kasm-bruteforce Scenario

« kasm-bruteforce »
v0.2 by crowdsecurity
Attack scenarioremediation:trueservice:kasmspoofable:0MITRE:T1110confidence:3

Detect kasm login bruteforce

Installation

cscli scenarios install crowdsecurity/kasm-bruteforce

Description

Detect KASM login bruteforce 5 attempts with leakspeed of 10 seconds

YAML Configuration

1type: leaky
2name: crowdsecurity/kasm-bruteforce
3description: "Detect kasm login bruteforce"
4filter: "evt.Meta.metric_name in ['account.login.failed_invalid_user', 'account.login.failed_invalid_password']"
5leakspeed: "10s"
6capacity: 3
7groupby: evt.Meta.source_ip
8blackhole: 1m
9reprocess: true
10labels:
11  remediation: true
12  classification:
13    - attack.T1110
14  behavior: "generic:bruteforce"
15  label: "KASM Bruteforce"
16  spoofable: 0
17  confidence: 3
18  service: kasm
19

Hub configuration

« kasm-bruteforce »v0.2 by crowdsecurityAttack scenarioremediation:trueservice:kasmspoofable:0MITRE:T1110confidence:3

« kasm-bruteforce »
v0.2 by crowdsecurity
Attack scenarioremediation:trueservice:kasmspoofable:0MITRE:T1110confidence:3