rules/linux/credential-access/T1110_ssh_failed_auth.yml

24 lines · yaml

title: SSH Authentication Failure
name: ssh_auth_failure
id: cc6fd1c9-b264-4be8-bb53-b6f4e2af9776
status: experimental
description: Base detection for a single failed SSH authentication, used by the brute-force correlation.
references:
  - https://attack.mitre.org/techniques/T1110/
author: Zion Boggan
date: 2026-05-15
tags:
  - attack.credential_access
  - attack.t1110
logsource:
  product: linux
  service: sshd
detection:
  selection:
    - Message|contains: 'Failed password for'
    - Message|contains: 'Invalid user'
    - Message|startswith: 'Connection closed by authenticating user'
  condition: selection
falsepositives:
  - Users fat-fingering passwords; the correlation rule is what should alert.
level: informational

1	title: SSH Authentication Failure
2	name: ssh_auth_failure
3	id: cc6fd1c9-b264-4be8-bb53-b6f4e2af9776
4	status: experimental
5	description: Base detection for a single failed SSH authentication, used by the brute-force correlation.
6	references:
7	- https://attack.mitre.org/techniques/T1110/
8	author: Zion Boggan
9	date: 2026-05-15
10	tags:
11	- attack.credential_access
12	- attack.t1110
13	logsource:
14	product: linux
15	service: sshd
16	detection:
17	selection:
18	- Message\|contains: 'Failed password for'
19	- Message\|contains: 'Invalid user'
20	- Message\|startswith: 'Connection closed by authenticating user'
21	condition: selection
22	falsepositives:
23	- Users fat-fingering passwords; the correlation rule is what should alert.
24	level: informational