2020-01-30 17:26:09 +01:00
|
|
|
title: Failed Logins with Different Accounts from Single Source System
|
2019-11-12 23:12:27 +01:00
|
|
|
id: fc947f8e-ea81-4b14-9a7b-13f888f94e18
|
2020-09-13 22:03:04 -06:00
|
|
|
status: experimental
|
|
|
|
|
description: Detects suspicious failed logins with different user accounts from a single source system
|
2020-01-30 15:32:39 +01:00
|
|
|
author: Florian Roth
|
|
|
|
|
date: 2017/02/16
|
2017-02-16 18:02:26 +01:00
|
|
|
logsource:
|
|
|
|
|
product: linux
|
2017-09-11 00:35:52 +02:00
|
|
|
service: auth
|
2017-01-11 00:26:22 +01:00
|
|
|
detection:
|
|
|
|
|
selection:
|
2019-11-12 23:12:27 +01:00
|
|
|
pam_message: authentication failure
|
2018-06-28 09:30:12 +02:00
|
|
|
pam_user: '*'
|
|
|
|
|
pam_rhost: '*'
|
2019-11-12 23:12:27 +01:00
|
|
|
timeframe: 24h
|
2017-01-11 00:26:22 +01:00
|
|
|
condition: selection | count(pam_user) by pam_rhost > 3
|
|
|
|
|
falsepositives:
|
|
|
|
|
- Terminal servers
|
|
|
|
|
- Jump servers
|
2019-11-12 23:12:27 +01:00
|
|
|
- Workstations with frequently changing users
|
2017-02-16 18:02:26 +01:00
|
|
|
level: medium
|
2021-09-07 18:16:46 +02:00
|
|
|
tags:
|
|
|
|
|
- attack.credential_access
|
|
|
|
|
- attack.t1110
|
