Revert "[Security Content] Investigation Guides Line breaks refactor (#2412)" (#2453)

This reverts commit d1481e1a88.
Terrance DeJesus
2023-01-09 10:44:54 -05:00
committed by GitHub
parent d1481e1a88
commit b1a689b6fd
182 changed files with 3481 additions and 1606 deletions
@@ -3,7 +3,7 @@ creation_date = "2022/09/14"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/11/28"
updated_date = "2022/09/23"
[rule]
author = ["Elastic"]
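Review bot: the revert also rolls `updated_date` back from "2022/11/28" to "2022/09/23" (the pair of lines following `min_stack_version`). That is only correct if #2412 was the sole change to this rule file since September; if anything else touched the rule in between, the restored date is stale. Since a revert is itself an edit to the rule, consider keeping `updated_date = "2022/11/28"` or setting the date of this commit rather than restoring the older value.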
@@ -21,7 +21,8 @@ note = """## Triage and analysis
### Investigating Potential SSH Brute Force Attack
The rule identifies consecutive SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts.
The rule identifies consecutive SSH login failures targeting a user account from the same source IP address to the
same target host indicating brute force login attempts.
#### Possible investigation steps
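Review bot: re-introducing the hard wrap inside the `note` string (the two lines replacing the single `The rule identifies consecutive SSH login failures ...` sentence) is safe only because the investigation guide is rendered as Markdown, where a single newline inside a paragraph is a soft break; any consumer that displays the TOML string verbatim will show a sentence split mid-clause. Nothing in the hunk records that wrapping convention. Documenting the column limit in the contributing guide, or enforcing it with a lint, would avoid another refactor/revert cycle over formatting alone.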
@@ -40,10 +41,14 @@ The rule identifies consecutive SSH login failures targeting a user account from
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved hosts to prevent further post-compromise behavior.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified.
- Reset passwords for these accounts and other potentially compromised credentials.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
"""
risk_score = 47
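Review bot: this hunk changes wording, not only line breaks. The removed bullet `- Investigate credential exposure ... Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.` comes back as two bullets whose second one ends at `credentials.`, so the concrete examples of what to reset (email, business systems, web services) are dropped. If #2412 was meant as a pure line-break refactor, that content change should be carried over in a follow-up rather than silently lost in the revert; if the examples were a deliberate improvement, keep them in the restored `- Reset passwords ...` bullet here.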