Cleartext Protocol Usage Via Netflow

Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that encryption is used for all sensitive information in transit. Ensure that encrypted channels are used for all administrative account access.

Sigma rule (View on GitHub)

title: Cleartext Protocol Usage Via Netflow
id: 7e4bfe58-4a47-4709-828d-d86c78b7cc1f
status: stable
description: |
  Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels
  Ensure that an encryption is used for all sensitive information in transit.
  Ensure that an encrypted channels is used for all administrative account access.
references:
    - https://www.cisecurity.org/controls/cis-controls-list/
    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
author: Alexandr Yampolskyi, SOC Prime
date: 2019-03-26
modified: 2022-11-18
tags:
    - attack.credential-access
    # - CSC4
    # - CSC4.5
    # - CSC14
    # - CSC14.4
    # - CSC16
    # - CSC16.5
    # - NIST CSF 1.1 PR.AT-2
    # - NIST CSF 1.1 PR.MA-2
    # - NIST CSF 1.1 PR.PT-3
    # - NIST CSF 1.1 PR.AC-1
    # - NIST CSF 1.1 PR.AC-4
    # - NIST CSF 1.1 PR.AC-5
    # - NIST CSF 1.1 PR.AC-6
    # - NIST CSF 1.1 PR.AC-7
    # - NIST CSF 1.1 PR.DS-1
    # - NIST CSF 1.1 PR.DS-2
    # - ISO 27002-2013 A.9.2.1
    # - ISO 27002-2013 A.9.2.2
    # - ISO 27002-2013 A.9.2.3
    # - ISO 27002-2013 A.9.2.4
    # - ISO 27002-2013 A.9.2.5
    # - ISO 27002-2013 A.9.2.6
    # - ISO 27002-2013 A.9.3.1
    # - ISO 27002-2013 A.9.4.1
    # - ISO 27002-2013 A.9.4.2
    # - ISO 27002-2013 A.9.4.3
    # - ISO 27002-2013 A.9.4.4
    # - ISO 27002-2013 A.8.3.1
    # - ISO 27002-2013 A.9.1.1
    # - ISO 27002-2013 A.10.1.1
    # - PCI DSS 3.2 2.1
    # - PCI DSS 3.2 8.1
    # - PCI DSS 3.2 8.2
    # - PCI DSS 3.2 8.3
    # - PCI DSS 3.2 8.7
    # - PCI DSS 3.2 8.8
    # - PCI DSS 3.2 1.3
    # - PCI DSS 3.2 1.4
    # - PCI DSS 3.2 4.3
    # - PCI DSS 3.2 7.1
    # - PCI DSS 3.2 7.2
    # - PCI DSS 3.2 7.3
logsource:
    service: netflow
detection:
    selection:
        destination.port:
            - 8080
            - 21
            - 80
            - 23
            - 50000
            - 1521
            - 27017
            - 1433
            - 11211
            - 3306
            - 15672
            - 5900
            - 5901
            - 5902
            - 5903
            - 5904
    condition: selection
falsepositives:
    - Unknown
level: low
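
The rule's selection applied to a few constructed flow records, as an added example that is not part of the Sigma rule or the original page. It groups matching flows by destination service so the most widely used cleartext endpoints surface first; every field name other than destination.port, and all addresses and byte counts, are assumptions.

```python
from collections import defaultdict

# destination.port values copied from the rule's selection.
CLEARTEXT_PORTS = {8080, 21, 80, 23, 50000, 1521, 27017, 1433, 11211, 3306,
                   15672, 5900, 5901, 5902, 5903, 5904}

# Constructed sample flows. Only destination.port comes from the rule; the
# other field names (ECS-style) and all values are assumptions.
SAMPLE_FLOWS = [
    {"source.ip": "10.0.1.15", "destination.ip": "10.0.5.20",
     "destination.port": 23, "network.bytes": 1840},
    {"source.ip": "10.0.1.16", "destination.ip": "10.0.5.20",
     "destination.port": 23, "network.bytes": 920},
    {"source.ip": "10.0.1.15", "destination.ip": "10.0.5.30",
     "destination.port": 443, "network.bytes": 5000},
    {"source.ip": "10.0.2.7", "destination.ip": "10.0.5.40",
     "destination.port": "3306", "network.bytes": 64000},  # port exported as text
    {"source.ip": "10.0.1.15", "destination.ip": "10.0.5.20",
     "destination.port": 23, "network.bytes": 300},
    {"source.ip": "10.0.2.9", "destination.ip": "10.0.5.50",
     "destination.port": None, "network.bytes": 120},      # port missing
]

def matches_selection(flow):
    """True when the flow satisfies the rule's 'selection' (port membership)."""
    try:
        return int(flow.get("destination.port")) in CLEARTEXT_PORTS
    except (TypeError, ValueError):
        return False  # missing or non-numeric port never matches

def triage(flows):
    """Group matching flows by (destination.ip, destination.port)."""
    groups = defaultdict(lambda: {"flows": 0, "bytes": 0, "sources": set()})
    for flow in flows:
        if not matches_selection(flow):
            continue
        entry = groups[(flow["destination.ip"], int(flow["destination.port"]))]
        entry["flows"] += 1
        entry["bytes"] += int(flow.get("network.bytes", 0))
        entry["sources"].add(flow["source.ip"])
    # Services reached by the most distinct sources first, then by flow count.
    return sorted(groups.items(),
                  key=lambda kv: (-len(kv[1]["sources"]), -kv[1]["flows"]))

if __name__ == "__main__":
    for (dst, port), g in triage(SAMPLE_FLOWS):
        print(f"{dst}:{port} flows={g['flows']} bytes={g['bytes']} "
              f"sources={sorted(g['sources'])}")
```

Because the rule keys on port number alone, a summary like this is a starting point for deciding which destinations to investigate or exclude, not proof that the traffic was unencrypted.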
