gitlab-bf Configuration

« gitlab-bf »
v0.2 by timokoessler
Attack scenarioremediation:trueservice:gitlabspoofable:0MITRE:T1110confidence:3

Detect gitlab bruteforce

Installation

cscli scenarios install timokoessler/gitlab-bf

Description

Detect failed GitLab authentications:

leakspeed of 20s, capacity of 5 on source ip
leakspeed of 40s, capacity of 5 on source ip and unique distinct users

YAML Configuration

1# gitlab bruteforce
2type: leaky
3name: timokoessler/gitlab-bf
4description: "Detect gitlab bruteforce"
5filter: "evt.Meta.log_type in ['gitlab_failed_password', 'gitlab_failed_totp']"
6leakspeed: "20s"
7capacity: 5
8groupby: evt.Meta.source_ip
9blackhole: 1m
10reprocess: true
11labels:
12  service: gitlab
13  behavior: "vcs:bruteforce"
14  classification:
15    - attack.T1110
16  spoofable: 0
17  confidence: 3
18  label: "Gitlab Bruteforce"
19  remediation: true
20---
21# gitlab user enum bruteforce
22type: leaky
23name: timokoessler/gitlab-bf_user-enum
24description: "Detect gitlab user enum bruteforce"
25filter: "evt.Meta.log_type == 'gitlab_failed_password'"
26leakspeed: "40s"
27capacity: 5
28groupby: evt.Meta.source_ip
29distinct: evt.Meta.username
30blackhole: 1m
31reprocess: true
32labels:
33  service: gitlab
34  behavior: "vcs:bruteforce"
35  classification:
36    - attack.T1589
37    - attack.T1110
38  spoofable: 0
39  confidence: 3
40  label: "Gitlab User Enumeration"
41  remediation: true
42

Hub configuration

« gitlab-bf »v0.2 by timokoesslerAttack scenarioremediation:trueservice:gitlabspoofable:0MITRE:T1110confidence:3

« gitlab-bf »
v0.2 by timokoessler
Attack scenarioremediation:trueservice:gitlabspoofable:0MITRE:T1110confidence:3