baikal-bf Scenario

« baikal-bf »
v0.5 by andreasbrett
Attack scenarioremediation:truetype:bruteforce service:baikalspoofable:0MITRE:T1110confidence:3

Detect Baikal bruteforce attacks

Installation

cscli scenarios install andreasbrett/baikal-bf

Description

Detect failed Baikal authentications:

leakspeed of 1m, capacity of 5 on source ip
leakspeed of 1m, capacity of 5 on source ip and unique distinct users

YAML Configuration

1# Baikal bruteforce
2type: leaky
3name: andreasbrett/baikal-bf
4description: "Detect Baikal bruteforce attacks"
5filter: "evt.Meta.log_type in ['baikal_failed_auth', 'baikal_failed_auth_no_user']"
6leakspeed: 1m
7capacity: 5
8groupby: evt.Meta.source_ip
9blackhole: 5m
10reprocess: true
11labels:
12    service: baikal
13    type: bruteforce
14    classification:
15      - attack.T1110
16    remediation: true
17    behavior: http:bruteforce
18    spoofable: 0
19    confidence: 3
20---
21# Baikal user-enum (only for web UI since Baikal doesn't log failed username for CalDAV/CardDAV access)
22type: leaky
23name: andreasbrett/baikal-bf_user-enum
24description: "Detect Baikal user enum bruteforce"
25filter: "evt.Meta.log_type == 'baikal_failed_auth'"
26groupby: evt.Meta.source_ip
27distinct: evt.Meta.username
28leakspeed: 1m
29capacity: 5
30blackhole: 5m
31labels:
32    service: baikal
33    type: bruteforce
34    remediation: true
35    behavior: http:bruteforce
36    spoofable: 0
37    confidence: 3
38    classification:
39      - attack.T1110

Hub configuration

« baikal-bf »v0.5 by andreasbrettAttack scenarioremediation:truetype:bruteforce service:baikalspoofable:0MITRE:T1110confidence:3

« baikal-bf »
v0.5 by andreasbrett
Attack scenarioremediation:truetype:bruteforce service:baikalspoofable:0MITRE:T1110confidence:3