Cleartext Protocol Usage
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that encryption is used for all sensitive information in transit. Ensure that an encrypted channel is used for all administrative account access.
Sigma rule
title: Cleartext Protocol Usage
id: d7fb8f0e-bd5f-45c2-b467-19571c490d7e
status: stable
description: |
    Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
    Ensure that encryption is used for all sensitive information in transit. Ensure that an encrypted channel is used for all administrative account access.
references:
    - https://www.cisecurity.org/controls/cis-controls-list/
    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
author: Alexandr Yampolskyi, SOC Prime, Tim Shelton
date: 2019-03-26
modified: 2022-10-10
tags:
    - attack.credential-access
    # - CSC4
    # - CSC4.5
    # - CSC14
    # - CSC14.4
    # - CSC16
    # - CSC16.5
    # - NIST CSF 1.1 PR.AT-2
    # - NIST CSF 1.1 PR.MA-2
    # - NIST CSF 1.1 PR.PT-3
    # - NIST CSF 1.1 PR.AC-1
    # - NIST CSF 1.1 PR.AC-4
    # - NIST CSF 1.1 PR.AC-5
    # - NIST CSF 1.1 PR.AC-6
    # - NIST CSF 1.1 PR.AC-7
    # - NIST CSF 1.1 PR.DS-1
    # - NIST CSF 1.1 PR.DS-2
    # - ISO 27002-2013 A.9.2.1
    # - ISO 27002-2013 A.9.2.2
    # - ISO 27002-2013 A.9.2.3
    # - ISO 27002-2013 A.9.2.4
    # - ISO 27002-2013 A.9.2.5
    # - ISO 27002-2013 A.9.2.6
    # - ISO 27002-2013 A.9.3.1
    # - ISO 27002-2013 A.9.4.1
    # - ISO 27002-2013 A.9.4.2
    # - ISO 27002-2013 A.9.4.3
    # - ISO 27002-2013 A.9.4.4
    # - ISO 27002-2013 A.8.3.1
    # - ISO 27002-2013 A.9.1.1
    # - ISO 27002-2013 A.10.1.1
    # - PCI DSS 3.2 2.1
    # - PCI DSS 3.2 8.1
    # - PCI DSS 3.2 8.2
    # - PCI DSS 3.2 8.3
    # - PCI DSS 3.2 8.7
    # - PCI DSS 3.2 8.8
    # - PCI DSS 3.2 1.3
    # - PCI DSS 3.2 1.4
    # - PCI DSS 3.2 4.3
    # - PCI DSS 3.2 7.1
    # - PCI DSS 3.2 7.2
    # - PCI DSS 3.2 7.3
logsource:
    category: firewall
detection:
    selection:
        dst_port:
            - 8080
            - 21
            - 80
            - 23
            - 50000
            - 1521
            - 27017
            - 3306
            - 1433
            - 11211
            - 15672
            - 5900
            - 5901
            - 5902
            - 5903
            - 5904
    selection_allow1:
        action:
            - forward
            - accept
            - 2
    selection_allow2:
        blocked: "false" # not all firewalls set an action value; some only flag the event as blocked or allowed
    condition: selection and 1 of selection_allow*
falsepositives:
    - Unknown
level: low
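To show what the rule's `selection and 1 of selection_allow*` condition actually matches, here is an added example (not from the Sigma project) that evaluates the same logic in Python over constructed firewall events; the field names `dst_port`, `action` and `blocked` are taken from the rule, the sample IPs are made up, and the case-insensitive string comparison is an assumption about how a backend would compile the rule.

```python
"""Evaluate the 'Cleartext Protocol Usage' Sigma logic over firewall events.

Added example; the event records below are constructed and the field names
mirror the rule (dst_port, action, blocked).
"""

# Destination ports the rule treats as cleartext services (from the rule).
CLEARTEXT_PORTS = {8080, 21, 80, 23, 50000, 1521, 27017, 3306, 1433,
                   11211, 15672, 5900, 5901, 5902, 5903, 5904}

# selection_allow1: action values meaning the firewall let the traffic through.
ALLOW_ACTIONS = {"forward", "accept", "2"}


def matches(event: dict) -> bool:
    """Return True when the event satisfies `selection and 1 of selection_allow*`."""
    # selection: destination port must be one of the listed cleartext ports.
    try:
        port = int(event.get("dst_port"))
    except (TypeError, ValueError):
        return False
    if port not in CLEARTEXT_PORTS:
        return False
    # selection_allow1: action field says the traffic was allowed.
    # Assumption: values are compared case-insensitively as strings, so the
    # numeric 2 in the rule is matched against "2".
    allow1 = str(event.get("action", "")).lower() in ALLOW_ACTIONS
    # selection_allow2: some firewalls only expose a blocked flag; "false" means allowed.
    allow2 = str(event.get("blocked", "")).lower() == "false"
    # '1 of selection_allow*' is an OR over the two allow selections.
    return allow1 or allow2


# Constructed sample events covering allowed, denied and missing-field cases.
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.1.20", "dst_port": 23, "action": "accept"},
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.1.20", "dst_port": 23, "action": "deny"},
    {"src_ip": "10.0.0.9", "dst_ip": "10.0.1.30", "dst_port": 3306, "blocked": "false"},
    {"src_ip": "10.0.0.9", "dst_ip": "10.0.1.30", "dst_port": 443, "action": "accept"},
    {"src_ip": "10.0.0.7", "dst_ip": "10.0.1.40", "dst_port": "21", "action": 2},
    {"src_ip": "10.0.0.7", "dst_ip": "10.0.1.40", "dst_port": 80, "blocked": "true"},
]


def alerting_events(events):
    """Return (src_ip, dst_ip, dst_port) for every event that triggers the rule."""
    return [(e["src_ip"], e["dst_ip"], int(e["dst_port"])) for e in events if matches(e)]


if __name__ == "__main__":
    for hit in alerting_events(SAMPLE_EVENTS):
        print("cleartext service allowed:", hit)
```

Note that the last event (port 80, `blocked: "true"`, no `action` field) does not fire, while an event carrying only `blocked: "false"` does; that is the gap the second allow selection closes for firewalls that never populate `action`.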