lemonldap-ng-bf Scenario

« lemonldap-ng-bf »
v0.2 by firewallservices
Attack scenarioremediation:trueservice:ldapspoofable:0MITRE:T1110confidence:3

Detect Lemonldap::NG bruteforce

Installation

cscli scenarios install firewallservices/lemonldap-ng-bf

Description

Detect failed Lemonldap::NG authentications :

leakspeed of 30s, capacity of 5 on same target user
leakspeed of 2m, capacity of 5 unique distinct users

YAML Configuration

1# Lemonldap::NG brutforce
2type: leaky
3#debug: true
4name: firewallservices/lemonldap-ng-bf
5description: "Detect Lemonldap::NG bruteforce"
6filter: evt.Meta.service == 'llng' and evt.Meta.log_type == 'llng_auth_fail'
7leakspeed: 30s
8capacity: 5
9groupby: evt.Meta.source_ip
10blackhole: 1m
11reprocess: true
12labels:
13  service: ldap
14  confidence: 3
15  spoofable: 0
16  classification:
17    - attack.T1110
18  behavior: "ldap:bruteforce"
19  label: "LemonLDAP Bruteforce"
20  remediation: true
21
22---
23# Lemonldap::NG user enumeration
24type: leaky
25#debug: true
26name: firewallservices/lemonldap-ng-user-enum
27description: "Detect Lemonldap::NG user enum bruteforce"
28filter: evt.Meta.service == 'llng' and evt.Meta.log_type == 'llng_auth_fail'
29groupby: evt.Meta.source_ip
30distinct: evt.Meta.user
31leakspeed: 2m
32capacity: 5
33blackhole: 1m
34labels:
35  service: ldap
36  confidence: 3
37  spoofable: 0
38  classification:
39    - attack.T1110
40    - attack.T1595
41  behavior: "ldap:bruteforce"
42  label: "LemonLDAP User Enum Bruteforce"
43  remediation: true
44

Hub configuration

« lemonldap-ng-bf »v0.2 by firewallservicesAttack scenarioremediation:trueservice:ldapspoofable:0MITRE:T1110confidence:3

« lemonldap-ng-bf »
v0.2 by firewallservices
Attack scenarioremediation:trueservice:ldapspoofable:0MITRE:T1110confidence:3