[metadata] creation_date = "2022/09/14" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" updated_date = "2022/09/23" [rule] author = ["Elastic"] description = """ Identifies multiple consecutive login failures targeting an user account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts. """ from = "now-9m" index = ["auditbeat-*", "logs-system.auth-*"] language = "eql" license = "Elastic License v2" name = "Potential Linux SSH Brute Force Detected" note = """## Triage and analysis ### Investigating Potential SSH Brute Force Attack The rule identifies consecutive SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts. #### Possible investigation steps - Investigate the login failure user name(s). - Investigate the source IP address of the failed ssh login attempt(s). - Investigate other alerts associated with the user/host during the past 48 hours. - Identify the source and the target computer and their roles in the IT environment. ### False positive analysis - Authentication misconfiguration or obsolete credentials. - Service account password expired. - Infrastructure or availability issue. ### Response and remediation - Initiate the incident response process based on the outcome of the triage. - Isolate the involved hosts to prevent further post-compromise behavior. - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. - Reset passwords for these accounts and other potentially compromised credentials. - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ risk_score = 47 rule_id = "1c27fa22-7727-4dd3-81c0-de6da5555feb" severity = "medium" tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access"] type = "eql" query = ''' sequence by host.id, source.ip, user.name with maxspan=10s [authentication where event.action in ("ssh_login", "user_login") and event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=10 ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" [[rule.threat.technique.subtechnique]] id = "T1110.001" name = "Password Guessing" reference = "https://attack.mitre.org/techniques/T1110/001/" [[rule.threat.technique.subtechnique]] id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/"