authentik-bf Scenario

« authentik-bf »
v0.2 by firix
Attack scenarioremediation:trueservice:authentikspoofable:0MITRE:T1110confidence:3

Detect authentik bruteforce

Installation

cscli scenarios install firix/authentik-bf

Description

Detect failed authentik authentications:

leakspeed of 20s, capacity of 5 on same target user
leakspeed of 1m, capacity of 5 unique distinct users

YAML Configuration

1# Authentik BF scan
2type: leaky
3name: firix/authentik-bf
4description: "Detect authentik bruteforce"
5filter: evt.Meta.log_type in ['authentik_failed_auth', 'authentik_invalid_username']
6groupby: evt.Meta.source_ip
7leakspeed: 20s
8capacity: 5
9blackhole: 1m
10labels:
11  service: authentik
12  behavior: "http:bruteforce"
13  spoofable: 0
14  confidence: 3
15  classification:
16    - attack.T1110
17  label: "Authentik Bruteforce"
18  remediation: true
19---
20# Authentik user-enum
21type: leaky
22name: firix/authentik-bf_user-enum
23description: "Detect authentik user enum bruteforce"
24filter: evt.Meta.log_type in ['authentik_failed_auth', 'authentik_invalid_username']
25groupby: evt.Meta.source_ip
26distinct: evt.Meta.username
27leakspeed: 1m
28capacity: 5
29blackhole: 1m
30labels:
31  service: authentik
32  behavior: "http:bruteforce"
33  spoofable: 0
34  confidence: 3
35  classification:
36    - attack.T1589
37    - attack.T1110
38  label: "Authentik User Enumeration"
39  remediation: true 
40

Hub configuration

« authentik-bf »v0.2 by firixAttack scenarioremediation:trueservice:authentikspoofable:0MITRE:T1110confidence:3

« authentik-bf »
v0.2 by firix
Attack scenarioremediation:trueservice:authentikspoofable:0MITRE:T1110confidence:3