miniflux-bf Scenario

« miniflux-bf »
v0.1 by jbowdre
Attack scenarioremediation:trueservice:minifluxspoofable:0MITRE:T1110confidence:3

Detect miniflux bruteforce

Installation

cscli scenarios install jbowdre/miniflux-bf

Description

Detect failed Miniflux authentications:

leakspeed of 20s, capacity of 5 on same target user
leakspeed of 1m, capacity of 5 unique distinct users

YAML Configuration

1# miniflux BF scan
2name: jbowdre/miniflux-bf
3description: "Detect miniflux bruteforce"
4filter: "evt.Meta.log_type == 'miniflux_failed_auth'"
5type: leaky
6groupby: evt.Meta.source_ip
7leakspeed: 20s
8capacity: 5
9blackhole: 1m
10labels:
11  service: miniflux
12  confidence: 3
13  spoofable: 0
14  classification:
15    - attack.T1110
16  label: "Miniflux Bruteforce"
17  behavior: "http:bruteforce"
18  remediation: true
19---
20# miniflux user-enum
21type: leaky
22name: jbowdre/miniflux-bf_user-enum
23description: "Detect miniflux user enum bruteforce"
24filter: "evt.Meta.log_type == 'miniflux_failed_auth'"
25groupby: evt.Meta.source_ip
26distinct: evt.Meta.user
27leakspeed: 1m
28capacity: 5
29blackhole: 1m
30labels:
31  service: miniflux
32  confidence: 3
33  spoofable: 0
34  classification:
35    - attack.T1589
36  label: "Miniflux Bruteforce"
37  behavior: "http:bruteforce"
38  remediation: true
39
40

Hub configuration

« miniflux-bf »v0.1 by jbowdreAttack scenarioremediation:trueservice:minifluxspoofable:0MITRE:T1110confidence:3

« miniflux-bf »
v0.1 by jbowdre
Attack scenarioremediation:trueservice:minifluxspoofable:0MITRE:T1110confidence:3