exchange-bf Scenario

« exchange-bf »
v0.4 by crowdsecurity
Attack scenarioremediation:trueservice:exchangespoofable:0MITRE:T1110confidence:3

Detect Exchange bruteforce (SMTP,IMAP,POP3)

Installation

cscli scenarios install crowdsecurity/exchange-bf

YAML Configuration

1type: leaky
2name: crowdsecurity/exchange-bf
3description: "Detect Exchange bruteforce (SMTP,IMAP,POP3)"
4filter: evt.Meta.service == 'exchange' && evt.Meta.sub_type == 'auth_fail'
5groupby: evt.Meta.source_ip
6leakspeed: 10s
7capacity: 5
8blackhole: 1m
9labels:
10  confidence: 3
11  spoofable: 0
12  classification:
13    - attack.T1110
14  behavior: "pop3/imap:bruteforce"
15  label: "Microsoft Exchange Bruteforce"
16  remediation: true
17  service: exchange
18

Hub configuration

« exchange-bf »v0.4 by crowdsecurityAttack scenarioremediation:trueservice:exchangespoofable:0MITRE:T1110confidence:3

« exchange-bf »
v0.4 by crowdsecurity
Attack scenarioremediation:trueservice:exchangespoofable:0MITRE:T1110confidence:3