Guacamole Two Users Sharing Session Anomaly

 1title: Guacamole Two Users Sharing Session Anomaly
 2id: 1edd77db-0669-4fef-9598-165bda82826d
 3status: test
 4description: Detects suspicious session with two users present
 5references:
 6    - https://research.checkpoint.com/2020/apache-guacamole-rce/
 7author: Florian Roth (Nextron Systems)
 8date: 2020-07-03
 9modified: 2021-11-27
10tags:
11    - attack.credential-access
12    - attack.t1212
13logsource:
14    product: linux
15    service: guacamole
16detection:
17    selection:
18        - '(2 users now present)'
19    condition: selection
20falsepositives:
21    - Unknown
22level: high

References

• Would you like some RCE with your Guacamole? - Check Point Research

  

  Research by: Eyal Itkin Overview In many companies, the daily routine involves coming to the office each day to work on your company computer, safely inside the corporate network. Once in a while, a worker may need special offsite access and will connect to the company’s network remotely, using one of several available tools. However, since […]

  
  Read More

Related rules

• Audit CVE Event
• GALLIUM IOCs
• Kerberos Manipulation
• Suspicious NTLM Authentication on the Printer Spooler Service
• AADInternals PowerShell Cmdlets Execution - ProccessCreation