
Potential Linux Local Account Brute Force Detected

Elastic Detection Rules

Summary
This rule identifies repeated login attempts against local Linux user accounts that may indicate a brute-force attack. It watches process-start events for the su command, the utility used to switch to another user account, and flags cases where one parent process executes su many times within a short time span. The detection is a sequence query that filters on event type and groups events by parent executable and user ID, so a burst of su executions from a single source is treated as one candidate attack rather than as unrelated events. Parent processes known to invoke su legitimately are excluded to reduce false positives. When the rule fires, investigate activity on the source host, identify which accounts were targeted and whether any su attempt eventually succeeded, and review related alerts for the same host. The rule ships with triage and analysis guidance, a list of possible false-positive scenarios, and recommended response actions.
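The detection logic described above, reimplemented as an added example over constructed process events. This is not Elastic's rule or code: the field names mimic endpoint process events, the threshold of 10 su executions within a 1-second window, the per-host grouping, and the exclusion list are assumptions for illustration, since the page does not reproduce the rule's exact values.

```python
"""Added example: sequence-style detection of rapid 'su' executions from one
parent process, grouped by (host, parent executable, user ID).  Not Elastic's
rule; thresholds, field names and the exclusion list are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(ts, host, parent, uid, name="su", os="linux", etype="start"):
    """Build one constructed process-start event (not real telemetry)."""
    return {"@timestamp": ts, "host.id": host, "host.os.type": os,
            "event.type": etype, "process.name": name,
            "process.parent.executable": parent, "user.id": uid}


# Constructed sample input:
#  - host-a: twelve 'su' executions from one bash within ~0.5 s (suspicious)
#  - host-b: two 'su' executions four seconds apart (normal cadence)
#  - host-c: twelve 'su' executions paced 200 ms apart (spans >1 s)
#  - host-a: a burst from a display manager covered by the exclusion list
#  - host-a: a 'sudo' start that is not 'su' and must be ignored
SAMPLE_EVENTS = (
    [_ev(f"2023-07-26T10:00:00.{i * 50:03d}", "host-a", "/usr/bin/bash", "1000")
     for i in range(12)]
    + [_ev("2023-07-26T10:00:05.000", "host-b", "/usr/bin/bash", "1000"),
       _ev("2023-07-26T10:00:09.000", "host-b", "/usr/bin/bash", "1000")]
    + [_ev(f"2023-07-26T10:00:{i * 200 // 1000:02d}.{(i * 200) % 1000:03d}",
           "host-c", "/usr/bin/bash", "1000") for i in range(12)]
    + [_ev(f"2023-07-26T10:00:01.{i * 40:03d}", "host-a",
           "/usr/libexec/gdm-session-worker", "0") for i in range(12)]
    + [_ev("2023-07-26T10:00:00.100", "host-a", "/usr/bin/bash", "1000",
           name="sudo")]
)

# Illustrative exclusion list (assumption): the page says known legitimate
# parents are excluded but does not list them.
BENIGN_PARENTS = {"/usr/libexec/gdm-session-worker", "/usr/lib/systemd/systemd"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f")


def detect_su_bursts(events, threshold=10, maxspan=timedelta(seconds=1),
                     benign_parents=BENIGN_PARENTS):
    """Return one alert per (host, parent executable, user ID) whose 'su'
    executions reach `threshold` inside a sliding `maxspan` window.
    threshold/maxspan are assumed values, not the rule's published ones."""
    windows = defaultdict(deque)   # key -> timestamps still inside the window
    fired = set()
    alerts = []
    for e in sorted(events, key=lambda e: e["@timestamp"]):
        # Event filter: Linux process-start events where the process is 'su'.
        if (e["host.os.type"] != "linux" or e["event.type"] != "start"
                or e["process.name"] != "su"):
            continue
        parent = e["process.parent.executable"]
        if parent in benign_parents:
            continue
        key = (e["host.id"], parent, e["user.id"])
        ts = parse_ts(e["@timestamp"])
        w = windows[key]
        w.append(ts)
        # Drop timestamps older than maxspan relative to the newest event.
        while ts - w[0] > maxspan:
            w.popleft()
        if len(w) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"host.id": key[0], "process.parent.executable": key[1],
                           "user.id": key[2], "count": len(w),
                           "first": w[0].isoformat(), "last": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect_su_bursts(SAMPLE_EVENTS):
        print(a)
```

Only the host-a bash burst fires with the default settings: host-c never has more than six su starts inside any one-second window, so an attacker who paces attempts below the window, or who launches each su from a fresh parent process, stays under the threshold. Widening maxspan catches the paced burst at the cost of more noise from legitimate scripts, which is why the exclusion list and the per-parent grouping matter.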
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • Logon Session
  • Command
ATT&CK Techniques
  • T1110
  • T1110.001
Created: 2023-07-26