Hub configuration

More info

http-w00tw00t Scenario

« http-w00tw00t »
v0.3 by ltsich
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1595confidence:3

detect w00tw00t

Installation

cscli scenarios install ltsich/http-w00tw00t

Description

trigger scenario to detect w00tw00t pattern used by http vulnerability scanner, see this ressource

Contributed by https://github.com/LtSich

YAML Configuration

1#contributed by ltsich
2type: trigger
3name: ltsich/http-w00tw00t
4description: "detect w00tw00t"
5debug: false
6filter: "evt.Meta.log_type == 'http_access-log' and (
7  evt.Parsed.file_name contains 'w00tw00t.at.ISC.SANS.DFind' or
8  Lower(evt.Meta.http_path) == '/core/skin/login.aspx'
9  )"
10groupby: evt.Meta.source_ip
11blackhole: 5m
12labels:
13  service: http
14  classification:
15    - attack.T1595
16  spoofable: 0
17  confidence: 3
18  behavior: "http:scan"
19  label: "w00t w00t Scanner"
20  remediation: true
21

Hub configuration

« http-w00tw00t »v0.3 by ltsichAttack scenarioremediation:trueservice:httpspoofable:0MITRE:T1595confidence:3

« http-w00tw00t »
v0.3 by ltsich
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1595confidence:3