|
| 1 | +[metadata] |
| 2 | +creation_date = "2023/07/26" |
| 3 | +integration = ["endpoint"] |
| 4 | +maturity = "production" |
| 5 | +min_stack_comments = "New fields added: required_fields, related_integrations, setup" |
| 6 | +min_stack_version = "8.3.0" |
| 7 | +updated_date = "2023/07/26" |
| 8 | + |
| 9 | +[rule] |
| 10 | +author = ["Elastic"] |
| 11 | +description = """ |
| 12 | +Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a |
| 13 | +short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a |
| 14 | +set of customly crafted passwords in an attempt to gain access to these accounts. |
| 15 | +""" |
| 16 | +from = "now-9m" |
| 17 | +index = ["logs-endpoint.events.*"] |
| 18 | +language = "eql" |
| 19 | +license = "Elastic License v2" |
| 20 | +name = "Potential Linux Local Account Brute Force Detected" |
| 21 | +risk_score = 47 |
| 22 | +rule_id = "835c0622-114e-40b5-a346-f843ea5d01f1" |
| 23 | +severity = "medium" |
| 24 | +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] |
| 25 | +type = "eql" |
| 26 | +query = ''' |
| 27 | +sequence by host.id, process.parent.executable, user.name with maxspan=1s |
| 28 | +[ process where host.os.type == "linux" and event.type == "start" and |
| 29 | + event.action == "exec" and process.name == "su" ] with runs=10 |
| 30 | +''' |
| 31 | + |
| 32 | +[[rule.threat]] |
| 33 | +framework = "MITRE ATT&CK" |
| 34 | + |
| 35 | +[[rule.threat.technique]] |
| 36 | +id = "T1110" |
| 37 | +name = "Brute Force" |
| 38 | +reference = "https://attack.mitre.org/techniques/T1110/" |
| 39 | + |
| 40 | +[[rule.threat.technique.subtechnique]] |
| 41 | +id = "T1110.001" |
| 42 | +name = "Password Guessing" |
| 43 | +reference = "https://attack.mitre.org/techniques/T1110/001/" |
| 44 | + |
| 45 | +[rule.threat.tactic] |
| 46 | +id = "TA0006" |
| 47 | +name = "Credential Access" |
| 48 | +reference = "https://attack.mitre.org/tactics/TA0006/" |
0 commit comments