Detectionlowtest

Cisco LDP Authentication Failures

Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Tim BrownCreated Mon Jan 0950e606bf-04ce-4ca7-9d54-3449494bbd4bnetwork

Log Source

Ciscoldp

ProductCisco← raw: cisco

Serviceldp← raw: ldp

Definition

Requirements: cisco ldp logs need to be enabled and ingested

Detection Logic

detection:
    selection_protocol:
        - 'LDP'
    selection_keywords:
        - 'SOCKET_TCP_PACKET_MD5_AUTHEN_FAIL'
        - 'TCPMD5AuthenFail'
    condition: selection_protocol and selection_keywords

False Positives

Unlikely. Except due to misconfigurations

References

Resolving title…

blackhat.com

MITRE ATT&CK

Tactics

TA0001 · Initial Access TA0003 · Persistence TA0004 · Privilege Escalation TA0005 · Defense Evasion TA0006 · Credential Access TA0009 · Collection

Techniques

T1078 · Valid Accounts T1110 · Brute Force T1557 · Adversary-in-the-Middle

Rule Metadata

Rule ID

50e606bf-04ce-4ca7-9d54-3449494bbd4b

Status

test

Level

low

Type

Detection

Created

Mon Jan 09

Author

Tim Brown

Path

rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml

Raw Tags

attack.initial-accessattack.persistenceattack.privilege-escalationattack.defense-evasionattack.credential-accessattack.collectionattack.t1078attack.t1110attack.t1557

View on GitHub