aiwg
Deployment tool and support utility for AI context. Copies agents, skills, commands, rules, and behaviors into the paths each AI platform reads (Claude Code, Codex, Copilot, Cursor, Warp, OpenClaw, and 6 more) so one source of truth works across 10 platfo
title: SSH Brute Force Success
id: 7a3f9c1e-2d4b-4e8a-b6f5-0c9d8e1a2b3c
status: stable
description: >
  Detects IP addresses that had failed SSH login attempts followed by successful
  authentication from the same source IP, indicating a brute force attack that succeeded.
references:
  - https://attack.mitre.org/techniques/T1110/001/
  - https://www.sans.org/blog/finding-the-root-cause-of-an-ssh-brute-force-attack/
author: forensics-complete
date: 2025-11-14
modified: 2025-11-14
tags:
  - attack.credential_access
  - attack.t1110.001
  - attack.persistence
  - attack.t1078
logsource:
  product: linux
  service: auth
detection:
  selection_failed:
    auth_event: 'Failed password'
  selection_success:
    auth_event:
      - 'Accepted password'
      - 'Accepted publickey'
  timeframe: 24h
  condition: selection_failed and selection_success | same src_ip within timeframe
falsepositives:
  - Legitimate users who mistype their password before successfully authenticating
  - Password manager rotation followed by correct authentication
  - Automated provisioning systems with retry logic
level: high
fields:
  - src_ip
  - user
  - auth_method
  - timestamp
# Detection Logic Note
#
# This rule requires correlation across log entries. The following commands
# implement the detection logic manually when a SIEM is not available. The
# source IP is taken from the token that follows "from" rather than from a
# fixed awk column, because the "Failed password for invalid user <name> from <ip>"
# form shifts the positional fields by two:
#
# # Extract failed login IPs
# grep "Failed password" /var/log/auth.log | grep -oE 'from [0-9A-Fa-f.:]+' | awk '{print $2}' | sort -u > /tmp/failed.txt
#
# # Extract successful login IPs
# grep "Accepted" /var/log/auth.log | grep -oE 'from [0-9A-Fa-f.:]+' | awk '{print $2}' | sort -u > /tmp/success.txt
#
# # Find IPs in both (both files are already sorted, as comm requires)
# comm -12 /tmp/failed.txt /tmp/success.txt
#
# A result from the above commands indicates brute force success. Note that the
# set overlap alone does not check that the failures preceded the success or
# that they fall inside the 24h timeframe, so confirm the candidate IPs against
# the timestamps of the matching lines.
# Apply red-flag-escalation.md procedures when this condition is confirmed.
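The grep/comm commands above find IPs present in both sets but cannot express the two constraints the rule states: the failures must come before the success, and both must fall within the 24h timeframe. The script below is an added example, not part of the aiwg repository, that implements the rule's correlation over OpenSSH auth.log lines and contrasts it with the plain set overlap. The log lines, host name and IPs are constructed sample data; the year is assumed because syslog timestamps carry none, and the `min_failures` threshold is an addition not present in the rule.

```python
"""Correlate failed SSH logins with a later success from the same source IP.

Added example for the "SSH Brute Force Success" rule; the sample log lines
are constructed and the year is assumed (syslog timestamps omit it).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the sshd message forms the rule selects on. The optional
# "invalid user " prefix is why a fixed awk column for the IP is unreliable.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted password|Accepted publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)

ASSUMED_YEAR = 2025  # assumption: syslog lines carry no year

# Constructed sample data (RFC 5737 documentation addresses), deliberately
# out of chronological order to show that the correlation sorts by time.
SAMPLE_LINES = [
    "Nov 14 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.10 port 50000 ssh2",
    "Nov 14 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.10 port 50001 ssh2",
    "Nov 14 10:00:09 host sshd[1003]: Failed password for root from 203.0.113.10 port 50002 ssh2",
    "Nov 14 10:00:15 host sshd[1004]: Accepted password for root from 203.0.113.10 port 50003 ssh2",
    "Nov 14 09:30:00 host sshd[1005]: Failed password for alice from 198.51.100.7 port 40000 ssh2",
    "Nov 14 09:30:04 host sshd[1006]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2: RSA SHA256:abc",
    "Nov 13 08:00:00 host sshd[1007]: Accepted password for bob from 192.0.2.5 port 30000 ssh2",
    "Nov 13 08:05:00 host sshd[1008]: Failed password for bob from 192.0.2.5 port 30001 ssh2",
    "Nov 12 01:00:00 host sshd[1009]: Failed password for carol from 192.0.2.9 port 20000 ssh2",
    "Nov 14 02:00:00 host sshd[1010]: Accepted password for carol from 192.0.2.9 port 20001 ssh2",
    "Nov 14 10:00:20 host CRON[1011]: pam_unix(cron:session): session opened for user root",
]


def parse_line(line):
    """Return a dict with ts/event/user/ip for sshd auth lines, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "event": m["event"], "user": m["user"], "ip": m["ip"]}


def naive_overlap(lines):
    """Set overlap of failed and successful IPs: what `comm -12` computes."""
    failed, success = set(), set()
    for e in filter(None, map(parse_line, lines)):
        (failed if e["event"] == "Failed password" else success).add(e["ip"])
    return failed & success


def find_brute_force_success(lines, timeframe=timedelta(hours=24), min_failures=1):
    """Rule logic: a success from an IP that had >= min_failures failures
    earlier within `timeframe`. Returns one hit per qualifying success,
    carrying the rule's output fields."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    failures = defaultdict(list)  # src_ip -> timestamps of earlier failures
    hits = []
    for e in events:
        if e["event"] == "Failed password":
            failures[e["ip"]].append(e["ts"])
            continue
        # Success: only failures inside the lookback window count.
        window_start = e["ts"] - timeframe
        recent = [t for t in failures[e["ip"]] if t >= window_start]
        if len(recent) >= min_failures:
            hits.append({
                "src_ip": e["ip"],
                "user": e["user"],
                "auth_method": e["event"].split()[1],
                "timestamp": e["ts"],
                "failures_in_window": len(recent),
            })
    return hits


if __name__ == "__main__":
    print("comm-style overlap:", sorted(naive_overlap(SAMPLE_LINES)))
    for hit in find_brute_force_success(SAMPLE_LINES, min_failures=1):
        print("rule hit:", hit)
```

Run as-is, the overlap reports four IPs, but only two survive the rule's ordering and timeframe checks: 192.0.2.5 is dropped because its failure came after the success, and 192.0.2.9 because its failure is 49 hours before the success. The remaining hit for 198.51.100.7 is a single mistyped password followed by a key login, which is the rule's first listed false positive; raising `min_failures` to 3 leaves only 203.0.113.10, which also shows that the "invalid user" line was attributed to the right IP.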