asterisk_user_enum Scenario

« asterisk_user_enum »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:asteriskspoofable:0MITRE:T1087MITRE:T1589MITRE:T1110confidence:3

Detect Asterisk user enumeration bruteforce

Installation

cscli scenarios install crowdsecurity/asterisk_user_enum

YAML Configuration

1type: leaky
2name: crowdsecurity/asterisk_user_enum
3description: "Detect Asterisk user enumeration bruteforce"
4filter: evt.Meta.log_type == 'asterisk_failed_auth'
5groupby: evt.Meta.source_ip
6distinct: evt.Meta.target_user
7leakspeed: 10s
8capacity: 5
9blackhole: 1m
10labels:
11  service: asterisk
12  confidence: 3
13  spoofable: 0
14  classification:
15    - attack.T1087
16    - attack.T1589.001
17    - attack.T1110
18  behavior: "sip:bruteforce"
19  label: "Asterisk User Enumeration"
20  remediation: true
21

Hub configuration

« asterisk_user_enum »v0.3 by crowdsecurityAttack scenarioremediation:trueservice:asteriskspoofable:0MITRE:T1087MITRE:T1589MITRE:T1110confidence:3

« asterisk_user_enum »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:asteriskspoofable:0MITRE:T1087MITRE:T1589MITRE:T1110confidence:3