Guacamole Two Users Sharing Session Anomaly
Detects suspicious session with two users present
Sigma rule (View on GitHub)
1title: Guacamole Two Users Sharing Session Anomaly
2id: 1edd77db-0669-4fef-9598-165bda82826d
3status: test
4description: Detects suspicious session with two users present
5references:
6 - https://research.checkpoint.com/2020/apache-guacamole-rce/
7author: Florian Roth (Nextron Systems)
8date: 2020-07-03
9modified: 2021-11-27
10tags:
11 - attack.credential-access
12 - attack.t1212
13logsource:
14 product: linux
15 service: guacamole
16detection:
17 selection:
18 - '(2 users now present)'
19 condition: selection
20falsepositives:
21 - Unknown
22level: high
References
Related rules
- Audit CVE Event
- Kerberos Manipulation
- Suspicious NTLM Authentication on the Printer Spooler Service
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript