webmin-bf Scenario

« webmin-bf »
v0.2 by andreasbrett
Attack scenarioremediation:trueservice:webminspoofable:0MITRE:T1110confidence:3

Detect Webmin bruteforce attacks

Installation

cscli scenarios install andreasbrett/webmin-bf

Description

Detect failed Webmin authentications:

leakspeed of 1m, capacity of 5 on source ip
leakspeed of 1m, capacity of 5 on source ip and unique distinct users

YAML Configuration

1# Webmin bruteforce
2type: leaky
3name: andreasbrett/webmin-bf
4description: "Detect Webmin bruteforce attacks"
5filter: "evt.Meta.log_type == 'webmin_failed_auth_wrong_pass'"
6leakspeed: 1m
7capacity: 5
8groupby: evt.Meta.source_ip
9blackhole: 5m
10reprocess: true
11labels:
12    service: webmin
13    confidence: 3
14    spoofable: 0
15    classification:
16        - attack.T1110
17    label: "Webmin Bruteforce"
18    behavior: "http:bruteforce"
19    remediation: true
20---
21# Webmin user-enum
22type: leaky
23name: andreasbrett/webmin-bf_user-enum
24description: "Detect Webmin user enum bruteforce"
25filter: "evt.Meta.log_type == 'webmin_failed_auth_wrong_pass'"
26groupby: evt.Meta.source_ip
27distinct: evt.Meta.username
28leakspeed: 1m
29capacity: 5
30blackhole: 5m
31labels:
32    service: webmin
33    confidence: 3
34    spoofable: 0
35    classification:
36        - attack.T1589
37    label: "Webmin Bruteforce"
38    behavior: "http:bruteforce"
39    remediation: true
40

Hub configuration

« webmin-bf »v0.2 by andreasbrettAttack scenarioremediation:trueservice:webminspoofable:0MITRE:T1110confidence:3

« webmin-bf »
v0.2 by andreasbrett
Attack scenarioremediation:trueservice:webminspoofable:0MITRE:T1110confidence:3