Failed Logins with Different Accounts from Single Source - Linux
Detects suspicious failed logins with different user accounts from a single source system
Sigma rule
title: Failed Logins with Different Accounts from Single Source - Linux
id: fc947f8e-ea81-4b14-9a7b-13f888f94e18
status: unsupported
description: Detects suspicious failed logins with different user accounts from a single source system
author: Florian Roth (Nextron Systems)
date: 2017/02/16
modified: 2023/03/24
tags:
    - attack.credential_access
    - attack.t1110
logsource:
    product: linux
    service: auth
detection:
    selection:
        pam_message: authentication failure
        pam_user: '*'
        pam_rhost: '*'
    timeframe: 24h
    condition: selection | count(pam_user) by pam_rhost > 3
falsepositives:
    - Terminal servers
    - Jump servers
    - Workstations with frequently changing users
level: medium
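To show how the rule's aggregation evaluates against raw PAM lines, here is an added Python example (not part of the rule or the Sigma project): it extracts pam_rhost and pam_user from constructed pam_unix syslog lines, then counts distinct accounts per source inside a sliding 24h window and flags sources above 3, which is how Sigma's count(field) by group aggregation is defined. The sample log lines, host name, year and the extraction regex are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines in pam_unix syslog format (not taken from the page).
SAMPLE_LOG = """\
Mar 24 10:00:01 srv sshd[1001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=alice
Mar 24 10:00:04 srv sshd[1002]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=bob
Mar 24 10:00:09 srv sshd[1003]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=carol
Mar 24 10:00:15 srv sshd[1004]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=dave
Mar 24 11:30:00 srv sshd[1005]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9 user=root
Mar 24 11:30:10 srv sshd[1006]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9 user=admin
Mar 20 08:00:00 srv sshd[1007]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.1 user=alice
Mar 21 08:00:00 srv sshd[1008]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.1 user=bob
Mar 22 08:00:00 srv sshd[1009]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.1 user=carol
Mar 23 08:00:00 srv sshd[1010]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.1 user=dave
"""

# Assumed extraction of pam_message / pam_rhost / pam_user from the linux auth log source.
PAM_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: pam_unix\([^)]*\): "
    r"authentication failure;.*?rhost=(?P<rhost>\S*) user=(?P<user>\S*)"
)

def parse_failure(line, year=2023):
    """Return (timestamp, pam_rhost, pam_user) for a PAM failure line, else None."""
    m = PAM_FAIL.match(line)
    if not m or not m["rhost"]:  # no rhost means a local login: outside the selection
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["rhost"], m["user"]

def flag_sources(lines, threshold=3, window=timedelta(hours=24)):
    """Evaluate 'count(pam_user) by pam_rhost > threshold' inside a sliding window."""
    by_rhost = defaultdict(list)
    for line in lines:
        if parsed := parse_failure(line):
            ts, rhost, user = parsed
            by_rhost[rhost].append((ts, user))
    flagged = {}  # rhost -> most distinct accounts seen in any one window
    for rhost, events in by_rhost.items():
        events.sort()  # chronological, so each window starts at one failure
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) > threshold:
                flagged[rhost] = max(flagged.get(rhost, 0), len(users))
    return flagged

if __name__ == "__main__":
    for rhost, n in flag_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{rhost}: {n} distinct accounts failed within 24h")
```

Only 203.0.113.7 is flagged: 198.51.100.9 tries two accounts, and 192.0.2.1 spreads four accounts over four days so no single 24h window exceeds the threshold.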
Related rules
- Sign-in Failure Bad Password Threshold
- External Remote Service Logon from Public IP
- Stored Credentials in Fake Files
- Possible Impacket GetUserSPNs Activity
- Mimikatz Command Line With Ticket Export