http-bf-wordpress_bf_xmlrpc Scenario

« http-bf-wordpress_bf_xmlrpc »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:wordpressspoofable:0MITRE:T1110confidence:3

Detect WordPress bruteforce on XML-RPC endpoint

Installation

cscli scenarios install crowdsecurity/http-bf-wordpress_bf_xmlrpc

Description

Detects bruteforce on wordpress API 'xmlrpc.php'.

Warning: Some plugin heavily rely on the xmlrpc, by enabling this scenario you could block your own server. Be sure to check the source of the calls on the XMLRPC API before enabling this.

leakspeed of 2m, capacity of 5

YAML Configuration

1type: leaky
2name: crowdsecurity/http-bf-wordpress_bf_xmlrpc
3description: "Detect WordPress bruteforce on XML-RPC endpoint"
4debug: false
5# XMLRPC always returns 200
6filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.file_name == 'xmlrpc.php' && evt.Parsed.verb == 'POST'"
7groupby: evt.Meta.source_ip
8capacity: 5
9leakspeed: 2m
10blackhole: 5m
11labels:
12  confidence: 3
13  spoofable: 0
14  classification:
15    - attack.T1110
16  behavior: "http:bruteforce"
17  label: "WP XMLRPC bruteforce"
18  service: wordpress
19  remediation: true
20

Hub configuration

« http-bf-wordpress_bf_xmlrpc »v0.3 by crowdsecurityAttack scenarioremediation:trueservice:wordpressspoofable:0MITRE:T1110confidence:3

« http-bf-wordpress_bf_xmlrpc »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:wordpressspoofable:0MITRE:T1110confidence:3