Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1110-brute-force

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detect the SSH login by password guesser notice.

Strategy

This rule monitors Zeek logs for the notice SSH::Login_By_Password_Guesser. The notice is generated if a successful login attempt is detected for a host that has been previously identified as a “password guesser”.

Triage and response

1. Identify the owners of the host that has been accessed.
2. Work with the team to understand if this authentication was expected/legitimate.
3. If it is determined that the activity is malicious:
   • Block the IP address, if it aligns with organization incident response processes.
   • Begin your organization’s incident response process and investigate.