Default Credentials Usage

Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.

Rule Content

- title: Default Credentials Usage
  id: 1a395cbc-a84a-463a-9086-ed8a70e573c7
  description: Before deploying any new asset, change all default passwords to have
    values consistent with administrative level accounts. Sigma detects default credentials
    usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
  author: Alexandr Yampolskyi, SOC Prime
  status: stable
  references:
  - https://www.cisecurity.org/controls/cis-controls-list/
  - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
  - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
  - https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists
  date: 2019/03/26
  logsource:
    product: qualys
    service: null
    category: null
  detection:
    selection:
      host.scan.vuln:
      - 10693
      - 11507
      - 11633
      - 11804
      - 11821
      - 11847
      - 11867
      - 11931
      - 11935
      - 11950
      - 12541
      - 12558
      - 12559
      - 12560
      - 12562
      - 12563
      - 12565
      - 12587
      - 12590
      - 12599
      - 12702
      - 12705
      - 12706
      - 12907
      - 12928
      - 12929
      - 13053
      - 13178
      - 13200
      - 13218
      - 13241
      - 13253
      - 13274
      - 13296
      - 13301
      - 13327
      - 13373
      - 13374
      - 13409
      - 13530
      - 13532
      - 20065
      - 20073
      - 20081
      - 27202
      - 27358
      - 38702
      - 38719
      - 42045
      - 42417
      - 43029
      - 43220
      - 43221
      - 43222
      - 43223
      - 43225
      - 43246
      - 43431
      - 43484
      - 86857
      - 87098
      - 87106
    condition: selection
  falsepositives:
  - unknown
  level: medium
  tags:
  - CSC4
  - CSC4.2
  - NIST CSF 1.1 PR.AC-4
  - NIST CSF 1.1 PR.AT-2
  - NIST CSF 1.1 PR.MA-2
  - NIST CSF 1.1 PR.PT-3
  - ISO 27002-2013 A.9.1.1
  - ISO 27002-2013 A.9.2.2
  - ISO 27002-2013 A.9.2.3
  - ISO 27002-2013 A.9.2.4
  - ISO 27002-2013 A.9.2.5
  - ISO 27002-2013 A.9.2.6
  - ISO 27002-2013 A.9.3.1
  - ISO 27002-2013 A.9.4.1
  - ISO 27002-2013 A.9.4.2
  - ISO 27002-2013 A.9.4.3
  - ISO 27002-2013 A.9.4.4
  - PCI DSS 3.2 2.1
  - PCI DSS 3.2 7.1
  - PCI DSS 3.2 7.2
  - PCI DSS 3.2 7.3
  - PCI DSS 3.2 8.1
  - PCI DSS 3.2 8.2
  - PCI DSS 3.2 8.3
  - PCI DSS 3.2 8.7

Querying Elasticsearch

Import Libraries



In [ ]:

    
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd

Initialize Elasticsearch client



In [ ]:

    
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-*', doc_type='doc')

Run Elasticsearch Query



In [ ]:

    
s = searchContext.query('query_string', query='host.scan.vuln:("10693" OR "11507" OR "11633" OR "11804" OR "11821" OR "11847" OR "11867" OR "11931" OR "11935" OR "11950" OR "12541" OR "12558" OR "12559" OR "12560" OR "12562" OR "12563" OR "12565" OR "12587" OR "12590" OR "12599" OR "12702" OR "12705" OR "12706" OR "12907" OR "12928" OR "12929" OR "13053" OR "13178" OR "13200" OR "13218" OR "13241" OR "13253" OR "13274" OR "13296" OR "13301" OR "13327" OR "13373" OR "13374" OR "13409" OR "13530" OR "13532" OR "20065" OR "20073" OR "20081" OR "27202" OR "27358" OR "38702" OR "38719" OR "42045" OR "42417" OR "43029" OR "43220" OR "43221" OR "43222" OR "43223" OR "43225" OR "43246" OR "43431" OR "43484" OR "86857" OR "87098" OR "87106")')
response = s.execute()
if response.success():
    df = pd.DataFrame((d.to_dict() for d in s.scan()))

Show Results



In [ ]:

    
df.head()