keycloak-slow-bf Scenario

« keycloak-slow-bf »
v0.3 by inherent-io
Attack scenarioremediation:trueservice:keycloakspoofable:0MITRE:T1110confidence:3

Detect keycloak bruteforce

Installation

cscli scenarios install inherent-io/keycloak-slow-bf

Description

Detect failed Keycloak authentications :

leakspeed of 60s, capacity of 10 on same target user
leakspeed of 60s, capacity of 10 unique distinct users

YAML Configuration

1type: leaky
2name: inherent-io/keycloak-slow-bf
3description: "Detect keycloak bruteforce"
4filter: evt.Meta.service == "keycloak" && evt.Meta.error in ['user_not_found', 'invalid_user_credentials']
5leakspeed: "60s"
6capacity: 10
7groupby: evt.Meta.source_ip
8blackhole: 1m
9reprocess: true
10labels:
11  service: keycloak
12  confidence: 3
13  spoofable: 0
14  classification:
15    - attack.T1110
16  label: "Keycloak Bruteforce"
17  behavior: "http:bruteforce"
18  remediation: true
19---
20type: leaky
21name: inherent-io/keycloak-user-enum-slow-bf
22description: "Detect keycloak user enum bruteforce"
23filter: evt.Meta.service == "keycloak" && evt.Meta.error in ['user_not_found', 'invalid_user_credentials']
24leakspeed: "60s"
25capacity: 10
26groupby: evt.Meta.source_ip
27distinct: evt.Meta.username
28blackhole: 1m
29reprocess: true
30labels:
31  service: keycloak
32  confidence: 3
33  spoofable: 0
34  classification:
35    - attack.T1589
36  label: "Keycloak Bruteforce"
37  behavior: "http:bruteforce"
38  remediation: true
39

Hub configuration

« keycloak-slow-bf »v0.3 by inherent-ioAttack scenarioremediation:trueservice:keycloakspoofable:0MITRE:T1110confidence:3

« keycloak-slow-bf »
v0.3 by inherent-io
Attack scenarioremediation:trueservice:keycloakspoofable:0MITRE:T1110confidence:3