SSH login by password guesser from Zeek

Goal

Detect the SSH login by password guesser notice.

Strategy

This rule monitors Zeek logs for the notice SSH::Login_By_Password_Guesser. Zeek generates this notice when it observes a successful SSH login from a source host that it has previously flagged as a “password guesser”, i.e. a host that had already generated a burst of failed SSH authentication attempts.
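As an added example (not part of the original rule page or of Zeek itself), the following Python script shows the detection logic over a few constructed Zeek notice.log records in JSON format: it keeps only records whose note field is SSH::Login_By_Password_Guesser, extracts the guessing source, the host that was accessed and the timestamp, and groups the hits by source so the triage steps below have the two addresses they need. The field names (ts, note, msg, src, dst, id.orig_h, id.resp_h) are the standard columns of Zeek's notice.log; the sample addresses and timestamps are constructed for illustration.

```python
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List

# The Zeek notice this rule is looking for.
TARGET_NOTE = "SSH::Login_By_Password_Guesser"


@dataclass
class Alert:
    ts: float   # epoch timestamp of the notice
    src: str    # host that was guessing passwords and then logged in
    dst: str    # host that accepted the login
    msg: str    # Zeek's human-readable message


def parse_notice_log(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per SSH::Login_By_Password_Guesser record.

    Lines that are empty, comments, malformed JSON, or other notice types
    are skipped so that one bad record does not stall the whole feed.
    """
    alerts: List[Alert] = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if rec.get("note") != TARGET_NOTE:
            continue
        # notice.log carries src/dst for connection-based notices; fall back
        # to the connection id fields if a record lacks them.
        src = rec.get("src") or rec.get("id.orig_h", "")
        dst = rec.get("dst") or rec.get("id.resp_h", "")
        alerts.append(Alert(ts=float(rec["ts"]), src=src, dst=dst, msg=rec.get("msg", "")))
    return alerts


def hosts_by_source(alerts: Iterable[Alert]) -> Dict[str, List[str]]:
    """Map each guessing source to the distinct hosts it logged into (sorted)."""
    groups: Dict[str, set] = {}
    for a in alerts:
        groups.setdefault(a.src, set()).add(a.dst)
    return {src: sorted(dsts) for src, dsts in groups.items()}


# Constructed sample notice.log records (JSON output format). The second
# line is the one this rule should fire on; the fourth is deliberately malformed.
SAMPLE_NOTICE_LOG = [
    '{"ts":1700000000.1,"note":"SSH::Password_Guessing","msg":"198.51.100.23 appears to be guessing SSH passwords (seen in 30 connections).","src":"198.51.100.23","actions":["Notice::ACTION_LOG"]}',
    '{"ts":1700000090.5,"uid":"CabcDEF123","id.orig_h":"198.51.100.23","id.orig_p":51234,"id.resp_h":"192.0.2.10","id.resp_p":22,"note":"SSH::Login_By_Password_Guesser","msg":"Successful SSH login by password guesser 198.51.100.23","src":"198.51.100.23","dst":"192.0.2.10","p":22,"actions":["Notice::ACTION_LOG"]}',
    '{"ts":1700000120.0,"note":"Scan::Port_Scan","msg":"203.0.113.7 scanned at least 15 unique ports of host 192.0.2.10","src":"203.0.113.7","dst":"192.0.2.10"}',
    '{"ts":1700000130.0,"note":"SSH::Login_By_Password_Guesser" THIS LINE IS BROKEN',
    '{"ts":1700000200.0,"note":"SSH::Login_By_Password_Guesser","msg":"Successful SSH login by password guesser 198.51.100.23","src":"198.51.100.23","dst":"192.0.2.11","p":22}',
]


if __name__ == "__main__":
    for src, dsts in hosts_by_source(parse_notice_log(SAMPLE_NOTICE_LOG)).items():
        print(f"password guesser {src} logged in to: {', '.join(dsts)}")
```

Point parse_notice_log at a real notice.log (for example, `parse_notice_log(open("/opt/zeek/logs/current/notice.log"))` when Zeek is writing JSON logs) and the same two functions give the source/destination pairs that the triage steps start from.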

Triage and response

  1. Identify the owners of the host that has been accessed.
  2. Work with the team to understand if this authentication was expected/legitimate.
  3. If it is determined that the activity is malicious:
    • Block the source IP address, if doing so aligns with your organization’s incident response processes.
    • Begin your organization’s incident response process and investigate.