OpenCanary - NTP Monlist Request
Detects instances where an NTP service on an OpenCanary node has had a NTP monlist request.
Sigma rule (View on GitHub)
1title: OpenCanary - NTP Monlist Request
2id: 7cded4b3-f09e-405a-b96f-24248433ba44
3status: experimental
4description: Detects instances where an NTP service on an OpenCanary node has had a NTP monlist request.
5references:
6 - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
7 - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
8author: Security Onion Solutions
9date: 2024-03-08
10tags:
11 - attack.impact
12 - attack.t1498
13logsource:
14 category: application
15 product: opencanary
16detection:
17 selection:
18 logtype: 11001
19 condition: selection
20falsepositives:
21 - Unlikely
22level: high
References
-
Configuration Since we have many services, and each service has a few options, we have listed them all for you. Services Configuration We have gone ahead and listed all the services by their config...
Read More -
Modular and decentralised honeypot. Contribute to thinkst/opencanary development by creating an account on GitHub.
Read More
Related rules
- Potential BlackByte Ransomware Activity
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AWS EC2 Disable EBS Encryption
- AWS EFS Fileshare Modified or Deleted