Detection | low | stable
Cleartext Protocol Usage
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that encryption is used for all sensitive information in transit. Ensure that an encrypted channel is used for all administrative account access.
Author: Alexandr Yampolskyi, SOC Prime, Tim Shelton
Created: Tue Mar 26
Updated: Mon Oct 10
Rule ID: d7fb8f0e-bd5f-45c2-b467-19571c490d7e
Category: network
Log Source
Category: firewall
Detection Logic (3 selectors)
detection:
    selection:
        dst_port:
            - 8080
            - 21
            - 80
            - 23
            - 50000
            - 1521
            - 27017
            - 3306
            - 1433
            - 11211
            - 15672
            - 5900
            - 5901
            - 5902
            - 5903
            - 5904
    selection_allow1:
        action:
            - forward
            - accept
            - 2
    selection_allow2:
        blocked: "false" # not all fws set action value, but are set to mark as blocked or allowed or not
    condition: selection and 1 of selection_allow*
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
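As an added example (not code from the Sigma rule or the Sigma project), the condition `selection and 1 of selection_allow*` above implemented as a small evaluator in Python and run over constructed firewall events; the field names dst_port, action and blocked are the rule's own, while src_ip/dst_ip and all values are made up.

```python
# Added example: minimal evaluator for the cleartext-protocol Sigma rule above,
# applied to constructed firewall events. Not part of the Sigma project.
CLEARTEXT_PORTS = {8080, 21, 80, 23, 50000, 1521, 27017, 3306, 1433,
                   11211, 15672, 5900, 5901, 5902, 5903, 5904}
ALLOW_ACTIONS = {"forward", "accept", "2"}


def matches(event: dict) -> bool:
    """Return True when the event satisfies `selection and 1 of selection_allow*`."""
    # selection: destination port is one of the listed cleartext-service ports.
    # Ports may arrive as int or str depending on the firewall/log pipeline.
    try:
        port = int(event.get("dst_port"))
    except (TypeError, ValueError):
        return False
    if port not in CLEARTEXT_PORTS:
        return False
    # selection_allow1: the firewall reports the traffic as forwarded/accepted.
    # Sigma string matching is case-insensitive, so normalise before comparing.
    allow1 = str(event.get("action", "")).lower() in ALLOW_ACTIONS
    # selection_allow2: some firewalls only record a blocked flag, not an action.
    allow2 = str(event.get("blocked", "")).lower() == "false"
    return allow1 or allow2


def triage(events):
    """Return the subset of events the rule flags, for analyst review."""
    return [e for e in events if matches(e)]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.10", "dst_port": 21, "action": "accept"},      # FTP allowed: hit
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.10", "dst_port": 23, "action": "deny"},        # Telnet denied: no hit
    {"src_ip": "10.0.0.7", "dst_ip": "203.0.113.20", "dst_port": 443, "action": "accept"},     # HTTPS: port not listed
    {"src_ip": "10.0.0.8", "dst_ip": "203.0.113.30", "dst_port": "3306", "blocked": "false"},  # MySQL, blocked-flag style: hit
    {"src_ip": "10.0.0.9", "dst_ip": "203.0.113.40", "dst_port": 80, "blocked": "true"},       # HTTP blocked: no hit
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"cleartext protocol allowed: {hit['src_ip']} -> {hit['dst_ip']}:{hit['dst_port']}")
```

Running it flags the FTP and MySQL events only; the denied and blocked events and the HTTPS event are left alone, which is the behaviour to expect when porting the rule to a backend.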
MITRE ATT&CK
Tactics: Credential Access
Rule Metadata
Rule ID
d7fb8f0e-bd5f-45c2-b467-19571c490d7e
Status
stable
Level
low
Type
Detection
Created
Tue Mar 26
Modified
Mon Oct 10
Author
Alexandr Yampolskyi, SOC Prime, Tim Shelton
Path
rules/network/firewall/net_firewall_cleartext_protocols.yml
Raw Tags
attack.credential-access