http-wordpress-scan Scenario

« http-wordpress-scan »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:wordpressspoofable:0MITRE:T1595confidence:3

Detect exploitation attempts against common WordPress endpoints

Installation

cscli scenarios install crowdsecurity/http-wordpress-scan

YAML Configuration

1type: leaky
2name: crowdsecurity/http-wordpress-scan
3description: "Detect exploitation attempts against common WordPress endpoints"
4filter: |
5  evt.Meta.service == 'http' and 
6  evt.Meta.log_type in ['http_access-log', 'http_error-log'] and 
7  evt.Meta.http_status in ['404', '403'] and
8  Lower(evt.Meta.http_path) contains "/wp-" and
9  Lower(evt.Meta.http_path) endsWith ".php"
10groupby: evt.Meta.source_ip
11distinct: evt.Meta.http_path
12capacity: 3
13leakspeed: "10s"
14blackhole: 5m
15labels:
16  remediation: true
17  classification:
18    - attack.T1595
19  behavior: "http:scan"
20  label: "WordPress Vuln Hunting"
21  spoofable: 0
22  service: wordpress
23  confidence: 3
24

Hub configuration

« http-wordpress-scan »v0.3 by crowdsecurityAttack scenarioremediation:trueservice:wordpressspoofable:0MITRE:T1595confidence:3

« http-wordpress-scan »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:wordpressspoofable:0MITRE:T1595confidence:3