable: 0
17  confidence: 3
18  label: "Mikrotik Bruteforce"
19  remediation: true
20---
21# meshcentral user-enum
22type: leaky
23name: a1ad/mikrotik-bf_user-enum
24description: "Detect mikrotik user enum bruteforce"
25filter: "evt.Meta.log_type == 'mikrotik_failed_auth'"
26groupby: evt.Meta.source_ip
27distinct: evt.Meta.user
28leakspeed: 10s
29capacity: 5
30blackhole: 1m
31labels:
32  service: mikrotik
33  behavior: "iot:bruteforce"
34  classification:
35    - attack.T1589
36    - attack.T1110
37  spoofable: 0
38  confidence: 3
39  label: "Mikrotik User Enumeration"
40  remediation: true
41

Hub configuration

« mikrotik-bf »v0.2 by a1adAttack scenarioremediation:trueservice:mikrotikspoofable:0MITRE:T1110confidence:3

« mikrotik-bf »
v0.2 by a1ad
Attack scenarioremediation:trueservice:mikrotikspoofable:0MITRE:T1110confidence:3