Linux.Detection.BruteForce :: Velociraptor

Edit this page

Linux.Detection.BruteForce

Linux detection brute force module. This code is based on https://github.com/RCarras/linforce/blob/main/linforce.sh

This module uses btmp/wtmp files to search for possible brute force attacks comparing:

Wtmp (successful attempts) and btmp (failed attempts) Logs.
Time interval between failed login attempts, and against successful logins.

Type of attacks:

Basic Brute Force Attack: multiple consecutive attempts from an IP.
Password Spraying: multiple consecutive attempts from different users with the same password.
Dynamic IP Attack: multiple consecutive attempts from different IPs.

Creators:

Rafael Carrasco: https://www.linkedin.com/in/rafael-carrasco-vilaplana-3199a492
David Rosado: https://www.linkedin.com/in/david-rosado-soria-4416b8230


name: Linux.Detection.BruteForce
description: | 

   Linux detection brute force module.
   This code is based on https://github.com/RCarras/linforce/blob/main/linforce.sh
      
   This module uses btmp/wtmp files to search for possible brute force attacks comparing:
   
   * Wtmp (successful attempts) and btmp (failed attempts) Logs.
   * Time interval between failed login attempts, and against successful logins.
   
   Type of attacks:
   
   * Basic Brute Force Attack: multiple consecutive attempts from an IP.
   * Password Spraying: multiple consecutive attempts from different users with the same password.  
   * Dynamic IP Attack: multiple consecutive attempts from different IPs.

   Creators:
  
   * Rafael Carrasco: https://www.linkedin.com/in/rafael-carrasco-vilaplana-3199a492
   * David Rosado: https://www.linkedin.com/in/david-rosado-soria-4416b8230

type: client

parameters: 
   - name: "brutevar"
     description: "Number of attempts to consider as brute force"
     default: "80"
   - name: "intervalvar"
     description: "Time interval between attempts to be considered as consecutive"
     default: "45"
   - name: "min_timestamp"
     description: "Initial timestamp for the analysis in the format YYYYmmddHHMMSS"
     default: "20220901000000" 
   - name: "max_timestamp"
     description: "Maximum timestamp for the analysis in the format YYYYmmddHHMMSS"
     default: "20301231000000"
     


tools:
   - name: linforce
     url: https://raw.githubusercontent.com/RCarras/linforce/main/linforce.sh
     expected_hash: 998f65cc9f9eef746c38a165e86317e502a0915161df824ad935613e0ad74b0d
     
sources:
   - name: btmp.logs
     query: |
      -- Download tool
      LET LinforceTool <= SELECT FullPath FROM Artifact.Generic.Utils.FetchBinary(ToolName="linforce", IsExecutable=TRUE)
      
      -- Delete output after the module end
      LET outputPath <= tempdir(remove_last=TRUE)
      
      -- Execute the script as root and capture the output
      LET _ <= SELECT * FROM execve(argv=["sudo", "/bin/bash", LinforceTool.FullPath[0], "-b", brutevar, "-t", intervalvar, "-i", min_timestamp, "-m", max_timestamp, "-o", outputPath])

      -- Parse output     
      SELECT * 
      FROM split_records(filenames=outputPath+"/btmp.logs", first_row_is_headers=true)
       
   - name: wtmp.logs
     query: |
       SELECT *
       FROM split_records(filenames=outputPath+"/wtmp.logs", first_row_is_headers=true)
       
   - name: hits_login
     query: |
       SELECT * 
       FROM parse_lines(filename=outputPath+"/hits_login")
         
   - name: brute_force_attempts.log
     query: |
       SELECT * 
       FROM parse_lines(filename=outputPath+"/brute_force_attempts.log")
      
   - name: red_zone_attempts.log
     query: |
       SELECT * 
       FROM parse_lines(filename=outputPath+"/red_zone_attempts.log")