uptime-kuma-bf Configuration

« uptime-kuma-bf »
v0.2 by timokoessler
Attack scenarioremediation:trueservice:uptime-kumaspoofable:0MITRE:T1110confidence:3

Detect Uptime Kuma bruteforce

Installation

cscli scenarios install timokoessler/uptime-kuma-bf

Description

Detect failed Uptime Kuma authentications:

leakspeed of 15s, capacity of 5 on source ip
leakspeed of 30s, capacity of 5 on source ip and unique distinct users

YAML Configuration

1# Uptime Kuma bruteforce
2type: leaky
3name: timokoessler/uptime-kuma-bf
4description: "Detect Uptime Kuma bruteforce"
5filter: "evt.Meta.log_type in ['uptime_kuma_failed_password', 'uptime_kuma_failed_totp']"
6leakspeed: "15s"
7capacity: 5
8groupby: evt.Meta.source_ip
9blackhole: 1m
10reprocess: true
11labels:
12  service: uptime-kuma
13  classification:
14    - attack.T1110
15  behavior: "http:bruteforce"
16  label: "Uptime Kuma Bruteforce"
17  spoofable: 0
18  confidence: 3
19  remediation: true
20---
21# Uptime Kuma user enum bruteforce
22type: leaky
23name: timokoessler/uptime-kuma-bf_user-enum
24description: "Detect Uptime Kuma user enum bruteforce"
25filter: "evt.Meta.log_type in ['uptime_kuma_failed_password', 'uptime_kuma_failed_totp']"
26leakspeed: "30s"
27capacity: 5
28groupby: evt.Meta.source_ip
29distinct: evt.Meta.username
30blackhole: 1m
31reprocess: true
32labels:
33  service: uptime-kuma
34  classification:
35    - attack.T1589
36    - attack.T1110
37  behavior: "http:bruteforce"
38  label: "Uptime Kuma User Enumeration"
39  spoofable: 0
40  confidence: 3
41  remediation: true
42

Hub configuration

« uptime-kuma-bf »v0.2 by timokoesslerAttack scenarioremediation:trueservice:uptime-kumaspoofable:0MITRE:T1110confidence:3

« uptime-kuma-bf »
v0.2 by timokoessler
Attack scenarioremediation:trueservice:uptime-kumaspoofable:0MITRE:T1110confidence:3