Potential macOS SSH Brute Force Detected

Identifies a high number of inbound SSH connections to a macOS host within a short time window. On macOS, Remote Login is a launchd-managed service: launchd starts sshd-keygen-wrapper (which in turn launches sshd) once for every inbound SSH connection, whether the subsequent login succeeds or fails, so the count of these process starts tracks inbound login attempts. The rule is a threshold rule: it fires when at least 20 such starts from the same host.id fall inside its 9-minute lookback window. One connection can carry several password guesses (up to sshd's MaxAuthTries, 6 by default), so the spawn count is a lower bound on the number of guesses, and the rule does not distinguish password from key-based authentication. Adversaries may perform password brute force or password spraying against exposed SSH services to obtain unauthorized access.

Elastic rule

[metadata]
creation_date = "2020/11/16"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/05/18"

[rule]
author = ["Elastic"]
description = """
Identifies a high number of inbound SSH login attempts on a macOS host within a short time window. On macOS, each
inbound SSH authentication attempt spawns the sshd-keygen-wrapper process once, whether the login succeeds or fails.
Adversaries may perform password brute force or password spraying against exposed SSH services to obtain unauthorized
access.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential macOS SSH Brute Force Detected"
references = ["https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/"]
risk_score = 47
rule_id = "ace1e989-a541-44df-93a8-a8b0591b63c0"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
event.category:process and host.os.type:macos and event.type:start and process.name:"sshd-keygen-wrapper" and process.parent.name:launchd
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential macOS SSH Brute Force Detected

SSH (Secure Shell) is a protocol used to securely access remote systems. On macOS, each inbound SSH authentication attempt spawns
`sshd-keygen-wrapper` once before handing off to `sshd`, regardless of whether the login succeeds or fails. This rule uses that
1:1 relationship as a proxy for high inbound SSH login attempt volume on a host. It does not detect SSH key generation or
key-based brute force activity.

### Possible investigation steps

- Review alert details for `host.os.type:macos`, `process.name:sshd-keygen-wrapper`, and `process.parent.name:launchd`.
- Examine the frequency and timing of `sshd-keygen-wrapper` process starts to determine if they suggest automated login attempts.
- Review SSH authentication logs on the affected host for failed and successful logins, source IP addresses, and targeted usernames.
- Determine whether Remote Login is expected to be enabled on this host (for example, build servers or developer workstations).
- Correlate the activity with other alerts or logs from the same host to identify additional indicators of compromise.
- Review user account activity on the host to determine if any accounts were accessed or modified unexpectedly.

### False positive analysis

- Build servers, developer workstations, or CI/CD pipelines that receive many legitimate inbound SSH connections may trigger this rule. Exclude known hosts or maintenance windows if the activity is expected.
- Automated deployment or configuration management tools that open many SSH sessions in a short period can cause false positives.
- Internet-facing SSH services may receive high volumes of scanning or credential-stuffing traffic from unrelated sources.
- Security scanners or health checks that repeatedly test SSH connectivity may generate elevated `sshd-keygen-wrapper` activity.

### Response and remediation

- Review SSH authentication logs to identify source IPs, targeted accounts, and whether any logins succeeded.
- If unauthorized access is suspected, isolate the affected macOS host from the network.
- Implement IP blocking or rate limiting on the SSH service to reduce further login attempts.
- Review and reset credentials for affected user accounts if compromise is confirmed.
- Conduct a thorough review of the host's SSH configuration and enabled Remote Login settings.
- Escalate to the security operations team if additional hosts show similar patterns.
- Enhance monitoring for SSH authentication anomalies across the environment."""


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1133"
name = "External Remote Services"
reference = "https://attack.mitre.org/techniques/T1133/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[rule.threshold]
field = ["host.id"]
value = 20
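The following is an added example, not code from the Elastic rule or its repository: it replays the rule's KQL predicate and threshold logic over constructed ECS-style process events so the effect of the query fields, the 9-minute lookback and the per-host.id threshold of 20 can be seen end to end. It assumes events are flat dicts keyed by the ECS field names the query uses, that event.ingested is an ISO-8601 timestamp (the rule's timestamp_override), and a fixed "now"; the host names and event counts are constructed.

```python
# Added example (not part of the Elastic rule or its code base): replays the
# rule's KQL predicate and threshold over constructed ECS-style process events.
# Assumed: events are flat dicts keyed by the ECS field names the query uses;
# WINDOW and THRESHOLD mirror the rule's from = "now-9m" and threshold value 20.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=9)   # from = "now-9m"
THRESHOLD = 20                  # [rule.threshold] value = 20, grouped by host.id
FIXED_NOW = datetime(2026, 5, 18, 12, 0, tzinfo=timezone.utc)  # constructed "now"


def matches_query(ev):
    """Mirror the rule's KQL: event.category:process and host.os.type:macos and
    event.type:start and process.name:"sshd-keygen-wrapper" and
    process.parent.name:launchd."""
    return (
        ev.get("event.category") == "process"
        and ev.get("host.os.type") == "macos"
        and ev.get("event.type") == "start"
        and ev.get("process.name") == "sshd-keygen-wrapper"
        and ev.get("process.parent.name") == "launchd"
    )


def evaluate(events, now):
    """Count matching starts per host.id inside (now - WINDOW, now], keyed on
    event.ingested as the rule's timestamp_override does, and return the hosts
    that reach THRESHOLD. Each count is one inbound SSH connection; a single
    connection may carry several password guesses (up to sshd's MaxAuthTries),
    so the count is a lower bound on the number of guesses."""
    counts = defaultdict(int)
    for ev in events:
        if not matches_query(ev):
            continue
        ts = datetime.fromisoformat(ev["event.ingested"])
        if now - WINDOW < ts <= now:
            counts[ev["host.id"]] += 1
    return {host: n for host, n in counts.items() if n >= THRESHOLD}


def _event(host, os_type, name, parent, at, etype="start"):
    return {
        "event.category": "process", "event.type": etype,
        "host.os.type": os_type, "host.id": host,
        "process.name": name, "process.parent.name": parent,
        "event.ingested": at.isoformat(),
    }


def build_sample(now):
    """Constructed telemetry, not captured from a real host."""
    events = []
    # mac-a: 25 inbound connections over the last five minutes -> fires.
    for i in range(25):
        events.append(_event("mac-a", "macos", "sshd-keygen-wrapper", "launchd",
                             now - timedelta(seconds=12 * i)))
    # mac-a: a burst of 40 an hour ago -> outside the 9-minute lookback.
    for i in range(40):
        events.append(_event("mac-a", "macos", "sshd-keygen-wrapper", "launchd",
                             now - timedelta(hours=1, seconds=i)))
    # mac-b: 5 connections -> below threshold.
    for i in range(5):
        events.append(_event("mac-b", "macos", "sshd-keygen-wrapper", "launchd",
                             now - timedelta(seconds=30 * i)))
    # mac-b: matching process *end* events -> event.type:start excludes them.
    for i in range(30):
        events.append(_event("mac-b", "macos", "sshd-keygen-wrapper", "launchd",
                             now - timedelta(seconds=i), etype="end"))
    # linux-c: 30 sshd starts -> host.os.type and process.name do not match.
    for i in range(30):
        events.append(_event("linux-c", "linux", "sshd", "systemd",
                             now - timedelta(seconds=i)))
    return events


def run(now=FIXED_NOW):
    return evaluate(build_sample(now), now)


if __name__ == "__main__":
    print(run())  # {'mac-a': 25}
```

Only mac-a is returned: the hour-old burst falls outside the lookback, mac-b's five connections stay under the threshold, its process end events fail event.type:start, and the Linux host fails both host.os.type and process.name. When tuning, remember that the rule counts connections, not guesses, so 20 connections can represent well over 20 password attempts.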

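The investigation and response steps above both start from the host's SSH authentication logs: source IPs, targeted usernames, and whether any login succeeded. The following is an added example, not part of the rule or its investigation guide, that summarises sshd authentication messages per source address and flags the pattern a triager most wants to see, a success from an address that had been failing. The log lines are constructed in OpenSSH's standard message format (the text sshd emits; on macOS it is retrievable from the unified log with `log show --predicate 'process == "sshd"' --last 1h`); the syslog-style prefix, addresses, and the cut-offs that label an address as brute force or spraying are assumptions chosen for the example.

```python
# Added example (not part of the Elastic rule): summarise sshd authentication
# messages for triage (source IPs, targeted usernames, failed vs successful
# logins). SAMPLE_LOG is constructed in OpenSSH's message format; the
# syslog-style prefix, addresses and the MIN_* cut-offs are assumptions.
import re
from collections import defaultdict

FAILED = re.compile(
    r"Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")

MIN_FAILURES = 10     # hypothetical cut-off: fewer failures is "low volume"
MIN_SPRAY_USERS = 5   # hypothetical cut-off: this many distinct users marks spraying


def _new_source():
    return {"failed": 0, "accepted": 0, "failed_users": set(),
            "success_after_failures": False}


def triage(lines):
    """Return (per_ip_report, accepted_logins) for a list of sshd log lines."""
    per_ip = defaultdict(_new_source)
    accepted = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            s = per_ip[m["ip"]]
            s["failed"] += 1
            s["failed_users"].add(m["user"])
            continue
        m = ACCEPTED.search(line)
        if m:
            s = per_ip[m["ip"]]
            s["accepted"] += 1
            # A success from an address that was already failing is the
            # finding to escalate: a guessed password or a compromised key.
            if s["failed"] > 0:
                s["success_after_failures"] = True
            accepted.append((m["user"], m["ip"], m["method"]))
    report = {}
    for ip, s in per_ip.items():
        if s["failed"] >= MIN_FAILURES and len(s["failed_users"]) >= MIN_SPRAY_USERS:
            pattern = "password spraying"      # many users, few tries each
        elif s["failed"] >= MIN_FAILURES:
            pattern = "brute force"            # one or two users, many tries
        else:
            pattern = "low volume"
        report[ip] = {
            "failed": s["failed"],
            "accepted": s["accepted"],
            "failed_users": sorted(s["failed_users"]),
            "pattern": pattern,
            "success_after_failures": s["success_after_failures"],
        }
    return report, accepted


# Constructed sample: 12 guesses at root then a success from 203.0.113.10,
# a spray of six usernames (twice each) from 198.51.100.7, and one expected
# key-based login from 10.0.0.5.
SAMPLE_LOG = (
    [f"May 18 10:00:{i:02d} mac-a sshd[4{i:03d}]: Failed password for root "
     f"from 203.0.113.10 port {51000 + i} ssh2" for i in range(12)]
    + ["May 18 10:00:13 mac-a sshd[4100]: Accepted password for alice "
       "from 203.0.113.10 port 51013 ssh2"]
    + [f"May 18 10:01:{i:02d} mac-a sshd[5{i:03d}]: Failed password for invalid user {u} "
       f"from 198.51.100.7 port {52000 + i} ssh2"
       for i, u in enumerate(["admin", "test", "oracle", "deploy", "guest", "ubuntu"] * 2)]
    + ["May 18 10:02:00 mac-a sshd[6000]: Accepted publickey for bob "
       "from 10.0.0.5 port 53000 ssh2: ED25519 SHA256:constructed"]
)


if __name__ == "__main__":
    report, logins = triage(SAMPLE_LOG)
    for ip, s in sorted(report.items()):
        print(ip, s)
    print("accepted:", logins)
```

Run against the sample, 203.0.113.10 is labelled brute force with success_after_failures set (twelve failures against root followed by an accepted password for alice), 198.51.100.7 is labelled password spraying (twelve failures spread over six usernames), and 10.0.0.5 is low volume with a single key-based success. The cut-offs are deliberately simple; in practice compare them against the host's normal inbound SSH volume, and treat any accepted login from a failing source as grounds for the isolation and credential-reset steps above.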
