saving uncommitted changes in /etc prior to dnf run

crowdsec/hub/collections/crowdsecurity/http-cve.yaml

@@ -22,7 +22,9 @@ scenarios:
   - crowdsecurity/CVE-2022-44877
   - crowdsecurity/CVE-2019-18935
   - crowdsecurity/netgear_rce
+  - crowdsecurity/CVE-2023-22515
 author: crowdsecurity
+description: "Detect CVE exploitation in http logs"
 tags:
   - web
   - exploit

crowdsec/hub/parsers/s02-enrich/crowdsecurity/http-logs.yaml

@@ -30,4 +30,4 @@ nodes:
         - parsed: file_name
           expression: evt.Parsed.file_frag + evt.Parsed.file_ext
         - parsed: static_ressource
-          expression: "Upper(evt.Parsed.file_ext) in ['.JPG', '.CSS', '.JS', '.JPEG', '.PNG', '.SVG', '.MAP', '.ICO', '.OTF', '.GIF', '.MP3', '.MP4', '.WOFF', '.WOFF2', '.TTF', '.OTF', '.EOT', '.WEBP', '.WAV', '.GZ', '.BROTLI', '.BVR', '.TS', '.BMP'] ? 'true' : 'false'"
+          expression: "Upper(evt.Parsed.file_ext) in ['.JPG', '.CSS', '.JS', '.JPEG', '.PNG', '.SVG', '.MAP', '.ICO', '.OTF', '.GIF', '.MP3', '.MP4', '.WOFF', '.WOFF2', '.TTF', '.OTF', '.EOT', '.WEBP', '.WAV', '.GZ', '.BROTLI', '.BVR', '.TS', '.BMP', '.AVIF'] ? 'true' : 'false'"

crowdsec/hub/scenarios/crowdsecurity/CVE-2019-18935.yaml

@@ -9,3 +9,12 @@ blackhole: 2m
 labels:
   type: exploit
   remediation: true
+  classification:
+    - attack.T1595
+    - attack.T1190
+    - cve.CVE-2019-18935
+  spoofable: 0
+  confidence: 3
+  behavior: "http:exploit"
+  label: "Telerik CVE-2019-18935"
+  service: telerik

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-26134.yaml

@@ -8,3 +8,12 @@ groupby: "evt.Meta.source_ip"
 labels:
   type: exploit
   remediation: true
+  classification:
+    - attack.T1595
+    - attack.T1190
+    - cve.CVE-2022-26134
+  spoofable: 0
+  confidence: 3
+  behavior: "http:exploit"
+  service: atlassian-confluence
+  label: "Confluence CVE-2022-26134"

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-35914.yaml

@@ -8,3 +8,12 @@ groupby: "evt.Meta.source_ip"
 labels:
   type: exploit
   remediation: true
+  classification:
+    - attack.T1595
+    - attack.T1190
+    - cve.CVE-2022-35914
+  spoofable: 0
+  confidence: 3
+  behavior: "http:exploit"
+  service: glpi
+  label: "GLPI CVE-2022-35914"

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-37042.yaml

@@ -3,16 +3,24 @@ type: trigger
 name: crowdsecurity/CVE-2022-37042
 description: "Detect CVE-2022-37042 exploits"
 filter: |
-    (
-    Upper(evt.Meta.http_path) contains Upper('/service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1') ||
-    Upper(evt.Meta.http_path) contains Upper('/service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd') 
-    )
-    and evt.Meta.http_status startsWith ('40') and
-    Upper(evt.Meta.http_verb) == 'POST'
-
+  (
+  Upper(evt.Meta.http_path) contains Upper('/service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1') ||
+  Upper(evt.Meta.http_path) contains Upper('/service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd') 
+  )
+  and evt.Meta.http_status startsWith ('40') and
+  Upper(evt.Meta.http_verb) == 'POST'
 
 blackhole: 2m
 groupby: "evt.Meta.source_ip"
 labels:
   type: exploit
   remediation: true
+  classification:
+    - attack.T1595
+    - attack.T1190
+    - cve.CVE-2022-37042
+  spoofable: 0
+  confidence: 3
+  behavior: "http:exploit"
+  label: "ZCS CVE-2022-37042"
+  service: zimbra

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-40684.yaml

@@ -8,4 +8,12 @@ groupby: "evt.Meta.source_ip"
 blackhole: 2m
 labels:
   type: exploit
-  remediation: true
+  remediation: true
+  classification:
+    - attack.T1548
+    - cve.CVE-2022-40684
+  spoofable: 0
+  confidence: 3
+  behavior: "http:exploit"
+  label: "Fortinet CVE-2022-40684"
+  service: fortinet

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-41082.yaml

@@ -3,11 +3,20 @@ type: trigger
 name: crowdsecurity/CVE-2022-41082
 description: "Detect CVE-2022-41082 exploits"
 filter: |
-    Upper(evt.Meta.http_path) contains Upper('/autodiscover/autodiscover.json') &&
-    Upper(evt.Parsed.http_args) contains Upper('powershell')
+  Upper(evt.Meta.http_path) contains Upper('/autodiscover/autodiscover.json') &&
+  Upper(evt.Parsed.http_args) contains Upper('powershell')
 
 blackhole: 1m
 groupby: "evt.Meta.source_ip"
 labels:
   type: exploit
   remediation: true
+  classification:
+    - attack.T1595
+    - attack.T1190
+    - cve.CVE-2022-41082
+  spoofable: 0
+  confidence: 3
+  behavior: "http:exploit"
+  service: exchange
+  label: "Microsoft Exchange CVE-2022-41082"

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-41697.yaml

@@ -2,13 +2,21 @@ type: leaky
 name: crowdsecurity/CVE-2022-41697
 description: "Detect CVE-2022-41697 enumeration"
 filter: |
-    Upper(evt.Meta.http_path) contains Upper('/ghost/api/admin/session') &&
-    Upper(evt.Parsed.verb) == 'POST' &&
-    evt.Meta.http_status == '404'
+  Upper(evt.Meta.http_path) contains Upper('/ghost/api/admin/session') &&
+  Upper(evt.Parsed.verb) == 'POST' &&
+  evt.Meta.http_status == '404'
 leakspeed: "10s"
 capacity: 5
 blackhole: 1m
 groupby: "evt.Meta.source_ip"
 labels:
   type: exploit
-  remediation: true
+  remediation: true
+  classification:
+    - attack.T1589
+    - cve.CVE-2022-41697
+  spoofable: 0
+  confidence: 3
+  behavior: "http:exploit"
+  label: "Ghost CVE-2022-41697"
+  service: ghost

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-42889.yaml

@@ -9,9 +9,18 @@ filter: |
   or
   Upper(PathUnescape(evt.Meta.http_path)) contains Upper('${url:UTF-8:') 
   or
-  Upper(PathUnescape(evt.Meta.http_path)) contains Upper('${dns:address|') 
+  Upper(PathUnescape(evt.Meta.http_path)) contains Upper('${dns:address|')
 blackhole: 1m
 groupby: "evt.Meta.source_ip"
 labels:
   type: exploit
   remediation: true
+  classification:
+    - attack.T1595
+    - attack.T1190
+    - cve.CVE-2022-42889
+  spoofable: 0
+  confidence: 3
+  behavior: "http:exploit"
+  label: "Text4Shell CVE-2022-42889"
+  service: apache

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-44877.yaml

@@ -3,13 +3,22 @@ type: trigger
 name: crowdsecurity/CVE-2022-44877
 description: "Detect CVE-2022-44877 exploits"
 filter: |
-    Lower(evt.Meta.http_path) contains '/index.php' &&
-    Upper(evt.Parsed.verb) == 'POST' &&
-    evt.Meta.http_status == '302' &&
-    Lower(evt.Parsed.http_args) matches 'login=.*[$|%24][\\(|%28].*[\\)|%29]'
+  Lower(evt.Meta.http_path) contains '/index.php' &&
+  Upper(evt.Parsed.verb) == 'POST' &&
+  evt.Meta.http_status == '302' &&
+  Lower(evt.Parsed.http_args) matches 'login=.*[$|%24][\\(|%28].*[\\)|%29]'
 
 blackhole: 1m
 groupby: "evt.Meta.source_ip"
 labels:
   type: exploit
   remediation: true
+  classification:
+    - attack.T1595
+    - attack.T1190
+    - cve.CVE-2022-44877
+  spoofable: 0
+  confidence: 3
+  behavior: "http:exploit"
+  label: "Centos Webpanel CVE-2022-44877"
+  service: centos

crowdsec/hub/scenarios/crowdsecurity/CVE-2022-46169.yaml

@@ -2,10 +2,10 @@ type: leaky
 name: crowdsecurity/CVE-2022-46169-bf
 description: "Detect CVE-2022-46169 brute forcing"
 filter: |
-    Upper(evt.Meta.http_path) contains Upper('/remote_agent.php') &&
-    Upper(evt.Parsed.verb) == 'GET' &&
-    Lower(evt.Parsed.http_args) contains 'host_id' &&
-    Lower(evt.Parsed.http_args) contains 'local_data_ids'
+  Upper(evt.Meta.http_path) contains Upper('/remote_agent.php') &&
+  Upper(evt.Parsed.verb) == 'GET' &&
+  Lower(evt.Parsed.http_args) contains 'host_id' &&
+  Lower(evt.Parsed.http_args) contains 'local_data_ids'
 leakspeed: "10s"
 capacity: 5
 blackhole: 1m
@@ -13,17 +13,34 @@ groupby: "evt.Meta.source_ip"
 labels:
   type: exploit
   remediation: true
+  classification:
+    - attack.T1592
+    - cve.CVE-2022-46169
+  spoofable: 0
+  confidence: 3
+  behavior: "http:bruteforce"
+  label: "Cacti CVE-2022-46169"
+  service: cacti
 ---
 type: trigger
 name: crowdsecurity/CVE-2022-46169-cmd
 description: "Detect CVE-2022-46169 cmd injection"
 filter: |
-    Upper(evt.Meta.http_path) contains Upper('/remote_agent.php') &&
-    Upper(evt.Parsed.verb) == 'GET' &&
-    Lower(evt.Parsed.http_args) contains 'action=polldata' &&
-    Lower(evt.Parsed.http_args) matches 'poller_id=.*(;|%3b)'
+  Upper(evt.Meta.http_path) contains Upper('/remote_agent.php') &&
+  Upper(evt.Parsed.verb) == 'GET' &&
+  Lower(evt.Parsed.http_args) contains 'action=polldata' &&
+  Lower(evt.Parsed.http_args) matches 'poller_id=.*(;|%3b)'
 blackhole: 1m
 groupby: "evt.Meta.source_ip"
 labels:
   type: exploit
-  remediation: true
+  remediation: true
+  classification:
+    - attack.T1595
+    - attack.T1190
+    - cve.CVE-2022-46169
+  spoofable: 0
+  confidence: 3
+  behavior: "http:exploit"
+  label: "Cacti CVE-2022-46169"
+  service: cacti

crowdsec/hub/scenarios/crowdsecurity/CVE-2023-22515.yaml

@@ -0,0 +1,22 @@
+## CVE-2023-22515
+type: trigger
+name: crowdsecurity/CVE-2023-22515
+description: "Detect CVE-2023-22515 exploitation"
+filter: |
+  Lower(evt.Parsed.file_ext) == '.action' &&
+  (Lower(evt.Parsed.file_dir) contains '/setup' || Lower(evt.Parsed.file_frag) == 'server-info') &&
+  evt.Parsed.file_frag != nil
+blackhole: 1m
+groupby: "evt.Meta.source_ip"
+labels:
+  type: exploit
+  remediation: true
+  classification:
+    - attack.T1595
+    - attack.T1190
+    - cve.CVE-2023-22515
+  spoofable: 0
+  confidence: 1
+  behavior: "http:exploit"
+  label: "Confluence CVE-2023-22515"
+  service: confluence

crowdsec/hub/scenarios/crowdsecurity/apache_log4j2_cve-2021-44228.yaml

@@ -19,5 +19,13 @@ data:
 groupby: "evt.Meta.source_ip"
 blackhole: 2m
 labels:
-  type: exploit
+  service: apache
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1595
+    - attack.T1190
+    - cve.CVE-2021-44228
+  behavior: "http:exploit"
+  label: "Log4j CVE-2021-44228"
   remediation: true

crowdsec/hub/scenarios/crowdsecurity/f5-big-ip-cve-2020-5902.yaml

@@ -12,5 +12,13 @@ filter: |
 groupby: "evt.Meta.source_ip"
 blackhole: 2m
 labels:
-  type: exploit
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1190
+    - attack.T1595
+    - cve.CVE-2020-5902
+  behavior: "http:exploit"
+  label: "CVE-2020-5902"
   remediation: true
+  service: f5

crowdsec/hub/scenarios/crowdsecurity/fortinet-cve-2018-13379.yaml

@@ -8,5 +8,13 @@ filter: |
 groupby: "evt.Meta.source_ip"
 blackhole: 2m
 labels:
-  type: exploit
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1190
+    - attack.T1595
+    - cve.CVE-2018-13379
+  behavior: "http:exploit"
+  label: "CVE-2018-13379"
   remediation: true
+  service: fortinet

crowdsec/hub/scenarios/crowdsecurity/grafana-cve-2021-43798.yaml

@@ -10,5 +10,13 @@ filter: |
 groupby: "evt.Meta.source_ip"
 blackhole: 2m
 labels:
-  type: exploit
+  service: grafana
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1190
+    - attack.T1595
+    - cve.CVE-2021-43798
+  behavior: "http:exploit"
+  label: "CVE-2021-43798"
   remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-backdoors-attempts.yaml

@@ -13,6 +13,11 @@ capacity: 1
 leakspeed: 5s
 blackhole: 5m
 labels:
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1595
+  behavior: "http:exploit"
+  label: "scanning for backdoors"
   service: http
-  type: discovery
   remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-bad-user-agent.yaml

@@ -16,5 +16,11 @@ leakspeed: 1m
 groupby: "evt.Meta.source_ip"
 blackhole: 2m
 labels:
-  type: scan
+  confidence: 1
+  spoofable: 0
+  classification:
+    - attack.T1595
+  behavior: "http:scan"
+  label: "detection of bad user-agents"
+  service: http
   remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-crawl-non_statics.yaml

@@ -11,6 +11,11 @@ cache_size: 5
 groupby: "evt.Meta.source_ip + '/' + evt.Parsed.target_fqdn"
 blackhole: 1m
 labels:
- service: http
- type: crawl
- remediation: true
+  confidence: 1
+  spoofable: 0
+  classification:
+    - attack.T1595
+  behavior: "http:crawl"
+  service: http
+  label: "detection of aggressive crawl"
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-cve-2021-41773.yaml

@@ -11,5 +11,13 @@ filter: |
 groupby: "evt.Meta.source_ip"
 blackhole: 2m
 labels:
-  type: scan
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1190
+    - attack.T1595
+    - cve.CVE-2021-41773
+  behavior: "http:exploit"
+  label: "CVE-2021-41773"
+  service: apache
   remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-cve-2021-42013.yaml

@@ -10,5 +10,13 @@ filter: |
 groupby: "evt.Meta.source_ip"
 blackhole: 2m
 labels:
-  type: scan
+  service: apache
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1190
+    - attack.T1595
+    - cve.CVE-2021-42013
+  behavior: "http:exploit"
+  label: "CVE-2021-42013"
   remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-generic-bf.yaml

@@ -9,9 +9,14 @@ capacity: 5
 leakspeed: "10s"
 blackhole: 1m
 labels:
- service: http
- type: bf
- remediation: true
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1110
+  behavior: "http:bruteforce"
+  label: "http bruteforce"
+  service: http
+  remediation: true
 ---
 # Generic 401 Authorization Errors
 type: leaky
@@ -24,9 +29,14 @@ capacity: 5
 leakspeed: "10s"
 blackhole: 1m
 labels:
- service: http
- type: bf
- remediation: true
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1110
+  behavior: "http:bruteforce"
+  label: "http bruteforce"
+  service: http
+  remediation: true
 ---
 # Generic 403 Forbidden (Authorization) Errors
 type: leaky
@@ -39,6 +49,11 @@ capacity: 5
 leakspeed: "10s"
 blackhole: 1m
 labels:
- service: http
- type: bf
- remediation: true
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1110
+  behavior: "http:bruteforce"
+  label: "http bruteforce"
+  service: http
+  remediation: true

crowdsec/hub/scenarios/crowdsecurity/http-open-proxy.yaml

@@ -5,6 +5,12 @@ description: "Detect scan for open proxy"
 filter: "evt.Meta.log_type == 'http_access-log' && evt.Meta.http_status in ['400','405'] && (evt.Parsed.verb == 'CONNECT' || evt.Parsed.request matches '^http[s]?://')"
 blackhole: 2m
 labels:
- service: http
- type: scan
- remediation: true
+  service: http
+  type: scan
+  remediation: true
+  classification:
+    - attack.T1595
+  behavior: "http:scan"
+  label: "HTTP Open Proxy Probing"
+  spoofable: 0
+  confidence: 3

crowdsec/hub/scenarios/crowdsecurity/http-path-traversal-probing.yaml

@@ -15,6 +15,11 @@ reprocess: true
 leakspeed: 10s
 blackhole: 2m
 labels:
- service: http
- type: scan
- remediation: true
+  remediation: true
+  classification:
+    - attack.T1595.002
+  behavior: "http:exploit"
+  label: "HTTP Path Traversal Exploit"
+  service: http
+  spoofable: 0
+  confidence: 3

crowdsec/hub/scenarios/crowdsecurity/http-probing.yaml

@@ -11,6 +11,11 @@ reprocess: true
 leakspeed: "10s"
 blackhole: 5m
 labels:
- service: http
- type: scan
- remediation: true
+  remediation: true
+  classification:
+    - attack.T1595.003
+  behavior: "http:scan"
+  label: "HTTP Probing"
+  spoofable: 0
+  service: http
+  confidence: 1

crowdsec/hub/scenarios/crowdsecurity/http-sensitive-files.yaml

@@ -14,6 +14,11 @@ capacity: 4
 leakspeed: 5s
 blackhole: 5m
 labels:
-  service: http
-  type: discovery
   remediation: true
+  classification:
+    - attack.T1595.003
+  behavior: "http:scan"
+  label: "Access to sensitive files over HTTP"
+  spoofable: 0
+  service: http
+  confidence: 3

crowdsec/hub/scenarios/crowdsecurity/http-sqli-probing.yaml

@@ -15,6 +15,11 @@ blackhole: 5m
 #low false positives approach : we require distinct payloads to avoid false positives
 distinct: evt.Parsed.http_args
 labels:
-  service: http
-  type: sqli_probing
   remediation: true
+  classification:
+    - attack.T1595.002
+  behavior: "http:exploit"
+  label: "SQL Injection Attempt"
+  spoofable: 0
+  service: http
+  confidence: 3

crowdsec/hub/scenarios/crowdsecurity/http-xss-probing.yaml

@@ -15,6 +15,11 @@ blackhole: 5m
 #low false positives approach : we require distinct payloads to avoid false positives
 distinct: evt.Parsed.http_args
 labels:
-  service: http
-  type: xss_probing
   remediation: true
+  classification:
+    - attack.T1595.002
+  behavior: "http:exploit"
+  label: "XSS Attempt"
+  spoofable: 0
+  service: http
+  confidence: 3

crowdsec/hub/scenarios/crowdsecurity/jira_cve-2021-26086.yaml

@@ -12,5 +12,13 @@ data:
 groupby: "evt.Meta.source_ip"
 blackhole: 2m
 labels:
-  type: exploit
   remediation: true
+  classification:
+    - attack.T1595.001
+    - attack.T1190
+    - cve.CVE-2021-26086
+  behavior: "http:exploit"
+  label: "Jira CVE-2021-26086 exploitation"
+  spoofable: 0
+  service: jira
+  confidence: 3

crowdsec/hub/scenarios/crowdsecurity/mysql-bf.yaml

@@ -9,6 +9,11 @@ capacity: 5
 groupby: evt.Meta.source_ip
 blackhole: 5m
 labels:
- service: mysql
- type: bruteforce
- remediation: true
+  remediation: true
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1110
+  behavior: "database:bruteforce"
+  label: "MySQL Bruteforce"
+  service: mysql

crowdsec/hub/scenarios/crowdsecurity/netgear_rce.yaml

@@ -6,8 +6,15 @@ filter: |
   evt.Meta.log_type in ['http_access-log', 'http_error-log'] && Lower(QueryUnescape(evt.Meta.http_path)) startsWith Lower('/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=')
 groupby: "evt.Meta.source_ip"
 blackhole: 2m
-references: 
+references:
   - "https://www.exploit-db.com/exploits/25978"
 labels:
-  type: exploit
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1595
+    - attack.T1190
+  behavior: "http:exploit"
+  label: "Netgear RCE"
+  service: netgear
   remediation: true

crowdsec/hub/scenarios/crowdsecurity/nginx-req-limit-exceeded.yaml

@@ -8,6 +8,11 @@ capacity: 5
 groupby: evt.Meta.source_ip
 blackhole: 5m
 labels:
- service: nginx
- type: bruteforce
- remediation: true
+  remediation: true
+  confidence: 2
+  spoofable: 2
+  classification:
+    - attack.T1498
+  behavior: "http:dos"
+  label: "Nginx request limit exceeded"
+  service: http

crowdsec/hub/scenarios/crowdsecurity/pulse-secure-sslvpn-cve-2019-11510.yaml

@@ -10,5 +10,12 @@ filter: |
 groupby: "evt.Meta.source_ip"
 blackhole: 2m
 labels:
-  type: exploit
   remediation: true
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1190
+    - cve.CVE-2019-11510
+  behavior: "http:exploit"
+  label: "Pulse Secure CVE-2019-11510"
+  service: pulse-secure

crowdsec/hub/scenarios/crowdsecurity/spring4shell_cve-2022-22965.yaml

@@ -8,5 +8,12 @@ filter: |
 groupby: "evt.Meta.source_ip"
 blackhole: 2m
 labels:
-  type: exploit
   remediation: true
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1190
+    - cve.CVE-2022-22965
+  behavior: "http:exploit"
+  label: "Spring4shell CVE-2022-22965"
+  service: spring

crowdsec/hub/scenarios/crowdsecurity/ssh-bf.yaml

@@ -11,9 +11,14 @@ groupby: evt.Meta.source_ip
 blackhole: 1m
 reprocess: true
 labels:
- service: ssh
- type: bruteforce
- remediation: true
+  service: ssh
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1110
+  label: "SSH Bruteforce"
+  behavior: "ssh:bruteforce"
+  remediation: true
 ---
 # ssh user-enum
 type: leaky
@@ -26,7 +31,11 @@ leakspeed: 10s
 capacity: 5
 blackhole: 1m
 labels:
- service: ssh
- type: bruteforce
- remediation: true
-
+  service: ssh
+  remediation: true
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1589
+  behavior: "ssh:bruteforce"
+  label: "SSH Bruteforce"

crowdsec/hub/scenarios/crowdsecurity/ssh-slow-bf.yaml

@@ -11,9 +11,14 @@ groupby: evt.Meta.source_ip
 blackhole: 1m
 reprocess: true
 labels:
- service: ssh
- type: bruteforce
- remediation: true
+  service: ssh
+  remediation: true
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1110
+  behavior: "ssh:bruteforce"
+  label: "SSH Bruteforce"
 ---
 # ssh user-enum
 type: leaky
@@ -26,7 +31,11 @@ leakspeed: 60s
 capacity: 10
 blackhole: 1m
 labels:
- service: ssh
- type: bruteforce
- remediation: true
-
+  service: ssh
+  remediation: true
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1110
+  behavior: "ssh:bruteforce"
+  label: "SSH Bruteforce"

crowdsec/hub/scenarios/crowdsecurity/thinkphp-cve-2018-20062.yaml

@@ -12,5 +12,13 @@ data:
 groupby: "evt.Meta.source_ip"
 blackhole: 2m
 labels:
-  type: exploit
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1190
+    - attack.T1595
+    - cve.CVE-2018-20062
+  behavior: "http:exploit"
+  label: "ThinkPHP CVE-2018-20062"
   remediation: true
+  service: thinkphp

crowdsec/hub/scenarios/crowdsecurity/vmware-cve-2022-22954.yaml

@@ -7,5 +7,13 @@ filter: |
 groupby: "evt.Meta.source_ip"
 blackhole: 2m
 labels:
-  type: exploit
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1190
+    - attack.T1595
+    - cve.CVE-2022-22954
+  behavior: "vm-management:exploit"
+  label: "VMWARE CVE-2022-22954"
   remediation: true
+  service: vmware

crowdsec/hub/scenarios/crowdsecurity/vmware-vcenter-vmsa-2021-0027.yaml

@@ -7,5 +7,13 @@ filter: |
 groupby: "evt.Meta.source_ip"
 blackhole: 2m
 labels:
-  type: exploit
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1190
+    - attack.T1595
+    - cve.CVE-2021-0027
+  behavior: "vm-management:exploit"
+  label: "VMWARE VCenter VMSA CVE-2021-0027"
   remediation: true
+  service: vmware

crowdsec/hub/scenarios/ltsich/http-w00tw00t.yaml

@@ -7,6 +7,11 @@ filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.file_name contains
 groupby: evt.Meta.source_ip
 blackhole: 5m
 labels:
- service: http
- type: scan
- remediation: true
+  service: http
+  classification:
+    - attack.T1595
+  spoofable: 0
+  confidence: 3
+  behavior: "http:scan"
+  label: "w00t w00t Scanner"
+  remediation: true

crowdsec/scenarios/CVE-2023-22515.yaml

@@ -0,0 +1 @@
+/etc/crowdsec/hub/scenarios/crowdsecurity/CVE-2023-22515.yaml