windows-bf Scenario

« windows-bf »
v0.2 by crowdsecurity
Attack scenarioremediation:trueservice:windowsspoofable:0MITRE:T1110confidence:3

Detect windows auth bruteforce

Installation

cscli scenarios install crowdsecurity/windows-bf

Description

Detects BF against services using windows authentication (RDP, SMB, OWA, ...).

Buckets have a capacity of 5 and a leakspeed of 10s.

YAML Configuration

1# windows auth bruteforce
2type: leaky
3name: crowdsecurity/windows-bf
4description: "Detect windows auth bruteforce"
5filter: "evt.Meta.log_type == 'windows_failed_auth'"
6leakspeed: "10s"
7capacity: 5
8groupby: evt.Meta.source_ip
9blackhole: 1m
10reprocess: true
11labels:
12  confidence: 3
13  spoofable: 0
14  classification:
15    - attack.T1110
16  behavior: "windows:bruteforce"
17  label: "Windows Bruteforce"
18  remediation: true
19  service: windows
20

Hub configuration

« windows-bf »v0.2 by crowdsecurityAttack scenarioremediation:trueservice:windowsspoofable:0MITRE:T1110confidence:3

« windows-bf »
v0.2 by crowdsecurity
Attack scenarioremediation:trueservice:windowsspoofable:0MITRE:T1110confidence:3