diff --git a/.index.json b/.index.json index 666c023fb09..00e71b00f9a 100644 --- a/.index.json +++ b/.index.json @@ -2917,6 +2917,27 @@ "MariuszKociubinski/bitwarden-bf" ] }, + "PlagueDoctor/audiobookshelf": { + "path": "collections/PlagueDoctor/audiobookshelf.yaml", + "version": "0.1", + "versions": { + "0.1": { + "digest": "8b710f122d03ec1c714045c90bc76df4b23817d7ff5a55f364f6f3dc79ed021f", + "deprecated": false + } + }, + "long_description": "IyBEZXNjcmlwdGlvbgoKQSBjb2xsZWN0aW9uIHRvIGRlZmVuZCBbQXVkaW9ib29rc2hlbGYgU2VsZiBIb3N0ZWRdKGh0dHBzOi8vZ2l0aHViLmNvbS9hZHZwbHlyL2F1ZGlvYm9va3NoZWxmKQpkZXBsb3ltZW50cyBhZ2FpbnN0IGNvbW1vbiBhdHRhY2tzOgoKLSBBdWRpb2Jvb2tzaGVsZiBwYXJzZXIKLSBBdWRpb2Jvb2tzaGVsZiBicnV0ZWZvcmNlIGRldGVjdGlvbgoKIyMgQWNxdWlzaXRpb24gdGVtcGxhdGUKCkV4YW1wbGUgYWNxdWlzaXRpb24gZm9yIHRoaXMgY29sbGVjdGlvbjoKCmBgYHlhbWwKLS0tCmZpbGVuYW1lczoKICAtIC92YXIvbG9nL2F1ZGlvYm9va3NoZWxmLyoudHh0CmxhYmVsczoKICB0eXBlOiBhdWRpb2Jvb2tzaGVsZgpgYGAK", + "content": "cGFyc2VyczoKICAgIC0gUGxhZ3VlRG9jdG9yL2F1ZGlvYm9va3NoZWxmLWxvZ3MKc2NlbmFyaW9zOgogICAgLSBQbGFndWVEb2N0b3IvYXVkaW9ib29rc2hlbGYtYmYKZGVzY3JpcHRpb246ICJBdWRpb2Jvb2tzaGVsZjogcGFyc2VyIGFuZCBicnV0ZS1mb3JjZSBkZXRlY3Rpb24iCmF1dGhvcjogUGxhZ3VlRG9jdG9yCnRhZ3M6CiAgICAtIGxpbnV4CiAgICAtIGJydXRlLWZvcmNlCiAgICAtIGF1ZGlvYm9va3NoZWxmCg==", + "description": "Audiobookshelf: parser and brute-force detection", + "author": "PlagueDoctor", + "labels": null, + "parsers": [ + "PlagueDoctor/audiobookshelf-logs" + ], + "scenarios": [ + "PlagueDoctor/audiobookshelf-bf" + ] + }, "ZoeyVid/npmplus": { "path": "collections/ZoeyVid/npmplus.yaml", "version": "0.3", @@ -6528,6 +6549,22 @@ "author": "MariuszKociubinski", "labels": null }, + "PlagueDoctor/audiobookshelf-logs": { + "path": "parsers/s01-parse/PlagueDoctor/audiobookshelf-logs.yaml", + "stage": "s01-parse", + "version": "0.1", + "versions": { + "0.1": { + "digest": "6b086296359e15379dcfde0ebd430101088f8225601666959f03f93e9baf0442", + "deprecated": false + } + }, + "long_description": "IyBEZXNjcmlwdGlvbgoKQSBwYXJzZXIgdGhhdCB3aWxsIHNlYXJjaCBmb3IgdW5hdXRob3JpemVkIGFjY2VzcyB0byBBdWRpb2Jvb2tzaGVsZi4KCiMjIEFjcXVpc2l0aW9uIHRlbXBsYXRlCgpFeGFtcGxlIGFjcXVpc2l0aW9uIGZvciB0aGlzIGNvbGxlY3Rpb246CgpgYGB5YW1sCi0tLQpmaWxlbmFtZXM6CiAgLSAvdmFyL2xvZy9hdWRpb2Jvb2tzaGVsZi8qLnR4dApsYWJlbHM6CiAgdHlwZTogYXVkaW9ib29rc2hlbGYKYGBgCg==", + "content": "b25zdWNjZXNzOiBuZXh0X3N0YWdlCiNkZWJ1ZzogdHJ1ZQpmaWx0ZXI6ICJVcHBlcihldnQuUGFyc2VkLnByb2dyYW0pID09ICdBVURJT0JPT0tTSEVMRiciCm5hbWU6IFBsYWd1ZURvY3Rvci9hdWRpb2Jvb2tzaGVsZi1sb2dzCmRlc2NyaXB0aW9uOiAiUGFyc2UgQXVkaW9ib29rc2hlbGYgbG9ncyIKcGF0dGVybl9zeW50YXg6CiAgICBBQlNfRkFJTEVEX0FVVEg6ICdcW0F1dGhcXSBGYWlsZWQgbG9naW4gYXR0ZW1wdCBmb3IgdXNlcm5hbWUgXFw/IiV7VVNFUk5BTUU6dXNlcm5hbWV9XFw/IiBmcm9tIGlwICV7SVA6c291cmNlX2lwfSBcKCV7REFUQTpyZWFzb259XCknCm5vZGVzOgogICAgLSBncm9rOgogICAgICAgIHBhdHRlcm46ICdcWyV7VElNRVNUQU1QX0lTTzg2MDE6dGltZXN0YW1wfVxdIEVSUk9SOiAle0FCU19GQUlMRURfQVVUSH0nCiAgICAgICAgYXBwbHlfb246IG1lc3NhZ2UKICAgICAgc3RhdGljczoKICAgICAgICAtIG1ldGE6IGxvZ190eXBlCiAgICAgICAgICB2YWx1ZTogYWJzX2ZhaWxlZF9hdXRoCiAgICAtIGZpbHRlcjogJ1VubWFyc2hhbEpTT04oZXZ0LlBhcnNlZC5tZXNzYWdlLCBldnQuVW5tYXJzaGFsZWQsICJhYnMiKSBpbiBbIiIsIG5pbF0nCiAgICAgIGdyb2s6CiAgICAgICAgcGF0dGVybjogIiV7QUJTX0ZBSUxFRF9BVVRIfSIKICAgICAgICBleHByZXNzaW9uOiBldnQuVW5tYXJzaGFsZWQuYWJzLm1lc3NhZ2UKICAgICAgICBzdGF0aWNzOgogICAgICAgICAgLSBtZXRhOiBsb2dfdHlwZQogICAgICAgICAgICB2YWx1ZTogYWJzX2ZhaWxlZF9hdXRoCnN0YXRpY3M6CiAgICAtIG1ldGE6IHNlcnZpY2UKICAgICAgdmFsdWU6IGF1ZGlvYm9va3NoZWxmCiAgICAtIG1ldGE6IHNvdXJjZV9pcAogICAgICBleHByZXNzaW9uOiAiZXZ0LlBhcnNlZC5zb3VyY2VfaXAiCiAgICAtIHRhcmdldDogZXZ0LlN0clRpbWUKICAgICAgZXhwcmVzc2lvbjogJ2V2dC5QYXJzZWQudGltZXN0YW1wICE9ICIiID8gZXZ0LlBhcnNlZC50aW1lc3RhbXAgOiBldnQuVW5tYXJzaGFsZWQuYWJzLnRpbWVzdGFtcCcKICAgICMjIFdlIGNoZWNrIGlmIHRoZSBwYXJzZXIgcGFyc2VkIHRoZSB0aW1lc3RhbXAgb3IgaWYgaXQgd2l0aGluIHRoZSBqc29uIG91dHB1dAogICAgLSBtZXRhOiB1c2VybmFtZQogICAgICBleHByZXNzaW9uOiAiZXZ0LlBhcnNlZC51c2VybmFtZSIK", + "description": "Parse Audiobookshelf logs", + "author": "PlagueDoctor", + "labels": null + }, "Zaulao/aws-alb": { "path": "parsers/s01-parse/Zaulao/aws-alb.yaml", "stage": "s01-parse", @@ -10041,6 +10078,31 @@ "spoofable": 0 } }, + "PlagueDoctor/audiobookshelf-bf": { + "path": "scenarios/PlagueDoctor/audiobookshelf-bf.yaml", + "version": "0.1", + "versions": { + "0.1": { + "digest": "cce65b68389215d3f755b28d0ebe22a30da59e054e1abcb81209ae74dd4563cd", + "deprecated": false + } + }, + "long_description": "IyBEZXNjcmlwdGlvbgoKRGV0ZWN0IGZhaWxlZCBBdWRpb2Jvb2tzaGVsZiBhdXRoZW50aWNhdGlvbnM6CgotIDMgZmFpbGVkIGF1dGhlbnRpY2F0aW9uIGF0dGVtcHRzIHdpdGhpbiAxIG1pbnV0ZSBsZWFrc3BlZWQK", + "content": "IyBBdWRpb2Jvb2tzaGVsZiBicnV0ZWZvcmNlCnR5cGU6IGxlYWt5Cm5hbWU6IFBsYWd1ZURvY3Rvci9hdWRpb2Jvb2tzaGVsZi1iZgpkZXNjcmlwdGlvbjogIkRldGVjdCBBdWRpb2Jvb2tzaGVsZiBicnV0ZWZvcmNlIGF0dGFja3MiCmZpbHRlcjogImV2dC5NZXRhLnNlcnZpY2UgPT0gJ2F1ZGlvYm9va3NoZWxmJyAmJiBldnQuTWV0YS5sb2dfdHlwZSA9PSAnYWJzX2ZhaWxlZF9hdXRoJyIKbGVha3NwZWVkOiAxbQpjYXBhY2l0eTogMwpncm91cGJ5OiBldnQuTWV0YS5zb3VyY2VfaXAKYmxhY2tob2xlOiA1bQpyZXByb2Nlc3M6IHRydWUKbGFiZWxzOgogICAgc2VydmljZTogYXVkaW9ib29rc2hlbGYKICAgIHR5cGU6IGJydXRlZm9yY2UKICAgIGNsYXNzaWZpY2F0aW9uOgogICAgICAgIC0gYXR0YWNrLlQxMTEwCiAgICByZW1lZGlhdGlvbjogdHJ1ZQogICAgYmVoYXZpb3I6IGh0dHA6YnJ1dGVmb3JjZQogICAgc3Bvb2ZhYmxlOiAwCiAgICBjb25maWRlbmNlOiAzCg==", + "description": "Detect Audiobookshelf bruteforce attacks", + "author": "PlagueDoctor", + "labels": { + "behavior": "http:bruteforce", + "classification": [ + "attack.T1110" + ], + "confidence": 3, + "remediation": true, + "service": "audiobookshelf", + "spoofable": 0, + "type": "bruteforce" + } + }, "a1ad/meshcentral-bf": { "path": "scenarios/a1ad/meshcentral-bf.yaml", "version": "0.2",