
Commit 0666b59

authored
[New Rule] Linux Local Account Brute Force (#2965)
1 parent 0ff50ac commit 0666b59

1 file changed

+48
-0
lines changed

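--- /dev/null
+++ b/(path not shown on page)
@@ -0,0 +1,48 @@
+[metadata]
+creation_date = "2023/07/26"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a
+short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a
+set of customly crafted passwords in an attempt to gain access to these accounts.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Linux Local Account Brute Force Detected"
+risk_score = 47
+rule_id = "835c0622-114e-40b5-a346-f843ea5d01f1"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"]
+type = "eql"
+query = '''
+sequence by host.id, process.parent.executable, user.name with maxspan=1s
+[ process where host.os.type == "linux" and event.type == "start" and
+event.action == "exec" and process.name == "su" ] with runs=10
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1110"
+name = "Brute Force"
+reference = "https://attack.mitre.org/techniques/T1110/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1110.001"
+name = "Password Guessing"
+reference = "https://attack.mitre.org/techniques/T1110/001/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"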
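Review bot: The sequence key `user.name` on query line 27 is, on endpoint process events, the account that executes the `su` process rather than the account being guessed, so the description's "targeting a local linux user account" is not something the query enforces: the target only appears in `process.args`, and ten `su` execs in one second by the same actor match whichever accounts they aim at. Keying on `process.parent.executable` also means "executed by one process" is really "by the same parent binary" across any number of parent instances; if one parent process is intended, `process.parent.entity_id` is the narrower key, and the description should say which is meant. Nothing in the query looks at the authentication outcome, so a script that legitimately switches user in a tight loop produces the same ten exec events; adding `false_positives = ["Automation that invokes su repeatedly in a tight loop (for example provisioning or service scripts) can trigger this rule; tune by excluding known process.parent.executable values."]` under `[rule]` would give analysts the expected tuning path.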
