http-wordpress_wpconfig Configuration

« http-wordpress_wpconfig »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:wordpressspoofable:0MITRE:T1595confidence:3

Detect WordPress probing: variations around wp-config.php by wpscan

Installation

cscli scenarios install crowdsecurity/http-wordpress_wpconfig

Description

Detects probing to find alternate wp-config file, such as done by wpscan.

leakspeed of 10s, capacity of 5

YAML Configuration

1type: leaky
2name: crowdsecurity/http-wordpress_wpconfig
3description: "Detect WordPress probing: variations around wp-config.php by wpscan"
4debug: false
5filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.file_name contains 'wp-config.php'"
6groupby: evt.Meta.source_ip
7distinct: evt.Parsed.file_name
8capacity: 5
9leakspeed: "10s"
10blackhole: 5m
11labels:
12  remediation: true
13  classification:
14    - attack.T1595
15  behavior: "http:scan"
16  label: "Access to WordPress wp-config.php"
17  spoofable: 0
18  confidence: 3
19  service: wordpress
20

Hub configuration

« http-wordpress_wpconfig »v0.3 by crowdsecurityAttack scenarioremediation:trueservice:wordpressspoofable:0MITRE:T1595confidence:3

« http-wordpress_wpconfig »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:wordpressspoofable:0MITRE:T1595confidence:3