Potential SSH Brute Force Detected on Privileged Account

Elastic Detection Rules

Summary
This detection rule identifies potential brute-force attacks on privileged accounts, specifically SSH login failures for the root or admin account originating from the same source IP address. By monitoring the specified log indices for multiple consecutive failed SSH logins, the rule highlights attempts to gain unauthorized access to privileged accounts within a short time interval. The detection logic is an EQL (Event Query Language) sequence query that groups login failures by host ID and source IP and is restricted to events from Linux systems. It fires when at least three consecutive failures occur within ten seconds, which indicates a possible brute-force attack. The rule also includes guidance on triage, false-positive analysis, and response and remediation steps that reduce the impact of such attacks.
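As an added illustration (not the rule's own EQL or code), the following Python reproduces the summarised logic over constructed log lines: failed SSH logins for root or admin are grouped by host and source IP, and an alert is raised when three of them fall within a ten-second span. The line format, field names and the privileged-account list are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

PRIVILEGED_USERS = {"root", "admin"}  # assumed privileged account names
MAX_SPAN = timedelta(seconds=10)      # window stated in the rule summary
MIN_FAILURES = 3                      # threshold stated in the rule summary

# Constructed sample events (not real data), one sshd-style record per line.
SAMPLE_EVENTS = """\
host=web01 ts=2022-09-14T10:00:01 src=203.0.113.5 user=root result=failure
host=web01 ts=2022-09-14T10:00:03 src=203.0.113.5 user=root result=failure
host=web01 ts=2022-09-14T10:00:06 src=203.0.113.5 user=root result=failure
host=web01 ts=2022-09-14T10:00:07 src=198.51.100.9 user=alice user_result=x result=failure
host=web01 ts=2022-09-14T10:00:20 src=198.51.100.9 user=admin result=failure
host=web01 ts=2022-09-14T10:00:45 src=198.51.100.9 user=admin result=failure
host=web01 ts=2022-09-14T10:01:10 src=198.51.100.9 user=admin result=failure
host=db02 ts=2022-09-14T10:02:00 src=192.0.2.7 user=admin result=failure
host=db02 ts=2022-09-14T10:02:02 src=192.0.2.7 user=admin result=success
host=db02 ts=2022-09-14T10:02:03 src=192.0.2.7 user=admin result=failure
host=db02 ts=2022-09-14T10:02:04 src=192.0.2.7 user=admin result=failure
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn a key=value record into a dict with a parsed timestamp."""
    ev = dict(FIELD_RE.findall(line))
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def detect_privileged_brute_force(log_text):
    """Mimic the EQL sequence: MIN_FAILURES failed SSH logins for a privileged
    user, grouped by (host, source IP), inside MAX_SPAN.  As with an EQL
    sequence, unrelated events between the failures do not reset the chain."""
    windows = {}  # (host, src) -> timestamps of recent privileged failures
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev["result"] != "failure" or ev["user"] not in PRIVILEGED_USERS:
            continue
        win = windows.setdefault((ev["host"], ev["src"]), [])
        win.append(ev["ts"])
        while ev["ts"] - win[0] > MAX_SPAN:  # drop failures older than the span
            win.pop(0)
        if len(win) >= MIN_FAILURES:
            alerts.append({"host": ev["host"], "src": ev["src"],
                           "first": win[0].isoformat(), "last": ev["ts"].isoformat()})
            win.clear()  # a matched sequence consumes its events, as in EQL
    return alerts
```

The second source (198.51.100.9) fails three times but spread over 50 seconds, so it stays below the threshold; the successful login on db02 does not break the chain around it.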
Categories
  • Endpoint
  • Linux
Data Sources
  • Logon Session
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1110
  • T1110.001
  • T1110.003
  • T1021
  • T1021.004
Created: 2022-09-14