rules/macos/credential_access_potential_macos_ssh_bruteforce.toml

[metadata]
creation_date = "2020/11/16"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/02/22"

[rule]
author = ["Elastic"]
description = """
Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a
brute force attack to obtain unauthorized access to user accounts.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential macOS SSH Brute Force Detected"
references = ["https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/"]
risk_score = 47
rule_id = "ace1e989-a541-44df-93a8-a8b0591b63c0"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
type = "threshold"

query = '''
event.category:process and host.os.type:macos and event.type:start and process.name:"sshd-keygen-wrapper" and process.parent.name:launchd
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[rule.threshold]
field = ["host.id"]
value = 20
[New Rule] Potential SSH Bruteforce Detected (#538 ) 2020-12-04 17:18:03 +01:00			`[metadata]`
			`creation_date = "2020/11/16"`
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429 ) 2023-01-04 09:30:07 -05:00			`integration = ["endpoint"]`
[New Rule] Potential SSH Bruteforce Detected (#538 ) 2020-12-04 17:18:03 +01:00			`maturity = "production"`
min_stack all rules to 8.3 (#2259 ) 2022-08-24 10:38:49 -06:00			`min_stack_comments = "New fields added: required_fields, related_integrations, setup"`
			`min_stack_version = "8.3.0"`
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 ) 2023-03-05 09:41:19 -09:00			`updated_date = "2023/02/22"`
[New Rule] Potential SSH Bruteforce Detected (#538 ) 2020-12-04 17:18:03 +01:00
			`[rule]`
			`author = ["Elastic"]`
			`description = """`
Update License to Elastic v2 (#944 ) 2021-03-03 22:12:11 -09:00			`Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a`
			`brute force attack to obtain unauthorized access to user accounts.`
[New Rule] Potential SSH Bruteforce Detected (#538 ) 2020-12-04 17:18:03 +01:00			`"""`
			`from = "now-9m"`
			`index = ["auditbeat-", "logs-endpoint.events."]`
			`language = "kuery"`
Update License to Elastic v2 (#944 ) 2021-03-03 22:12:11 -09:00			`license = "Elastic License v2"`
[Rule Tuning] adjust duplicate ssh brute force rule names and add unit test (#2321 ) 2022-09-26 10:04:38 -04:00			`name = "Potential macOS SSH Brute Force Detected"`
[New Rule] Potential SSH Bruteforce Detected (#538 ) 2020-12-04 17:18:03 +01:00			`references = ["https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/"]`
			`risk_score = 47`
			`rule_id = "ace1e989-a541-44df-93a8-a8b0591b63c0"`
			`severity = "medium"`
			`tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]`
			`type = "threshold"`

			`query = '''`
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 ) 2023-03-05 09:41:19 -09:00			`event.category:process and host.os.type:macos and event.type:start and process.name:"sshd-keygen-wrapper" and process.parent.name:launchd`
[New Rule] Potential SSH Bruteforce Detected (#538 ) 2020-12-04 17:18:03 +01:00			`'''`


			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`
			`[[rule.threat.technique]]`
			`id = "T1110"`
			`name = "Brute Force"`
			`reference = "https://attack.mitre.org/techniques/T1110/"`


			`[rule.threat.tactic]`
			`id = "TA0006"`
			`name = "Credential Access"`
			`reference = "https://attack.mitre.org/tactics/TA0006/"`

			`[rule.threshold]`
Update schema for threshold rule type for 7.12 (#976 ) 2021-03-05 14:35:50 -09:00			`field = ["host.id"]`
[New Rule] Potential SSH Bruteforce Detected (#538 ) 2020-12-04 17:18:03 +01:00			`value = 20`
Update License to Elastic v2 (#944 ) 2021-03-03 22:12:11 -09:00