Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1110-brute-force

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detects brute force attacks targeting Windows OpenSSH server through multiple invalid user authentication attempts.

Strategy

This rule monitors Windows OpenSSH server events where @evt.id is 4 from the sshd process when @Event.EventData.Data.payload contains Invalid user messages. The detection triggers when more than three distinct invalid user attempts occur, indicating potential credential stuffing or brute force attacks. OpenSSH servers log failed authentication attempts when attackers try to authenticate with non-existent usernames, providing a reliable indicator of reconnaissance and brute force activity targeting the SSH service.

Triage and response

• Examine the source IP addresses attempting SSH connections to {{host}} and determine if they represent legitimate user locations or suspicious external sources.
• Review the specific invalid usernames being attempted to understand the attacker’s reconnaissance methodology and target identification.
• Check for any successful SSH authentication attempts from the same source addresses following the invalid user attempts.
• Analyze network logs to identify the scope of the brute force campaign and other systems that may be targeted.
• Consider implementing SSH access controls, fail2ban rules, or network-level blocking to prevent continued brute force attempts.