pterodactyl-wings-bf Scenario

« pterodactyl-wings-bf »
v0.4 by lourys
Attack scenarioremediation:trueservice:pterodactylspoofable:0MITRE:T1110confidence:3

Detect invalid_format ssh bruteforce

Installation

cscli scenarios install lourys/pterodactyl-wings-bf

Description

Detect failed pterodactyl wings authentications:

Invalid format (this means that someone is trying out a username that doesn't match the correct format):

leakspeed of 15m, capacity of 5 on same target user
leakspeed of 15m, capacity of 5 unique distinct users

Invalid username/password:

leakspeed of 5m, capacity of 10

YAML Configuration

1####################
2## Invalid format ##
3####################
4type: leaky
5name: lourys/pterodactyl-wings-bf
6description: "Detect invalid_format ssh bruteforce"
7filter: "evt.Meta.log_type == 'pterodactly_wings_invalid_format'"
8leakspeed: 15m
9capacity: 5
10groupby: evt.Meta.source_ip
11blackhole: 30m
12reprocess: true
13labels:
14  service: pterodactyl
15  classification:
16    - attack.T1110
17  spoofable: 0
18  confidence: 3
19  behavior: "ssh:bruteforce"
20  label: "Pterodactyl Wing Bruteforce"
21  remediation: true
22---
23type: leaky
24name: lourys/pterodactyl-wings-bf
25description: "Detect invalid_format ssh user enum bruteforce"
26filter: evt.Meta.log_type == 'pterodactly_wings_invalid_format'
27groupby: evt.Meta.source_ip
28distinct: evt.Meta.target_user
29leakspeed: 15m
30capacity: 5
31blackhole: 30m
32labels:
33  service: pterodactyl
34  classification:
35    - attack.T1087
36  spoofable: 0
37  confidence: 3
38  behavior: "ssh:bruteforce"
39  label: "Pterodactyl Wing Bruteforce"
40  remediation: true
41
42###############################
43## Invalid username/password ##
44###############################
45---
46type: leaky
47name: lourys/pterodactyl-wings-bf
48description: "Detect invalid_username_or_password ssh bruteforce"
49filter: evt.Meta.log_type == 'pterodactly_wings_invalid_username_or_password'
50groupby: evt.Meta.source_ip
51leakspeed: 5m
52capacity: 10
53blackhole: 5m
54labels:
55  service: pterodactyl
56  classification:
57    - attack.T1110
58  spoofable: 0
59  confidence: 3
60  behavior: "ssh:bruteforce"
61  label: "Pterodactyl Wing Bruteforce"
62  remediation: true
63

Hub configuration

« pterodactyl-wings-bf »v0.4 by lourysAttack scenarioremediation:trueservice:pterodactylspoofable:0MITRE:T1110confidence:3

« pterodactyl-wings-bf »
v0.4 by lourys
Attack scenarioremediation:trueservice:pterodactylspoofable:0MITRE:T1110confidence:3