teleport-bf Scenario

« teleport-bf »
v0.1 by crowdsecurity
Attack scenarioremediation:truetype:bruteforce service:teleportspoofable:0MITRE:T1110confidence:3

detect teleport bruteforce

Installation

cscli scenarios install crowdsecurity/teleport-bf

Description

Scenarios to detect teleport authentication bruteforce attacks.

YAML Configuration

1type: leaky
2name: crowdsecurity/teleport-bf
3description: "detect teleport bruteforce"
4filter: | 
5  evt.Meta.service == 'teleport' &&
6  evt.Meta.sub_type in ['auth', 'user.login'] &&
7  evt.Meta.success == 'false'
8groupby: evt.Meta.source_ip
9capacity: 5
10leakspeed: "10s"
11blackhole: 5m
12labels:
13 service: teleport
14 type: bruteforce
15 remediation: true
16 confidence: 3
17 spoofable: 0
18 classification:
19    - attack.T1110
20 label: "Teleport Bruteforce"
21 behavior: "teleport:bruteforce"
22---
23type: leaky
24name: crowdsecurity/teleport-slow-bf
25description: "detect slow teleport bruteforce"
26filter: | 
27  evt.Meta.service == 'teleport' &&
28  evt.Meta.sub_type in ['auth', 'user.login'] &&
29  evt.Meta.success == 'false'
30groupby: evt.Meta.source_ip
31capacity: 10
32leakspeed: 1m
33blackhole: 5m
34labels:
35 service: teleport
36 type: bruteforce
37 remediation: true
38 confidence: 3
39 spoofable: 0
40 classification:
41    - attack.T1110
42 label: "Teleport Bruteforce"
43 behavior: "teleport:bruteforce"

Hub configuration

« teleport-bf »v0.1 by crowdsecurityAttack scenarioremediation:truetype:bruteforce service:teleportspoofable:0MITRE:T1110confidence:3

« teleport-bf »
v0.1 by crowdsecurity
Attack scenarioremediation:truetype:bruteforce service:teleportspoofable:0MITRE:T1110confidence:3