OpenCanary - SSH Login Attempt
Detects instances where an SSH service on an OpenCanary node has had a login attempt.
Sigma rule (View on GitHub)
1title: OpenCanary - SSH Login Attempt
2id: ff7139bc-fdb1-4437-92f2-6afefe8884cb
3status: experimental
4description: Detects instances where an SSH service on an OpenCanary node has had a login attempt.
5references:
6 - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
7 - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
8author: Security Onion Solutions
9date: 2024-03-08
10tags:
11 - attack.initial-access
12 - attack.lateral-movement
13 - attack.persistence
14 - attack.t1133
15 - attack.t1021
16 - attack.t1078
17logsource:
18 category: application
19 product: opencanary
20detection:
21 selection:
22 logtype: 4002
23 condition: selection
24falsepositives:
25 - Unlikely
26level: high
References
-
Configuration Since we have many services, and each service has a few options, we have listed them all for you. Services Configuration We have gone ahead and listed all the services by their config...
Read More -
Modular and decentralised honeypot. Contribute to thinkst/opencanary development by creating an account on GitHub.
Read More
Related rules
- OpenCanary - SSH New Connection Attempt
- Failed Logon From Public IP
- Password Provided In Command Line Of Net.EXE
- AWS Suspicious SAML Activity
- Account Tampering - Suspicious Failed Logon Reasons