id: known-default-account

info:
  name: PfSense Known Default Account - Detect
  author: pussycat0x
  severity: info
  description: |
    PfSense configured known default accounts are recommended to be deleted. In order to attempt access to known devices' platforms, an attacker can use the available database of the known default accounts for each platform or operating system. Known default accounts are often, but not limited to, 'admin'.
  reference: |
    - https://docs.netgate.com/pfsense/en/latest/usermanager/defaults.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0
    cwe-id: CWE-200
  tags: audit,config,file,firewall,pfsense

file:
  - extensions:
      - xml

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "<name>admin</name>"
          - "<descr><![CDATA[System Administrator]]></descr>"
          - "<priv>user-shell-access</priv>"
        condition: and

# Enhanced by md on 2023/05/04
# digest: 490a00463044022063556ee4b394affce60a28ef8106e7bafe299aaee1d4e84e1e295562373442bd022068de7e8f0dbacab446bc723067113de16f48cb61438deb36b1fa2a0d79d9236b:922c64590222798bb761d5b6d8e72950