Cleartext Protocol Usage

Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that encryption is used for all sensitive information in transit. Ensure that encrypted channels are used for all administrative account access. The rule below approximates this control from firewall logs: it flags any allowed flow whose destination port belongs to a protocol that normally carries credentials or data in cleartext (Telnet, FTP, HTTP, VNC, unencrypted database and cache listeners). It does not inspect the payload, so a hit means "a connection to a cleartext-protocol port was permitted", not "credentials were observed in cleartext".

Sigma rule

title: Cleartext Protocol Usage
id: d7fb8f0e-bd5f-45c2-b467-19571c490d7e
status: stable
description: |
    Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
    Ensure that encryption is used for all sensitive information in transit. Ensure that encrypted channels are used for all administrative account access.
references:
    - https://www.cisecurity.org/controls/cis-controls-list/
    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
author: Alexandr Yampolskyi, SOC Prime, Tim Shelton
date: 2019/03/26
modified: 2022/10/10
tags:
    - attack.credential_access
    # - CSC4
    # - CSC4.5
    # - CSC14
    # - CSC14.4
    # - CSC16
    # - CSC16.5
    # - NIST CSF 1.1 PR.AT-2
    # - NIST CSF 1.1 PR.MA-2
    # - NIST CSF 1.1 PR.PT-3
    # - NIST CSF 1.1 PR.AC-1
    # - NIST CSF 1.1 PR.AC-4
    # - NIST CSF 1.1 PR.AC-5
    # - NIST CSF 1.1 PR.AC-6
    # - NIST CSF 1.1 PR.AC-7
    # - NIST CSF 1.1 PR.DS-1
    # - NIST CSF 1.1 PR.DS-2
    # - ISO 27002-2013 A.9.2.1
    # - ISO 27002-2013 A.9.2.2
    # - ISO 27002-2013 A.9.2.3
    # - ISO 27002-2013 A.9.2.4
    # - ISO 27002-2013 A.9.2.5
    # - ISO 27002-2013 A.9.2.6
    # - ISO 27002-2013 A.9.3.1
    # - ISO 27002-2013 A.9.4.1
    # - ISO 27002-2013 A.9.4.2
    # - ISO 27002-2013 A.9.4.3
    # - ISO 27002-2013 A.9.4.4
    # - ISO 27002-2013 A.8.3.1
    # - ISO 27002-2013 A.9.1.1
    # - ISO 27002-2013 A.10.1.1
    # - PCI DSS 3.2 2.1
    # - PCI DSS 3.2 8.1
    # - PCI DSS 3.2 8.2
    # - PCI DSS 3.2 8.3
    # - PCI DSS 3.2 8.7
    # - PCI DSS 3.2 8.8
    # - PCI DSS 3.2 1.3
    # - PCI DSS 3.2 1.4
    # - PCI DSS 3.2 4.3
    # - PCI DSS 3.2 7.1
    # - PCI DSS 3.2 7.2
    # - PCI DSS 3.2 7.3
logsource:
    category: firewall
detection:
    selection:
        # destination ports of protocols that normally carry credentials or data unencrypted
        dst_port:
            - 8080
            - 21
            - 80
            - 23
            - 50000
            - 1521
            - 27017
            - 3306
            - 1433
            - 11211
            - 15672
            - 5900
            - 5901
            - 5902
            - 5903
            - 5904
    selection_allow1:
        action:
            - forward
            - accept
            - 2 # some vendors log the action as a numeric code
    selection_allow2:
        blocked: "false" # not all firewalls set an action field; some only mark whether the flow was blocked
    condition: selection and 1 of selection_allow*
falsepositives:
    - Unknown
level: low
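
The following is an added example, not part of the rule or the SigmaHQ project: it re-implements the rule's `selection and 1 of selection_allow*` condition in Python and runs it over a handful of constructed firewall events, so you can see which events fire and why. Field names (`dst_port`, `action`, `blocked`) are the ones the rule itself uses; the sample events and `src_ip`/`dst_ip` fields are made up for illustration.

```python
"""Evaluate the 'Cleartext Protocol Usage' Sigma logic over sample firewall events.

Added example: a hand-written evaluator that mirrors the rule's detection
section, not a Sigma backend. Sample events are constructed, not real logs.
"""
from typing import Iterable, List

# Mirrors the rule's `selection` list: destination ports of protocols that
# commonly carry credentials or data without transport encryption.
CLEARTEXT_PORTS = {
    8080, 21, 80, 23, 50000, 1521, 27017, 3306, 1433, 11211, 15672,
    5900, 5901, 5902, 5903, 5904,
}

# `selection_allow1`: action values meaning the firewall let the flow through.
# The rule lists `2` because some vendors log a numeric action code.
ALLOW_ACTIONS = {"forward", "accept", "2"}


def _norm(value):
    """Sigma string matching is case-insensitive and does not distinguish
    the number 2 from the string "2"; normalise both the same way."""
    if value is None:
        return None
    return str(value).strip().lower()


def matches_rule(event: dict) -> bool:
    """True when the event satisfies `selection and 1 of selection_allow*`."""
    try:
        dst_port = int(event.get("dst_port"))
    except (TypeError, ValueError):
        return False  # no usable port: `selection` cannot match
    if dst_port not in CLEARTEXT_PORTS:
        return False
    allow1 = _norm(event.get("action")) in ALLOW_ACTIONS
    # `selection_allow2`: log sources that carry only a blocked flag.
    allow2 = _norm(event.get("blocked")) == "false"
    return allow1 or allow2


def run_detection(events: Iterable[dict]) -> List[dict]:
    """Return the events that would raise this (level: low) alert."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real logs), using the rule's field names.
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "dst_port": 23, "action": "accept"},    # telnet, allowed
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "dst_port": 23, "action": "deny"},      # telnet, blocked
    {"src_ip": "10.0.0.6", "dst_ip": "10.0.0.30", "dst_port": 3306, "blocked": "false"},  # mysql, allowed, no action field
    {"src_ip": "10.0.0.6", "dst_ip": "10.0.0.30", "dst_port": 3306, "blocked": "true"},   # mysql, blocked
    {"src_ip": "10.0.0.7", "dst_ip": "10.0.0.40", "dst_port": 443, "action": "accept"},   # https, not in scope
    {"src_ip": "10.0.0.8", "dst_ip": "10.0.0.50", "dst_port": "21", "action": 2},         # ftp, numeric action code
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"{hit['src_ip']} -> {hit['dst_ip']}:{hit['dst_port']} allowed on a cleartext-protocol port")
```

Three of the six sample events fire: the accepted Telnet flow, the MySQL flow whose log only carries `blocked: "false"`, and the FTP flow logged with the numeric action `2`. The denied flows and the HTTPS flow do not. Note what the match does not tell you: port 80 and 8080 traffic to ordinary web servers will trip the rule constantly, which is why it is `level: low`; in practice you would scope it to administrative sources or sensitive destinations, or treat it as an inventory of where TLS is still missing rather than as an alert.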
