Possible brute force on sudo user

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

10 Minutes

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Brute Force: Password Guessing (T1110.001)

Severity

Informational

Description

A user executed an unusually large number of sudo commands in a short time period.
This may indicate an attempt to guess the sudo password.

Attacker's Goals

The attacker may gain full privileges to the host.

Investigative actions

Verify which user ran these commands and whether this is legitimate behavior on this host.

Variations

Possible brute force on sudo user

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Brute Force: Password Guessing (T1110.001)

Severity

Low

Description

A user executed an unusually large number of sudo commands in a short time period.
This may indicate an attempt to guess the sudo password.

Attacker's Goals

The attacker may gain full privileges to the host.

Investigative actions

Verify which user ran these commands and whether this is legitimate behavior on this host.
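The detection described above (the same description is used for the alert and its Low-severity variation), written out as an added example; this is not Cortex XDR's own logic. It learns each user's peak number of sudo invocations per 10-minute window from constructed training lines, then flags a user whose peak in new lines exceeds three times that baseline. The ISO-timestamped sudo log format, the users, the three-times factor and the floor of five are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

TEST_PERIOD = timedelta(minutes=10)  # the alert's 10-minute test window
# timestamp, host, "sudo:" (optional pid), invoking user, " :" -- sudo's own command log lines
LINE_RE = re.compile(r"^(\S+)\s+\S+\s+sudo(?:\[\d+\])?:\s+(\S+)\s+:")
# Constructed training sample standing in for the 30-day training period.
TRAINING_LOG = "\n".join([
    "2024-05-06T09:00:01 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "2024-05-06T09:01:12 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt upgrade",
    "2024-05-20T14:30:00 host1 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl status nginx",
])
# Constructed test sample: alice behaves as usual; bob's sudo password is rejected 12 times in four minutes.
TEST_LOG = "\n".join(
    ["2024-06-04T10:00:02 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
     "2024-06-04T10:00:30 host1 sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1001"]
    + [f"2024-06-04T10:0{i // 3}:{(i % 3) * 20:02d} host1 sudo: bob : 3 incorrect password attempts ; "
       f"TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash" for i in range(12)])

def parse(log):
    """Yield (timestamp, invoking user) for every sudo command line; other lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2)

def max_window_counts(events, window=TEST_PERIOD):
    """Per user, the largest number of sudo invocations that fall inside any single window."""
    per_user = defaultdict(list)
    for ts, user in events:
        per_user[user].append(ts)
    peaks = {}
    for user, times in per_user.items():
        times.sort()
        start, best = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # drop events that fell out of the window
                start += 1
            best = max(best, end - start + 1)
        peaks[user] = best
    return peaks

def find_bursts(test_log, baseline, factor=3, floor=5, window=TEST_PERIOD):
    """Flag users whose peak in the test log exceeds `factor` times their learned peak (never below `floor`)."""
    alerts = []
    for user, peak in max_window_counts(parse(test_log), window).items():
        limit = max(floor, factor * baseline.get(user, 0))
        if peak > limit:
            alerts.append((user, peak, limit))
    return alerts

def detect():  # learn the baseline from the training sample, then test the new lines
    return find_bursts(TEST_LOG, max_window_counts(parse(TRAINING_LOG)))
```

A real deployment would keep the per-user peaks from the whole training period and re-run the window check every test period, deduplicating repeat alerts for the same user within a day as the reference's Deduplication Period describes.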