apereo-cas-slow-bf Scenario

« apereo-cas-slow-bf »
v0.2 by jusabatier
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1110confidence:3

Detect slow CAS bruteforce

Installation

cscli scenarios install jusabatier/apereo-cas-slow-bf

Description

Detect slow CAS bruteforce authentications :

leakspeed of 60s, capacity of 10 on same target user
leakspeed of 60s, capacity of 10 unique distinct users

YAML Configuration

1# CAS bruteforce
2type: leaky
3name: jusabatier/cas-slow-bf
4description: "Detect slow CAS bruteforce"
5filter: "evt.Meta.log_type == 'cas_failed-auth'"
6leakspeed: "60s"
7references:
8  - http://wikipedia.com/cas-bf-is-bad
9capacity: 10
10groupby: evt.Meta.source_ip
11blackhole: 1m
12reprocess: true
13labels:
14  service: http
15  confidence: 3
16  spoofable: 0
17  classification:
18    - attack.T1110
19  behavior: "http:bruteforce"
20  label: "CAS Slow Bruteforce"
21  remediation: true
22---
23# cas user-enum
24type: leaky
25name: jusabatier/cas-slow-bf_user-enum
26description: "Detect slow CAS user enum bruteforce"
27filter: evt.Meta.log_type == 'cas_failed-auth'
28groupby: evt.Meta.source_ip
29distinct: evt.Meta.target_user
30leakspeed: 60s
31capacity: 10
32blackhole: 1m
33labels:
34  service: http
35  confidence: 3
36  spoofable: 0
37  classification:
38    - attack.T1589
39    - attack.T1110
40  behavior: "http:bruteforce"
41  label: "CAS Slow User Enum Bruteforce"
42  remediation: true
43

Hub configuration

« apereo-cas-slow-bf »v0.2 by jusabatierAttack scenarioremediation:trueservice:httpspoofable:0MITRE:T1110confidence:3

« apereo-cas-slow-bf »
v0.2 by jusabatier
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1110confidence:3