Guacamole Two Users Sharing Session Anomaly
Detects suspicious session with two users present
Sigma rule
title: Guacamole Two Users Sharing Session Anomaly
id: 1edd77db-0669-4fef-9598-165bda82826d
status: test
description: Detects suspicious session with two users present
references:
    - https://research.checkpoint.com/2020/apache-guacamole-rce/
author: Florian Roth (Nextron Systems)
date: 2020/07/03
modified: 2021/11/27
tags:
    - attack.credential_access
    - attack.t1212
logsource:
    product: linux
    service: guacamole
detection:
    selection:
        - '(2 users now present)'
    condition: selection
falsepositives:
    - Unknown
level: high