frack113
26 lines
675 B
YAML
26 lines
675 B
YAML
title: Failed Logins with Different Accounts from Single Source System
|
|
id: fc947f8e-ea81-4b14-9a7b-13f888f94e18
|
|
status: test
|
|
description: Detects suspicious failed logins with different user accounts from a single source system
|
|
author: Florian Roth
|
|
date: 2017/02/16
|
|
modified: 2021/11/27
|
|
logsource:
|
|
product: linux
|
|
service: auth
|
|
detection:
|
|
selection:
|
|
pam_message: authentication failure
|
|
pam_user: '*'
|
|
pam_rhost: '*'
|
|
timeframe: 24h
|
|
condition: selection | count(pam_user) by pam_rhost > 3
|
|
falsepositives:
|
|
- Terminal servers
|
|
- Jump servers
|
|
- Workstations with frequently changing users
|
|
level: medium
|
|
tags:
|
|
- attack.credential_access
|
|
- attack.t1110
|