Potential Linux Local Account Brute Force Detected

Identifies multiple consecutive login attempts executed by one process targeting a local Linux user account within a short time interval. Adversaries might brute-force login attempts across different users with a default wordlist or a set of custom-crafted passwords in an attempt to gain access to these accounts.


# Repository bookkeeping for this detection rule (dates, integration, stack
# requirements). These keys are consumed by the rule-management tooling, not
# by the query itself.
[metadata]
creation_date = "2023/07/26"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
# Minimum stack version on which this rule is supported.
min_stack_version = "8.3.0"
updated_date = "2023/08/24"

[rule]
author = ["Elastic"]
description = """
Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a 
short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a 
set of customly crafted passwords in an attempt to gain access to these accounts.
"""
# Look-back window evaluated on each rule execution. The schedule interval is
# not set in this file; presumably 9m leaves overlap so a sequence straddling
# two executions is still caught — confirm against the deployed interval.
from = "now-9m"
# Reads Elastic Defend endpoint process events only.
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Linux Local Account Brute Force Detected"
risk_score = 47
rule_id = "835c0622-114e-40b5-a346-f843ea5d01f1"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
type = "eql"
# EQL sequence: 10 `su` exec events (runs=10) that share the same host.id,
# process.parent.executable and user.id, all occurring within 1 second
# (maxspan=1s). Two consequences worth knowing when triaging or tuning:
#   - user.id in the join key is the *invoking* user, not the account being
#     targeted by `su`; the rule counts `su` launches, it does not check
#     whether each attempt failed or succeeded.
#   - The `not process.parent.name in (...)` clause excludes `su` spawned
#     directly by the listed interactive shells and by clickhouse-server,
#     presumably to suppress manual use and a known benign parent. That same
#     exclusion means a rapid `su` loop whose direct parent is one of those
#     shells is not matched — verify the list fits your environment and
#     consider corroborating with authentication-failure telemetry.
query = '''
sequence by host.id, process.parent.executable, user.id with maxspan=1s
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "su" and 
  not process.parent.name in (
   "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "clickhouse-server"
  )] with runs=10
'''

# ATT&CK mapping: Credential Access (TA0006) via Brute Force (T1110),
# sub-technique Password Guessing (T1110.001).
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"

[[rule.threat.technique.subtechnique]]
id = "T1110.001"
name = "Password Guessing"
reference = "https://attack.mitre.org/techniques/T1110/001/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

