http-backdoors-attempts Configuration

« http-backdoors-attempts »
v0.6 by crowdsecurity
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1595confidence:3

Detect attempt to common backdoors

Installation

cscli scenarios install crowdsecurity/http-backdoors-attempts

Description

Detect attempts to access common backdoors such as c99.php ...

This scenario will be trigger if an attacker requests a minimum of two differents file of the list/

Configuration:

distinct : evt.Parsed.request (HTTP request URI)

leakspeed : 5 secondes

group_by : evt.Meta.source_ip

This scenario use the following list backdoors.txt from danielmiessler

YAML Configuration

1type: leaky
2#debug: true
3name: crowdsecurity/http-backdoors-attempts
4description: "Detect attempt to common backdoors"
5filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] and any(File("backdoors.txt"), { evt.Parsed.file_name == #})'
6groupby: "evt.Meta.source_ip"
7distinct: evt.Parsed.file_name
8data:
9  - source_url: https://hub-data.crowdsec.net/web/backdoors.txt
10    dest_file: backdoors.txt
11    type: string
12capacity: 1
13leakspeed: 5s
14blackhole: 5m
15labels:
16  confidence: 3
17  spoofable: 0
18  classification:
19    - attack.T1595
20  behavior: "http:exploit"
21  label: "Scanning for backdoors"
22  service: http
23  remediation: true
24

Hub configuration

« http-backdoors-attempts »v0.6 by crowdsecurityAttack scenarioremediation:trueservice:httpspoofable:0MITRE:T1595confidence:3

« http-backdoors-attempts »
v0.6 by crowdsecurity
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1595confidence:3