EXPLORE
Sign In
← Back to Explore
sigmalowTTP

Cleartext Protocol Usage

Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access.

Detection Query

selection:
  dst_port:
    - 8080
    - 21
    - 80
    - 23
    - 50000
    - 1521
    - 27017
    - 3306
    - 1433
    - 11211
    - 15672
    - 5900
    - 5901
    - 5902
    - 5903
    - 5904
selection_allow1:
  action:
    - forward
    - accept
    - 2
selection_allow2:
  blocked: "false"
condition: selection and 1 of selection_allow*

Author

Alexandr Yampolskyi, SOC Prime, Tim Shelton

Created

2019-03-26

Data Sources

firewall

References

Tags

attack.credential-access
Raw Content
title: Cleartext Protocol Usage
id: d7fb8f0e-bd5f-45c2-b467-19571c490d7e
status: stable
description: |
    Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
    Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access.
references:
    - https://www.cisecurity.org/controls/cis-controls-list/
    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
author: Alexandr Yampolskyi, SOC Prime, Tim Shelton
date: 2019-03-26
modified: 2022-10-10
tags:
    - attack.credential-access
    # - CSC4
    # - CSC4.5
    # - CSC14
    # - CSC14.4
    # - CSC16
    # - CSC16.5
    # - NIST CSF 1.1 PR.AT-2
    # - NIST CSF 1.1 PR.MA-2
    # - NIST CSF 1.1 PR.PT-3
    # - NIST CSF 1.1 PR.AC-1
    # - NIST CSF 1.1 PR.AC-4
    # - NIST CSF 1.1 PR.AC-5
    # - NIST CSF 1.1 PR.AC-6
    # - NIST CSF 1.1 PR.AC-7
    # - NIST CSF 1.1 PR.DS-1
    # - NIST CSF 1.1 PR.DS-2
    # - ISO 27002-2013 A.9.2.1
    # - ISO 27002-2013 A.9.2.2
    # - ISO 27002-2013 A.9.2.3
    # - ISO 27002-2013 A.9.2.4
    # - ISO 27002-2013 A.9.2.5
    # - ISO 27002-2013 A.9.2.6
    # - ISO 27002-2013 A.9.3.1
    # - ISO 27002-2013 A.9.4.1
    # - ISO 27002-2013 A.9.4.2
    # - ISO 27002-2013 A.9.4.3
    # - ISO 27002-2013 A.9.4.4
    # - ISO 27002-2013 A.8.3.1
    # - ISO 27002-2013 A.9.1.1
    # - ISO 27002-2013 A.10.1.1
    # - PCI DSS 3.2 2.1
    # - PCI DSS 3.2 8.1
    # - PCI DSS 3.2 8.2
    # - PCI DSS 3.2 8.3
    # - PCI DSS 3.2 8.7
    # - PCI DSS 3.2 8.8
    # - PCI DSS 3.2 1.3
    # - PCI DSS 3.2 1.4
    # - PCI DSS 3.2 4.3
    # - PCI DSS 3.2 7.1
    # - PCI DSS 3.2 7.2
    # - PCI DSS 3.2 7.3
logsource:
    category: firewall
detection:
    selection:
        dst_port:
            - 8080
            - 21
            - 80
            - 23
            - 50000
            - 1521
            - 27017
            - 3306
            - 1433
            - 11211
            - 15672
            - 5900
            - 5901
            - 5902
            - 5903
            - 5904
    selection_allow1:
        action:
            - forward
            - accept
            - 2
    selection_allow2:
        blocked: "false" # not all fws set action value, but are set to mark as blocked or allowed or not
    condition: selection and 1 of selection_allow*
falsepositives:
    - Unknown
level: low