Guacamole Two Users Sharing Session Anomaly

Detects suspicious session with two users present

Sigma rule (View on GitHub)

 1title: Guacamole Two Users Sharing Session Anomaly
 2id: 1edd77db-0669-4fef-9598-165bda82826d
 3status: test
 4description: Detects suspicious session with two users present
 5references:
 6    - https://research.checkpoint.com/2020/apache-guacamole-rce/
 7author: Florian Roth (Nextron Systems)
 8date: 2020/07/03
 9modified: 2021/11/27
10tags:
11    - attack.credential_access
12    - attack.t1212
13logsource:
14    product: linux
15    service: guacamole
16detection:
17    selection:
18        - '(2 users now present)'
19    condition: selection
20falsepositives:
21    - Unknown
22level: high

References

Related rules

to-top